Is your AI supplier within reach of the US CLOUD Act?

Seven questions about who owns your stack. About two minutes. No email address, no tracking — your answers stay in your browser.

In 2018 the United States enacted the CLOUD Act. It requires any provider subject to US jurisdiction to preserve and disclose data within its “possession, custody, or control”, and to do so “regardless of whether such communication, record, or other information is located within or outside of the United States” (18 U.S.C. § 2713). In plain terms: if the company can be compelled in a US court, the location of the servers does not settle the question. Data residency is about geography. The CLOUD Act is about ownership and jurisdiction.

This is not a theoretical reading of the statute. Asked before a French Senate commission of inquiry on 10 June 2025 whether he could guarantee that French citizens’ data would never be transmitted to the US authorities without the agreement of the French authorities, the director of public and legal affairs of Microsoft France answered, under oath: no, he could not guarantee it — adding that it had never happened. Both halves of that answer deserve to be taken seriously. This checker is about the first half: whether the legal route into your data exists at all.

Answer the questions below about the AI or cloud service your practice actually uses — including any unofficial ChatGPT habit, if that is the honest answer. If you don’t know an answer, say so. Not knowing is a finding in its own right, and the result will tell you exactly which questions to put to your supplier in writing.

General information, not legal advice. This checker reflects public sources as at June 2026 and the answers you give, which we cannot verify. It does not assess the lawfulness of your current arrangements, your UK GDPR position, or any specific contract, and a verdict here is not a substitute for your practice’s own DPIA. For decisions about your data protection obligations, speak to your Data Protection Officer or a solicitor.

JavaScript is off — this page still works as a worksheet. Answer the seven questions on paper, then read the verdict the rules point to. The rules: if your answer to question 1 or 2 is yes, your verdict is Within direct reach. Otherwise, if your answer to question 3, 4 or 5 is yes, your verdict is Within reach through the supply chain. Otherwise, if any of questions 1–5 is “not sure”, your verdict is Exposure unknown. Only five firm “no” answers produce Outside direct reach. Questions 6 and 7 never change the verdict; they tell you which follow-up letters to send. All four verdicts are printed in full below.

1. Is your AI supplier’s ultimate parent company incorporated in the United States?

Follow the ownership chain to the top. OpenAI (ChatGPT), Microsoft (Copilot), Google (Gemini) and Anthropic (Claude) are all US companies. A UK subsidiary, a UK office or a “.uk” domain does not change where the parent answers to a court.

2. Is your contract for the service with a US entity, or governed by the law of a US state?

Check the signature block and the “governing law” clause in the terms of service. Many AI services sold in the UK contract from the US, or under the law of California or Delaware.

3. Does your supplier have any US corporate presence — a parent, a controlling US investor, a subsidiary, branch or office in the United States?

The CLOUD Act binds providers “subject to US jurisdiction”, and whether a non-US company qualifies is a fact-dependent question about its contacts with the United States. A company that operates exclusively outside the US is not within US personal jurisdiction; a company with a substantial US presence may be. If you answered yes to question 1, answer yes here too.

4. Do US-owned sub-processors handle your content — for example, the model behind the service (OpenAI, Anthropic, Google) or the hosting platform (AWS, Microsoft Azure, Google Cloud)?

Ask for the sub-processor list; a supplier processing personal data under UK GDPR Article 28 should be able to produce one. Many products marketed as UK AI are an interface over a US model API or a US-owned cloud — and the sub-processor is where your text actually goes.

5. Is the hardware that runs the AI model owned or operated by a US company, wherever it physically sits?

“UK region” usually means a US-owned data-centre estate that happens to be located in Britain — Azure UK South, AWS London and Google Cloud London are all examples. The building is in England; the operator is not. The legal question follows the operator, not the postcode.

6. Does your supplier publish, in writing, who owns the inference hardware and where your content is processed?

Look for a security or sub-processor page with company names and dates on it, not slogans. “UK-based” and “sovereign” are marketing words; the ownership and location of the machines are facts, and facts can be stated plainly.

7. Has your supplier confirmed to you in writing that no company in its ownership or processing chain can be compelled to disclose your data under US law?

A supplier genuinely outside US jurisdiction can put this in one sentence on letterhead. A supplier inside it will usually send you a paragraph about encryption instead. The difference is informative.

Within direct reach.

On your answers, the company you contract with — or its parent — is subject to US jurisdiction. Under 18 U.S.C. § 2713, a provider subject to US jurisdiction must disclose data in its “possession, custody, or control... regardless of whether” that data “is located within or outside of the United States”. UK data residency does not close this route; it determines where your data sits, not who can be compelled to hand it over. To be equally clear about what this verdict is not: it is not a finding that your data has been accessed, that access is likely, or that using this supplier is unlawful. US authorities need a qualifying legal order, orders can be challenged, and the Microsoft executive who told the French Senate he could not guarantee non-disclosure also said it had never happened. The finding is narrower and more useful than alarm: the legal route exists, your contract and your hosting region do not remove it, and your DPIA should say so in those words rather than rely on “UK hosting” to answer a question it cannot answer.

Within reach through the supply chain.

Your supplier may well be UK- or EU-owned, but on your answers your content passes through US-owned hands — a model API, a cloud platform, or hardware operated by a US company. The CLOUD Act binds providers subject to US jurisdiction, and the question for your data is asked of every link that has possession, custody or control of it, not of the logo on the invoice. A UK company reselling a US model has moved the contract; it has not moved the jurisdiction. As with every verdict on this page, this is not a finding that anything has been accessed. It is a finding that the route exists one step down the chain — which is precisely where it is easiest for a DPIA to miss.

Exposure unknown — which is itself a finding.

You could not answer one or more of the questions that determine whether a US legal route into your data exists. That is not a criticism. Most of this information is genuinely hard to find, and some suppliers prefer it that way. But it means your practice’s current position is “exposure undetermined”, and a DPIA that is silent on a question this basic is incomplete rather than reassuring. The useful news is that every gap on this page can be closed with one short letter, and a supplier’s speed and directness in answering it will tell you nearly as much as the answers themselves.

Outside direct reach, on your answers.

On what you have told us, no company in your AI supply chain is US-owned, US-contracted or running on US-operated hardware. If that is correct, the CLOUD Act has no direct route to your data: the statute binds providers subject to US jurisdiction, and on your answers there are none in the chain. Two honest caveats belong next to that. First, this page cannot verify your answers — only your supplier’s written confirmation can, and if you do not yet hold one, that is the next step. Second, “outside the CLOUD Act” does not mean “beyond all legal process”: US authorities can still seek data held in the UK through UK courts, by mutual legal assistance or under the UK–US Data Access Agreement in force since October 2022, and UK authorities have powers of their own. The difference is that those routes run through UK law and UK oversight — which is exactly why ownership and jurisdiction, not server location, were worth checking in the first place.
