{"id":3150,"date":"2026-05-01T16:00:04","date_gmt":"2026-05-01T15:00:04","guid":{"rendered":"https:\/\/cleeritesg.com\/?p=3150"},"modified":"2026-05-13T08:07:05","modified_gmt":"2026-05-13T07:07:05","slug":"do-you-know-who-really-owns-the-software-you-use","status":"publish","type":"post","link":"https:\/\/cleeritesg.com\/index.php\/2026\/05\/01\/do-you-know-who-really-owns-the-software-you-use\/","title":{"rendered":"Do you know who really owns the software you use?"},"content":{"rendered":"<p>Do you know who really owns the software you use for strategy, governance, compliance, risk management, financial planning and sustainability reporting?<\/p>\n<p><strong>Preserving Europe\u2019s digital independence and safeguarding our core values matters \u2014 now and for the generations to come.<\/strong><\/p>\n<p>In Europe, we often talk about digitalisation, performance and ESG \u2014 but far less about the jurisdictional risks behind the software we use to manage them.<\/p>\n<p>Yet for organisations working with strategy, execution, compliance, risk management, finance and ESG, the legal environment of your software provider is no longer a technical detail. <strong>It directly affects the confidentiality of your plans, the integrity of your reporting, and the compliance burden placed on your teams.<\/strong><\/p>\n<p>In an EU market where U.S. private equity firms are taking an increasingly strong position, the need for suppliers with clear European ownership and long\u2011term predictability is growing.<\/p>\n<p>Here\u2019s the reality:<\/p>\n<ul>\n<li>When a SaaS provider is U.S.-owned or U.S.-controlled, every piece of EU personal data processed \u2014 even if hosted in the EU \u2014 becomes an international data transfer.<\/li>\n<li>This triggers obligations such as DPF, SCCs, TIAs, DPIAs, and an assessment of exposure to U.S. 
surveillance laws (FISA 702, CLOUD Act, EO 12333).<\/li>\n<\/ul>\n<p>And none of these mechanisms protect business\u2011critical data like strategy documents, financial forecasts, product roadmaps, risk analysis or ESG data.<\/p>\n<h3><strong>For tools that sit at the heart of corporate governance, this matters<\/strong><\/h3>\n<p>This is why the structural choice of a privately owned, EU\u2011based and EU\u2011controlled software editor is more than a procurement preference \u2014 it is a governance decision. When your platform operates fully under EU jurisdiction, you avoid cross\u2011border transfers, reduce compliance overhead, and maintain clearer protection over both personal and non\u2011personal strategic data.<\/p>\n<p>As organisations raise the bar on transparency, resilience, and responsible digitalisation, the question is no longer only<\/p>\n<p>\u201cWhat can the software do?\u201d<\/p>\n<p>It is also<\/p>\n<p><strong>\u201cUnder which legal system does it operate \u2014 and what does that mean for our data, our reporting, and our risk posture?\u201d<\/strong><\/p>\n<p>The below article outlines the obligations and risks EU organisations need to consider when choosing software operated under U.S. 
jurisdiction.<\/p>\n<p>&#8212;<\/p>\n<h3><strong>When selecting software for strategy, governance, compliance, risk management, financial planning and sustainability reporting, data protection is not a secondary concern \u2014 it is a core governance requirement<\/strong><\/h3>\n<p>These domains involve highly sensitive information: forward\u2011looking strategy, financial planning, regulatory reporting, and internal performance and compliance data.<\/p>\n<p>For EU organisations, the legal environment in which a software provider operates directly affects how securely this information can be processed and how predictable the compliance obligations will be.<\/p>\n<blockquote><p><strong>This is where the distinction between an EU\u2011based, EU\u2011owned software editor and a U.S.-owned or U.S.-controlled SaaS provider becomes critical.<\/strong><\/p><\/blockquote>\n<p>Because Cleerit is a privately owned, EU\u2011based and EU\u2011controlled solution, all processing remains fully within the EU legal framework. This means no international data transfers, no reliance on DPF\/SCCs\/TIAs, and no exposure to U.S. surveillance laws such as FISA 702, the CLOUD Act, or Executive Order 12333. 
