Legal & Contractual complete

• Click-through acceptance. Cloud services are onboarded by clicking "I agree" on standard Terms of Service. No one in the organisation has read these terms, let alone assessed their implications for data protection, liability, or jurisdiction.
• No Data Processing Agreements. Despite processing personal data through multiple cloud providers, the organisation has not executed a single DPA. The obligations, rights, and responsibilities of the processor relationship are undefined.
• Jurisdictional blindness. The organisation does not know which country's laws govern its cloud contracts, where disputes would be resolved, or whether its data is subject to foreign government access requests.
• No contract register. There is no centralised record of which cloud services are in use, what contracts govern them, or when they expire.

Without contractual frameworks, the organisation has no legal recourse if a provider suffers a data breach, changes its terms to the organisation's detriment, or is compelled by foreign authorities to disclose data. GDPR Art 28 is unambiguous: processing by a processor must be governed by a contract or legal act. Operating without DPAs is not a grey area - it is a clear regulatory violation.

Legal sovereignty is impossible without a contractual foundation. At this level, the organisation has ceded all control to providers whose terms are designed to protect the provider, not the customer. The organisation cannot even assess its exposure to foreign law because it has not examined the governing law clauses in its own agreements.

• Template DPAs. The organisation has executed the provider's standard DPA (e.g., Microsoft's DPA, AWS's DPA, Google Cloud's Data Processing Amendment). These documents were signed as part of the onboarding process without modification.
• No negotiation. The organisation lacks the perceived leverage, expertise, or awareness to negotiate contractual terms. Procurement treats cloud services as commodity purchases rather than strategic data processing relationships.
• Foreign jurisdiction accepted. Contracts are governed by US law (or another foreign jurisdiction) because that is what the provider's standard terms specify. No legal assessment has been conducted on the implications of this choice.
• Unilateral amendment rights. Providers retain the right to modify terms, pricing, and sub-processor lists with minimal notice. The customer's only recourse is to terminate - often impractical given lock-in.

Standard DPAs provide a baseline of contractual protection, but they are drafted by the provider's legal team to protect the provider's interests. Common issues include:

• Broad sub-processing rights that allow the provider to engage additional processors without the customer's meaningful consent.
• Liability caps that are disproportionately low relative to the potential damage from a breach.
• Governing law clauses that require disputes to be resolved in a foreign jurisdiction, significantly increasing the cost and complexity of enforcement.
• Data access provisions that do not address the provider's obligations when served with a foreign government data access order (e.g., under the CLOUD Act).

The organisation has taken a first step toward contractual order, but its agreements provide form without substance. Sovereignty requires not just the existence of contracts but the ability to enforce meaningful protections within them. At Level 1, the provider holds all the contractual power.

• Negotiated DPAs. The organisation has secured amendments to provider DPAs - typically covering enhanced audit rights, shorter breach notification timelines (e.g., 24-48 hours rather than "without undue delay"), and a sub-processor approval or objection mechanism rather than mere notification.
• SCCs with Transfer Impact Assessments. For each international data transfer, the appropriate SCC module has been executed and a Transfer Impact Assessment documents the legal regime in the recipient country, supplementary measures in place, and residual risk.
• Active sub-processor monitoring. When a provider notifies the organisation of a new sub-processor, a documented review process is triggered. The organisation has exercised its objection right at least once or has documented its rationale for acceptance.
• Legal counsel engagement. Cloud contracts are reviewed by legal counsel with data protection expertise before execution. Review memoranda document identified risks and negotiated mitigations.

Despite meaningful progress, Level 2 organisations face structural limitations:

• Unilateral ToS changes. While the DPA may be negotiated, the underlying Terms of Service often still permit the provider to modify service terms, acceptable use policies, or pricing with limited notice. The negotiated DPA may not override these rights.
• Limited liability. Liability caps in cloud agreements are typically set at 12 months of fees paid - which may represent a fraction of the actual damage from a data breach or service failure.
• CLOUD Act exposure. Transfer Impact Assessments correctly identify CLOUD Act risk for US-headquartered providers, but contractual mitigations (notification commitments, undertakings to challenge orders) are procedural rather than structural. A US court order will compel disclosure regardless of contractual commitments.
• Governing law. Contracts may still be governed by US or other foreign law, increasing enforcement costs and jurisdictional complexity.

Level 2 represents a significant advancement in contractual sovereignty. The organisation exercises meaningful control over its processor relationships and has visibility into cross-border transfer risks. However, the asymmetry of bargaining power with hyperscale providers means that certain structural risks - particularly CLOUD Act exposure and unilateral amendment rights - cannot be fully addressed through contractual negotiation alone.

