When we started designing Paak, our management platform for sports clubs, one question arose before we even wrote a single line of code: where will our users’ data live?
The answer seemed straightforward. We’re in Europe. Our clubs are in Europe. Our members are in Europe. So the data stays in Europe. Obviously.
But as we dug deeper, we uncovered a reality that most sports club leaders are unaware of, and one that should concern them all.
What your club’s database actually contains
Before going any further, let’s take a moment to realize what “sports club data” actually means:
- Full identities: names, addresses, dates of birth of every member, including minors
- Contact details: emails, phone numbers of parents and legal guardians
- Medical information: medical certificates, allergies, contraindications
- Financial data: bank details, payment histories, membership fees
- Photos and videos: taken during training sessions, competitions, and club events
For a club with 200 members, half of whom are minors, this is a sensitive database. Not in the “state secret” sense, but in the GDPR sense: personal data, often belonging to vulnerable individuals (children), entrusted to a nonprofit organization.
The question isn’t abstract. It’s legal, ethical, and practical: who can access this data, and under which jurisdiction?
”Sovereign cloud”: when marketing masks reality
Since 2020, and even more so since early 2025, the term “sovereign cloud” has become a sales pitch. Many companies proudly display it. But what does it really mean?
The joint venture trap
In France, two major initiatives were announced as the answer to the sovereignty problem:
- S3NS: a joint venture between Thales and… Google Cloud
- Bleu: a joint venture between Orange, Capgemini, and… Microsoft
The concept? European players operate data centers in France, but the underlying technology remains American. Google provides the engine for S3NS. Microsoft provides Azure and Microsoft 365 to Bleu.
It’s like buying a “made in France” car whose engine, gearbox, and onboard electronics come from Detroit. The bodywork is French. The essentials are not.
Why this is a problem: CLOUD Act and FISA 702
Two American laws make this architecture fundamentally incompatible with European data protection:
The CLOUD Act (2018) authorizes US authorities to demand access to data held by any US-incorporated company, including data stored in Europe, including data belonging to European citizens.
Section 702 of the FISA Act (renewed in April 2024) goes even further: it allows US intelligence agencies to collect data from non-Americans stored on servers managed by US providers, without individualized judicial oversight. The 2024 renewal even expanded its scope to any company providing a service with access to equipment through which communications pass.
And the companies involved cannot inform their clients that they’ve been compelled to hand over data.
The Court of Justice of the European Union confirmed it: US surveillance laws do not provide adequate protection for European data. This is precisely why the Safe Harbor and then Privacy Shield agreements were invalidated.
The discovery that changed everything for us
It was while investigating our suppliers that we made a troubling discovery.
In-Q-Tel is a venture capital fund established in 1999 by the CIA. Its openly stated mission: to fund technology startups whose products serve US intelligence agencies.
What most Europeans don’t realize is that In-Q-Tel invests heavily in Europe. According to a Follow the Money investigation (2024), the fund has invested in at least 52 European startups, with amounts growing from under $5 million in 2017 to approximately $35 million in 2023, a sevenfold increase in six years.
And these aren’t just defense startups. The goal is clear: to gain privileged access to sensitive European technologies, with oversight rights that ordinary investors don’t have.
The most well-known example is Palantir Technologies, which received its initial $2 million investment from In-Q-Tel in 2005. Now valued at over $250 billion, Palantir is at the heart of the intelligence systems of… France’s DGSI. Yes, France’s domestic intelligence service uses CIA-funded software to process its most sensitive data. This contract, signed after the 2015 attacks, is reportedly still active.
When you try to find out who really controls the technology chain, the discoveries are often disconcerting. A supplier presenting itself as European may have a minority shareholder linked to US intelligence services. A “sovereign” solution may rely on code that, legally, remains subject to US law.
May 2025: proof that this isn’t theoretical
For those who might think this is all paranoia, an incident in February 2025 turned this risk into concrete reality.
After the Trump administration sanctioned the chief prosecutor of the International Criminal Court (ICC), Microsoft suspended the prosecutor’s access to email and cloud services. An international institution, based in The Hague, found itself overnight stripped of its work tools, by decision of an American company enforcing Washington’s foreign policy.
