Do you know who really owns the software you use?

Do you know who really owns the software you use for strategy, governance, compliance, risk management, financial planning and sustainability reporting?

Preserving Europe’s digital independence and safeguarding our core values matters — now and for the generations to come.

In Europe, we often talk about digitalisation, performance and ESG — but far less about the jurisdictional risks behind the software we use to manage them.

Yet for organisations working with strategy, execution, compliance, risk management, finance and ESG, the legal environment of your software provider is no longer a technical detail. It directly affects the confidentiality of your plans, the integrity of your reporting, and the compliance burden placed on your teams.

In an EU market where U.S. private equity firms are taking an increasingly strong position, the need for suppliers with clear European ownership and long‑term predictability is growing.

Here’s the reality:

  • When a SaaS provider is U.S.-owned or U.S.-controlled, every piece of EU personal data processed — even if hosted in the EU — becomes an international data transfer.
  • This triggers obligations such as DPF, SCCs, TIAs, DPIAs, and an assessment of exposure to U.S. surveillance laws (FISA 702, CLOUD Act, EO 12333).

And none of these mechanisms protect business‑critical data like strategy documents, financial forecasts, product roadmaps, risk analysis or ESG data.

For tools that sit at the heart of corporate governance, this matters

This is why the structural choice of a privately owned, EU‑based and EU‑controlled software editor is more than a procurement preference — it is a governance decision. When your platform operates fully under EU jurisdiction, you avoid cross‑border transfers, reduce compliance overhead, and maintain clearer protection over both personal and non‑personal strategic data.

As organisations raise the bar on transparency, resilience, and responsible digitalisation, the question is no longer only

“What can the software do?”

It is also

“Under which legal system does it operate — and what does that mean for our data, our reporting, and our risk posture?”

The below article outlines the obligations and risks EU organisations need to consider when choosing software operated under U.S. jurisdiction.

When selecting software for strategy, governance, compliance, risk management, financial planning and sustainability reporting, data protection is not a secondary concern — it is a core governance requirement

These domains involve highly sensitive information: forward‑looking strategy, financial planning, regulatory reporting, and internal performance and compliance data.

For EU organisations, the legal environment in which a software provider operates directly affects how securely this information can be processed and how predictable the compliance obligations will be.

This is where the distinction between an EU‑based, EU‑owned software editor and a U.S.-owned or U.S.-controlled SaaS provider becomes critical.

Because Cleerit is a privately owned, EU‑based and EU‑controlled solution, all processing remains fully within the EU legal framework. This means no international data transfers, no reliance on DPF/SCCs/TIAs, and no exposure to U.S. surveillance laws such as FISA 702, the CLOUD Act, or Executive Order 12333. For customers, this translates into lower regulatory risk, fewer compliance steps, and clearer protection for both personal data and business‑critical information.

By contrast, using a U.S.-owned or U.S.-controlled SaaS provider — even if hosted in the EU — automatically triggers GDPR international transfer rules and requires organisations to assess foreign‑law risks, implement additional safeguards, and limit the types of data that can be safely uploaded.

This is particularly relevant when the software handles strategic, financial, or ESG‑related content, where confidentiality and regulatory integrity are essential.

The following section outlines the obligations and risks EU organisations should consider when choosing software operated under U.S. jurisdiction.

Is your software provider U.S.-based, owned or controlled?

If your software provider is U.S.-based, any EU personal data processed by the provider involves a cross‑border transfer and requires a valid international data transfer mechanism.

This means you must rely on one of the following mechanisms and meet the obligations that come with any U.S. SaaS provider:

  • EU–U.S. Data Privacy Framework (DPF) — A U.S. government–run certification that allows U.S. companies to legally receive EU personal data by committing to GDPR‑level protections.
  • Standard Contractual Clauses (SCCs), if not DPF‑certified — EU‑approved legal contracts that let organisations transfer personal data to non‑EU countries, incl. the U.S., while guaranteeing GDPR‑level protection.
  • Transfer Impact Assessment (TIA), always required when SCCs are used — a mandatory GDPR risk analysis that evaluates whether sending personal data to a non‑EU provider (such as a U.S. SaaS company) exposes it to foreign laws or surveillance risks, and what safeguards are needed.

You also have DPIA obligations. In the EU, a DPIA (Data Protection Impact Assessment) is a mandatory GDPR assessment that organisations must perform when a processing activity is likely to result in a high risk to individuals’ rights and freedoms — especially when using tools, systems, or transfers involving non‑EU countries.