• Custom enterprise agreements. Critical cloud services are governed by bespoke contracts - not amended versions of standard Terms of Service. These agreements are negotiated bilaterally with the provider's enterprise legal team and reflect the organisation's specific regulatory and sovereignty requirements.
• EU/Swiss governing law. All material contracts specify EU member state or Swiss law as the governing law, with disputes resolved in local courts or through arbitration seated in the relevant jurisdiction. This eliminates the cost and unpredictability of litigating in foreign courts.
• Bilateral termination rights. The customer can terminate for cause - including material breach, change of control (e.g., provider acquisition by a foreign entity), or regulatory necessity (e.g., new legal requirements that make the service relationship non-compliant). Upon termination, the provider is contractually obligated to assist with data extraction in standard formats within a defined timeline.
• Escrow arrangements. For services with significant switching costs, source code, configuration data, or critical datasets are held in escrow with a reputable third-party agent. Release conditions cover provider insolvency, persistent material breach, and service discontinuation.
• CLOUD Act mitigation. The organisation has implemented a layered approach to CLOUD Act risk: contractual commitments from the provider to notify and challenge any foreign government access order, combined with structural measures such as requiring operations through an EU-based subsidiary, deploying encryption architectures that limit provider access to cleartext data, and participating in provider data boundary programmes.

Level 3 provides the organisation with genuine contractual sovereignty over its cloud relationships. The key advances over Level 2 include:

• Enforceability. EU/Swiss governing law ensures that contractual protections can be enforced in a familiar legal system at manageable cost.
• Resilience. Escrow and termination rights ensure that the organisation is not trapped in a deteriorating provider relationship.
• Structural protection. CLOUD Act mitigations go beyond contractual promises to include architectural and organisational measures that reduce the practical risk of compulsory foreign disclosure.

Even at Level 3, the organisation remains a customer of providers who may have US or other foreign parent entities. While structural mitigations significantly reduce practical risk, the theoretical legal reach of instruments like the CLOUD Act extends to any entity under US jurisdiction - including foreign subsidiaries. Complete elimination of this risk requires moving beyond third-party provider relationships entirely, which is the domain of Level 4.

• Self-hosted or sovereign cloud. Critical infrastructure is either operated on the organisation's own premises or provided by sovereign cloud operators incorporated and operating exclusively within the local jurisdiction. These providers have no foreign parent entity, no foreign subsidiary obligations, and no contractual relationships that could create indirect foreign law exposure.
• Open-source software stack. The technology stack is composed entirely of open-source components. There are no proprietary licensing agreements that could constrain the organisation's freedom to operate, modify, or migrate its systems. The organisation can fork any component if the upstream project's direction diverges from its needs.
• Local jurisdiction throughout. Every contract, every corporate relationship, and every data processing arrangement is governed by local law. There is no clause, mechanism, or structural relationship through which a foreign government could assert jurisdiction over the organisation's data.
• No CLOUD Act exposure. Because no entity in the infrastructure or service chain is subject to US jurisdiction, the CLOUD Act - and equivalent foreign government access instruments - has no legal mechanism to reach the organisation's data. This risk is not mitigated or managed; it is eliminated.

Level 4 is the target state for organisations that require full legal sovereignty over their data and operations. The key achievements are:

• Complete jurisdictional control. The organisation knows with certainty which law governs every aspect of its data processing and can enforce its rights in local courts.
• Zero foreign law exposure. No foreign government can use legal instruments to compel any entity in the organisation's supply chain to disclose data.
• Freedom to operate. Open-source software and sovereign infrastructure eliminate the risk of vendor lock-in, forced migration, or unilateral service changes.
• Regulatory confidence. The organisation can demonstrate to regulators, auditors, and data subjects that its data processing arrangements meet the highest standard of legal protection available.

Achieving Level 4 is not a one-time accomplishment. Maintaining it requires continuous attention:

• Provider ownership monitoring. Sovereign cloud providers may be acquired by foreign entities. The organisation must monitor ownership changes and have contingency plans to migrate if a provider's sovereignty status changes.
• Open-source supply chain. While open-source eliminates vendor lock-in, it introduces supply chain responsibilities. The organisation must monitor for abandoned projects, security vulnerabilities, and licence changes in its dependency tree.
• New service introductions. Every new service or tool adopted must be assessed against Level 4 criteria before deployment. A single proprietary dependency or foreign-jurisdictioned service can compromise the entire sovereignty posture.
• Regulatory evolution. New regulations, bilateral agreements, or court rulings may alter the legal landscape. The organisation's legal team must stay current with developments in data sovereignty law across relevant jurisdictions.