For customers, this translates into lower regulatory risk, fewer compliance steps, and clearer protection for both personal data and business\u2011critical information.<\/p>\n<p>By contrast, using a U.S.-owned or U.S.-controlled SaaS provider \u2014 even if hosted in the EU \u2014 automatically triggers GDPR international transfer rules and requires organisations to assess foreign\u2011law risks, implement additional safeguards, and limit the types of data that can be safely uploaded.<\/p>\n<p>This is particularly relevant when the software handles strategic, financial, or ESG\u2011related content, where confidentiality and regulatory integrity are essential.<\/p>\n<p>The following section outlines the obligations and risks EU organisations should consider when choosing software operated under U.S. jurisdiction.<\/p>\n<h2><strong>Is your software provider U.S.-based, owned or controlled?<\/strong><\/h2>\n<p>If your software provider is U.S.-based, any EU personal data processed by the provider involves a cross\u2011border transfer and requires a valid international data transfer mechanism.<\/p>\n<p>This means you must rely on one of the following U.S. SaaS obligations:<\/p>\n<ul>\n<li>EU\u2013U.S. Data Privacy Framework (DPF) \u2014 A U.S. government\u2013run certification that allows U.S. companies to legally receive EU personal data by committing to GDPR\u2011level protections.<\/li>\n<li>Standard Contractual Clauses (SCCs), if not DPF\u2011certified \u2014 EU\u2011approved legal contracts that let organizations transfer personal data to non\u2011EU countries, incl. the U.S., while guaranteeing GDPR\u2011level protection.<\/li>\n<li>Transfer Impact Assessment (TIA), always required when SCCs are used \u2014 a mandatory GDPR risk analysis that evaluates whether sending personal data to a non\u2011EU provider (such as a U.S. 
SaaS company) exposes it to foreign laws or surveillance risks, and what safeguards are needed.<\/li>\n<\/ul>\n<p>You also have DPIA obligations. In the EU, a DPIA (Data Protection Impact Assessment) is a mandatory GDPR assessment that organizations must perform when a processing activity is likely to result in a high risk to individuals\u2019 rights and freedoms \u2014 especially when using tools, systems, or transfers involving non\u2011EU countries.<\/p>\n<h2><strong>U.S. surveillance laws remain a risk factor for EU organisations<\/strong><\/h2>\n<p>Even with DPF or SCCs, EU regulators expect you to assess exposure to:<\/p>\n<ul>\n<li>FISA 702<\/li>\n<li>CLOUD Act<\/li>\n<li>Executive Order 12333<\/li>\n<\/ul>\n<p>This is standard for any U.S. SaaS.<\/p>\n<p>Moreover, <strong>protection under DPF or SCCs does not cover business data,<\/strong> only personal data in relation to GDPR. GDPR does not regulate:<\/p>\n<ul>\n<li>business plans<\/li>\n<li>internal strategy documents<\/li>\n<li>product roadmaps<\/li>\n<li>financial forecasts<\/li>\n<li>ESG reports without personal data<\/li>\n<li>anonymized datasets<\/li>\n<li>source code<\/li>\n<\/ul>\n<p>These are not protected under GDPR, and therefore not covered by DPF or SCCs.<\/p>\n<h2><strong>What these laws mean for a U.S.-owned\/controlled SaaS company<\/strong><\/h2>\n<h3><strong>FISA Section 702<\/strong><\/h3>\n<p>A U.S. law that allows intelligence agencies (primarily the NSA) to compel U.S. electronic communication service providers to provide access to data about non\u2011U.S. persons located outside the U.S. 
for foreign intelligence purposes.<\/p>\n<ul>\n<li>Applies to <strong>any U.S.-based cloud or SaaS provider<\/strong><\/li>\n<li>Can require secret, non\u2011disclosable access to data<\/li>\n<li>Applies even if the data is stored in the EU, as long as the company is <strong>U.S.-controlled<\/strong><\/li>\n<\/ul>\n<p>GDPR impact:<\/p>\n<ul>\n<li>This is the main reason the EU considers the U.S. a third country with inadequate personal data protection (except for DPF\u2011certified companies).<\/li>\n<li>The EU noted that data protection rules only contribute to the protection of individuals if they are followed in practice. It is therefore necessary to consider not only the content of rules applicable to personal data transferred to a third country, but also the system in place to ensure the effectiveness of such rules.<\/li>\n<li>U.S. surveillance laws allow broad government access to data without EU\u2011equivalent privacy safeguards or judicial remedies, as confirmed by the CJEU in Schrems II.<\/li>\n<li>DPF reduces the risk but does not eliminate it. DPF solves the transfer problem \u2014 meaning you may transfer EU personal data to that company and the transfer is treated like an intra\u2011EU transmission of data \u2014 but it does not guarantee full GDPR adequacy and compliance by the provider, and it does not eliminate your DPIA obligations.<\/li>\n<li>Moreover, the CJEU (Schrems II) made clear that adequacy can be challenged again, meaning that even with DPF, adequacy is conditional and can be re\u2011evaluated or invalidated. The Court invalidated the previous Privacy Shield because U.S. surveillance laws conflicted with EU fundamental rights. (CJEU Case C\u2011311\/18 \u201cSchrems II\u201d: <a href=\"https:\/\/curia.europa.eu\/juris\/liste.jsf?num=C-311\/18\" target=\"_blank\" rel=\"noopener\">https:\/\/curia.europa.eu\/juris\/liste.jsf?num=C-311\/18<\/a>)<\/li>\n<\/ul>\n<p><strong>In practice:<\/strong> A U.S. 
