
US CLOUD Act & SaaS Monitoring: What EU Founders Need to Know

The CLOUD Act lets US authorities access data from US companies regardless of hosting region. Here's what it means for your monitoring stack.

If you’re an EU founder using a US-based monitoring tool, there’s a law you should know about. It’s called the CLOUD Act, and it fundamentally changes what “your data is stored in the EU” actually means.

What Is the CLOUD Act?

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into US law in March 2018. It establishes that US law enforcement can compel providers subject to US jurisdiction to produce data in their "possession, custody, or control", regardless of whether that data is physically stored in the US or in a foreign country. Jurisdiction attaches to the company, not to the server location.

In plain language: if your monitoring provider is a US company, the US government can request your data — even if the servers are in Frankfurt, Dublin, or Amsterdam.

How It Works

Here’s a simplified scenario:

Scenario: CLOUD Act request for monitoring data

  1. You’re an EU startup using a US monitoring tool
  2. Your monitoring data is stored in an “EU region” data center
  3. A US law enforcement agency issues a warrant or subpoena to the monitoring provider
  4. The provider is legally required to hand over your data — regardless of where it’s stored
  5. The provider may be prohibited from telling you about the request (gag order)
  6. Your monitoring data — URLs, uptime patterns, incident history, alert configs — is now in the hands of a foreign government

This isn’t hypothetical. The CLOUD Act was passed to resolve a live legal dispute (Microsoft vs. United States) in which Microsoft refused to hand over emails stored in Ireland under a US warrant; the Supreme Court dropped the case as moot once the Act was law. The CLOUD Act made it unambiguously clear: US jurisdiction follows the company, not the data center.

What Data Is at Risk?

When a CLOUD Act request targets your monitoring provider, the following data could be disclosed:

  • All monitored URLs — your complete service map
  • Check results — uptime/downtime patterns over time
  • Response times — performance data for all endpoints
  • Incident history — what broke, when, and how often
  • Alert configurations — who gets notified, through which channels
  • Account information — your email, team members, billing details
  • API keys and webhook URLs — your integration endpoints (incoming webhook URLs for chat tools typically embed a bearer secret, so disclosing them is disclosing a credential)

This is not just metadata. It’s a comprehensive profile of your infrastructure.

CLOUD Act vs GDPR — The Legal Conflict

The CLOUD Act and GDPR pull in opposite directions:

GDPR says: Personal data of people in the EU may only be transferred to a third country with adequate protection in place (Chapter V), and a third-country court order is not by itself a lawful basis for disclosure (Article 48). In Schrems II (2020) the CJEU held that US surveillance law meant the US did not offer adequate protection and struck down the Privacy Shield. The EU-US Data Privacy Framework (adequacy decision of July 2023) restored a transfer mechanism for certified US companies, but it is being challenged in the EU courts and does not narrow what the CLOUD Act lets US authorities compel.

CLOUD Act says: US companies must hand over data on request, regardless of where it’s stored or what local laws say.

US companies caught in the middle typically:

  • Comply with the CLOUD Act (because non-compliance means contempt of court in the US)
  • Hope GDPR enforcement doesn’t catch up (because GDPR fines are the lesser immediate risk)

The Act does let a provider move to quash an order that would force it to break another country’s law, but only where that country has signed a CLOUD Act executive agreement with the US; the EU has not, so an EU customer cannot count on that route.

As an EU customer, this means your monitoring provider’s GDPR promises are only as strong as their willingness to risk US legal consequences. Most won’t take that risk.

“But They Have SCCs…”

Standard Contractual Clauses (SCCs) are the legal mechanism most US companies use to justify EU data processing since Schrems II killed the Privacy Shield. But the Court of Justice of the EU made clear in that same ruling that SCCs bind only the contracting parties: they cannot stop US authorities from exercising their powers, and the exporter must assess whether the destination country’s law undermines them and add supplementary measures if so.

SCCs are a contractual promise between you and the provider. The CLOUD Act is a law that applies regardless of contracts. When there’s a conflict between a contract and a law, the law wins.

Which Monitoring Tools Are Affected?

Any monitoring tool operated by a company subject to US jurisdiction is within reach of the CLOUD Act. That includes US-incorporated vendors, but also EU vendors that have US offices or subsidiaries, and any vendor whose data sits with a US-owned hosting provider. Examples of monitoring vendors commonly understood to be US companies:

  • Pingdom — owned by SolarWinds (US)
  • BetterStack — US company
  • Datadog — US company
  • PagerDuty — US company
  • New Relic — US company

UptimeRobot is often listed alongside these, but its terms of service name a non-US operating entity, so check the current terms before assuming either way. In general, verify the legal entity in the vendor’s own Terms of Service and DPA rather than relying on where the product team sits; corporate structures change.

Even if these companies offer “EU data residency,” the CLOUD Act applies to the company, not the data center.

What You Can Do

1. Choose an EU-incorporated monitoring provider

The simplest solution: use a provider that is not subject to US jurisdiction. A German, French, Belgian, or any other EU-incorporated company with no US subsidiary or establishment cannot be compelled by the CLOUD Act directly. Two caveats: an EU company with a US entity can still be reached through that entity, and an EU vendor that runs on a US hyperscaler (AWS, Google Cloud, Azure) has put your data in a US company’s “control” anyway, so ask about hosting and subprocessors as well as incorporation.

Check our guide to GDPR-compliant monitoring tools for EU-based options.

2. Self-host your monitoring

Tools like Uptime Kuma let you run monitoring on your own infrastructure. No third party holds your check results, so there is no CLOUD Act exposure for the monitoring data itself. The exposure that remains is wherever your alerts go: a notification channel pointed at a US-hosted chat or paging service re-exports incident details to that provider.
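As an added example (not part of the original article or the Uptime Kuma project’s own documentation), here is a minimal Docker Compose file that runs Uptime Kuma on a host you control. It uses the project’s published image, default port and data directory; the bind to 127.0.0.1 (so the UI is only reachable through a reverse proxy you terminate TLS on) and the local data path are assumptions of this example, not defaults.

```yaml
# docker-compose.yml for a self-hosted Uptime Kuma instance.
# Image name, port 3001 and the /app/data volume are the project's defaults.
# Binding to 127.0.0.1 and the ./uptime-kuma-data path are choices made here.
services:
  uptime-kuma:
    image: louislam/uptime-kuma:1
    container_name: uptime-kuma
    restart: unless-stopped
    # Bind only to loopback; put an EU-hosted or self-managed reverse proxy
    # with TLS in front rather than exposing the UI directly.
    ports:
      - "127.0.0.1:3001:3001"
    # All check results, incident history and notification settings live here,
    # on your own disk, not with a third-party provider.
    volumes:
      - ./uptime-kuma-data:/app/data
```

Start it with `docker compose up -d` and complete the setup at http://127.0.0.1:3001 (or through your proxy). When you add notification channels inside the UI, prefer an SMTP server or chat system you or an EU provider operate; a webhook into a US-hosted service hands that service the alert text, which is exactly the data this article is about keeping out of US jurisdiction.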

3. Evaluate your actual risk

Not every business needs to worry about the CLOUD Act equally. But if you:

  • Handle personal data of people in the EU (GDPR applies to data subjects in the EU, not to EU citizens as such)
  • Are in a regulated industry (finance, health, legal)
  • Have customers who ask about data sovereignty
  • Are building a trust-based product

…then the CLOUD Act should be part of your vendor evaluation.

4. Ask the right questions

When evaluating a monitoring tool, ask:

  • Where is the company incorporated, and does it have a US parent, subsidiary or office?
  • Is the company subject to the CLOUD Act, and how does its DPA address third-country government requests?
  • Which hosting providers and subprocessors handle our data, and are any of them US-owned?
  • Under what legal process would you disclose our data to non-EU authorities, would you challenge the request, and would you notify us where the law allows?
  • Is the DPA available for download before we sign?

If they can’t answer clearly, that tells you something.

The Bottom Line

The CLOUD Act means that “EU data center” and “EU data residency” are not the same thing. Where the servers are matters less than where the company is incorporated.

For EU founders who take data sovereignty seriously, the safest path is choosing monitoring tools from EU companies that also host with EU providers — a stack where the CLOUD Act simply doesn’t apply — or running the monitoring yourself.

Explore why monitoring data specifically shouldn’t leave the EU or browse European alternatives to US monitoring tools for your options.

Engin Yildirim

Founder of FoundersDeck. 13+ years in software engineering. Building EU-first tools for founders.