U.S. surveillance laws remain a risk factor for EU organisations

Even with DPF or SCCs, EU regulators expect you to assess exposure to:

  • FISA 702
  • CLOUD Act
  • Executive Order 12333

This is standard for any U.S. SaaS.

Moreover, protection under DPF or SCCs does not cover business data, only personal data within the scope of GDPR. GDPR does not regulate:

  • business plans
  • internal strategy documents
  • product roadmaps
  • financial forecasts
  • ESG reports without personal data
  • anonymized datasets
  • source code

These are not protected under GDPR, and therefore not covered by DPF or SCCs.

What these laws mean for a U.S.-owned/controlled SaaS company

FISA Section 702

A U.S. law that allows intelligence agencies (primarily the NSA) to compel U.S. electronic communication service providers to provide access to data about non‑U.S. persons located outside the U.S. for foreign intelligence purposes.

  • Applies to any U.S.-based cloud or SaaS provider
  • Can require secret, non‑disclosable access to data
  • Applies even if the data is stored in the EU, as long as the company is U.S.-controlled

GDPR impact:

  • This is the main reason the EU considers the U.S. a third country with inadequate personal data protection (except for DPF‑certified companies).
  • The EU noted that data protection rules only contribute to the protection of individuals if they are followed in practice. It is therefore necessary to consider not only the content of rules applicable to personal data transferred to a third country, but also the system in place to ensure the effectiveness of such rules.
  • U.S. surveillance laws allow broad government access to data without EU‑equivalent privacy safeguards or judicial remedies, as confirmed by the CJEU in Schrems II.
  • DPF reduces the risk but does not eliminate it. DPF solves the transfer problem — meaning you may transfer EU personal data to that company and the transfer is treated like an intra‑EU transmission of data — but it does not guarantee full GDPR adequacy and compliance by the provider, and it does not eliminate your DPIA obligations.
  • Moreover, the CJEU (Schrems II) made clear that adequacy can be challenged again, meaning that even with DPF, adequacy is conditional and can be re‑evaluated or invalidated. The Court invalidated the previous Privacy Shield because U.S. surveillance laws conflicted with EU fundamental rights. (CJEU Case C‑311/18 “Schrems II”: https://curia.europa.eu/juris/liste.jsf?num=C-311/18)

In practice: A U.S. SaaS provider could be compelled to hand over EU personal data without notifying the customer, and protection under DPF or SCCs does not cover business data.

U.S. CLOUD Act

A law that allows U.S. law enforcement to compel U.S. companies to provide data regardless of where the data is stored (including EU data centers).

  • Applies to any U.S.-owned company, even if it operates an EU subsidiary
  • Applies to data stored in the EU
  • Can include business data, user data, logs, metadata

In practice: A U.S. SaaS provider may be legally required to disclose EU customer data stored in Europe.

Executive Order 12333

A presidential order that authorizes U.S. intelligence agencies to conduct surveillance outside the U.S., often through upstream collection (intercepting data in transit).

  • Does not require cooperation from the SaaS provider
  • Data can be collected without the provider’s knowledge
  • Applies to data crossing international networks (e.g., transatlantic traffic)

EO 12333 is relevant because it allows upstream collection of data that passes through global networks — even if the company storing the data is not directly compelled. It targets infrastructure, not companies.

This is why the CJEU (Schrems II) considered it a risk factor for EU–U.S. data transfers. EO 12333 permits intelligence collection without EU‑equivalent safeguards, which is why the U.S. was not granted adequacy.

The risk is harder to mitigate because it targets infrastructure, not companies. Strong encryption of data in transit and at rest, and zero‑knowledge architectures in which the provider never holds the keys needed to decrypt customer data, reduce exposure.

How does this affect your choice of software?

For any U.S.-owned SaaS provider you must evaluate exposure to U.S. surveillance laws and you may need to restrict what data users upload, register or integrate, especially:

  • HR data
  • sensitive strategy documents
  • regulated ESG/CSRD data
  • customer data
  • anything containing personal data

In short: when governance matters, jurisdiction matters.

Cleerit’s EU‑based and EU‑controlled model gives organisations the legal clarity and operational predictability they increasingly expect from their core platforms, and that many organisations now consider essential.

And last but not least: preserving Europe’s digital independence and safeguarding our core values matters — now and for the generations to come.

Read more about Cleerit’s privately owned, EU‑based and EU‑controlled solution for Performance Management & Compliance Governance 360° — connecting strategy, execution, finance & ESG to drive your everyday performance, protect your organisation and turn your strategies into reality.

It’s the clarity and decision support designed for you to reach your goals, maximize results, secure compliance, and contribute to an inclusive and sustainable future.