SaaS provider <em>could<\/em> be compelled to hand over EU personal data without notifying the customer, and protection under DPF or SCCs does not cover business data.<\/p>\n<h3><strong>U.S. CLOUD Act<\/strong><\/h3>\n<p>A law that allows U.S. law enforcement to compel U.S. companies to provide data regardless of where the data is stored (including EU data centers).<\/p>\n<ul>\n<li>Applies to <strong>any U.S.-owned company<\/strong>, even if it operates an EU subsidiary<\/li>\n<li>Applies to data stored in the EU<\/li>\n<li>Can include business data, user data, logs, metadata<\/li>\n<\/ul>\n<p><strong>In practice:<\/strong> A U.S. SaaS provider may be legally required to disclose EU customer data stored in Europe.<\/p>\n<h3><strong>Executive Order 12333<\/strong><\/h3>\n<p>A presidential order that authorizes U.S. intelligence agencies to conduct surveillance outside the U.S., often through upstream collection (intercepting data in transit).<\/p>\n<ul>\n<li>Does not require cooperation from the SaaS provider<\/li>\n<li>Data can be collected <strong>without the provider\u2019s knowledge<\/strong><\/li>\n<li>Applies to data crossing international networks (e.g., transatlantic traffic)<\/li>\n<\/ul>\n<p>EO 12333 is relevant because it allows upstream collection of data that passes through global networks \u2014 even if the company storing the data is not directly compelled. It targets infrastructure, not companies.<\/p>\n<p>This is why the CJEU (Schrems II) considered it a risk factor for EU\u2013U.S. data transfers. EO 12333 permits intelligence collection without EU\u2011equivalent safeguards, which is why the U.S. was not granted adequacy.<\/p>\n<p>The risk is harder to mitigate because it targets infrastructure, not companies. 
Encryption and zero\u2011knowledge architectures reduce exposure.<\/p>\n<h2><strong>How does this affect your choice of software?<\/strong><\/h2>\n<p>For any U.S.-owned SaaS provider you must evaluate exposure to U.S. surveillance laws and you may need to restrict what data users upload, register or integrate, especially:<\/p>\n<ul>\n<li>HR data<\/li>\n<li>sensitive strategy documents<\/li>\n<li>regulated ESG\/CSRD data<\/li>\n<li>customer data<\/li>\n<li>anything containing personal data<\/li>\n<\/ul>\n<p><strong>In short: when governance matters, jurisdiction matters.<\/strong><\/p>\n<p>Cleerit\u2019s EU\u2011based and EU\u2011controlled model gives organisations the legal clarity and operational predictability they increasingly expect from their core platforms, and that many organisations now consider essential.<\/p>\n<p>And last but not least: preserving Europe\u2019s digital independence and safeguarding our core values matters \u2014 now and for the generations to come.<\/p>\n<p>Read more about Cleerit\u2019s privately owned, EU\u2011based and EU\u2011controlled solution for Performance Management &amp; Compliance Governance 360\u00b0 \u2014 connecting strategy, execution, finance &amp; ESG to drive your everyday performance, protect your organization and turn your strategies into reality <a href=\"https:\/\/cleeritesg.com\/index.php\/cleerit-enterprise-performance-management\/\" target=\"_blank\" rel=\"noopener\">&gt;&gt;&gt;<\/a><\/p>\n<p>It\u2019s the clarity and decision support designed for you to reach your goals, maximize results, secure compliance, and contribute to an inclusive and sustainable future.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Do you know who really owns the software you use for strategy, governance, compliance, risk management, financial planning and sustainability reporting? 
Preserving Europe\u2019s digital independence and safeguarding our core values matters \u2014 now and for the generations to come. In Europe, we often talk about digitalisation, performance and ESG \u2014 but far less about the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3164,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[66],"tags":[],"class_list":{"0":"post-3150","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","6":"hentry","7":"category-cleerit","9":"post-with-thumbnail","10":"post-with-thumbnail-large"},"_links":{"self":[{"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/posts\/3150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/comments?post=3150"}],"version-history":[{"count":9,"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/posts\/3150\/revisions"}],"predecessor-version":[{"id":3160,"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/posts\/3150\/revisions\/3160"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/media\/3164"}],"wp:attachment":[{"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/media?parent=3150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/categories?post=3150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cleeritesg.com\/index.php\/wp-json\/wp\/v2\/tags?post=3150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}