The ICC subsequently migrated to openDesk, an open-source office suite provided by Germany’s Center for Digital Sovereignty (ZenDiS).
The message is crystal clear: if you depend on an American provider, a political decision made in Washington can cut your access overnight. It doesn’t matter that your data is “hosted in Europe.” Control isn’t about where the servers are. Control lies with whoever holds the switch.
What “100% European” truly means at Paak
When we say Paak is a 100% European infrastructure, it’s not a marketing slogan. It’s a deliberate architecture, brick by brick:
| Service | Provider | Country | Ownership |
|---|---|---|---|
| Hosting | OVHcloud | France | French company listed in Paris |
| Payments | Mollie | Netherlands | Dutch company, PCI-DSS certified |
| Authentication | Hanko | Germany | German company |
| Emails | Brevo (formerly Sendinblue) | France | French company |
None of these providers is a US subsidiary. None is subject to the CLOUD Act or FISA. None can receive a National Security Letter ordering them to hand over your data in silence.
And this isn’t a coincidence. It’s the result of methodical work: for every building block of our tech stack, we verified the ownership structure, headquarters, and applicable jurisdiction. Every time a European alternative existed with equivalent quality, we chose it.
Our source code runs on servers in France, in Gravelines in northern France. Your payments are processed through the Netherlands and your members’ bank details never pass through our servers: they’re processed directly by Mollie in its PCI-DSS certified environment. Your authentication goes through Germany. Your emails are sent from France. At no point does your data leave the European Union, and at no point is it subject to US law.
Why this matters for your club
“But we’re just a small handball club with 150 members. Nobody’s going to spy on us.”
That’s true. The CIA probably isn’t interested in your youth team’s results. But that’s not really the point.
-
It’s a legal obligation. As a data controller under the GDPR, your club is required to ensure that members’ personal data is adequately protected. Using a host subject to the CLOUD Act creates real legal risk, especially when that data includes information about minors.
-
It’s a matter of trust. Parents who register their children entrust you with sensitive information: addresses, photos, medical data. Being able to tell them “your data stays in Europe, with European providers” is a mark of seriousness.
-
It’s a societal choice. Every euro spent with an American provider reinforces an oligopoly that already controls 70% of the European cloud market (down from 22% for European players in 2017, falling to 15% in 2024 according to Synergy Research Group). Choosing Paak means supporting a European digital ecosystem.
-
It’s insurance against the unpredictable. The ICC incident shows that a policy change in Washington can have immediate consequences on your daily tools. With a 100% European infrastructure, your club will never depend on a foreign political decision.
Final thoughts
Digital sovereignty isn’t a topic reserved for large corporations or governments. It concerns every organization that collects personal data, including your sports club.
At Emmara, we chose transparency and consistency. Every component of Paak was selected not only for its technical quality, but also for its independence from extra-European jurisdictions.
Because your members deserve better than a host whose data can be silently seized by a US court.
Your data stays in Europe. For real.
Read more:
- Discover Paak and its European infrastructure — management, payments, compliance
- About Emmara — our commitment to digital sovereignty
- Excel Is Killing Your Club — why it’s time to ditch spreadsheets
- Why CRM is a must-have — centralise your data
Paak is a management platform for sports clubs, 100% European. paak.club
Sources and references
- Follow the Money — “U.S. gets sneak peek at Europe’s military tech through CIA-backed fund”
- Wire.com — “CLOUD Act: What It Means for EU Data Sovereignty”
- CDT.org — “FISA 702 Expansion: Impact on the EU-U.S. Data Privacy Framework”
- The Register — “International Criminal Court dumps Microsoft Office”
- Computer Weekly — “Microsoft’s ICC email block reignites European data sovereignty concerns”
- Synergy Research Group — “European Cloud Providers’ Local Market Share Now Holds at 15%”
- Lighthouse Reports — “What is Palantir Doing in Europe?”
- Oodrive — “Extension of the FISA Act: A Threat to Our Data”