EU Sovereign Cloud, GAIA-X and air-gap: what mid-market really needs from cloud sovereignty
Sovereignty rules have grown teeth. For mid-market companies in Europe, the question is no longer 'where is the data' but 'who can subpoena it, who can patch it, and where does the key live'.

For a decade, "data sovereignty" was a procurement checkbox: tick a region, sign the DPA, move on. The teeth have grown. Schrems II, the EU Data Act, the AI Act, national supply-chain regulations and a wave of customer-driven scrutiny have turned sovereignty from a clause into an architecture.
The question is no longer "where is the data stored?" It is "who can compel its disclosure, who can patch the runtime, and where does the encryption key live when the lawyers show up?"
What sovereignty actually means in 2026
The useful framing breaks sovereignty into four distinct concerns.
- Data sovereignty - the physical location of the bytes. Necessary, not sufficient.
- Operational sovereignty - which entity can patch the operating system, observe the logs, restart the service. If a U.S. parent of an EU subsidiary can SSH in, the EU subsidiary does not have operational sovereignty.
- Legal sovereignty - which jurisdiction's subpoenas the platform must honour. CLOUD Act vs GDPR is the canonical conflict.
- Digital sovereignty - whether the customer can leave the platform without rewriting their stack. Open standards, open table formats, exportable schemas.
A vendor that can answer "yes" to one of these and silently shrug at the other three is not a sovereign vendor.
Six deployment topologies, one platform
DivetIQ supports six deployment shapes from one codebase. The list matters because mid-market companies rarely fit a single mould.
- Public-cloud SaaS - multi-tenant on AWS, Azure or GCP. EU regions available, customer chooses.
- Single-tenant SaaS - dedicated tenant in the customer's chosen region with isolated data planes.
- Private cloud on AWS, Azure or GCP - customer's own cloud account, DivetIQ-operated.
- On-premise Kubernetes / OpenShift - the customer's own datacenter, full operational control.
- EU Sovereign Cloud - GAIA-X-aligned, EU-only data plane and control plane, no U.S.-jurisdiction admin access.
- Air-gapped private cloud - no internet egress, sealed update process.
All six run the same modules, the same APIs, the same agent catalog. There is no "limited sovereign edition" with a smaller feature surface.
Keys, residency, and the boring details that matter
Encryption at rest is AES-256, encryption in transit is TLS 1.3. The interesting questions are about who holds the key.
- BYOK (Bring Your Own Key) - the customer manages the key material in their own KMS; DivetIQ requests decryption per operation. Revoking the key revokes platform access.
- HYOK (Hold Your Own Key) - the key never leaves the customer's HSM. DivetIQ operates against encrypted payloads where the workflow allows.
- Confidential computing options for highly regulated workloads in V2 - data decrypted only inside attested enclaves.
The other boring details that matter on the day a regulator calls:
- Per-region data residency with verified controls, not best-effort.
- Sub-processor list in a customer-facing Trust Center, with notification before any change.
- AI transparency notices wherever the EU AI Act requires them, plus opt-out where applicable.
- Operational tooling for GDPR/CCPA/LGPD - DSAR, right to be forgotten, portability, rectification - exposed as a workflow, not as a help-desk ticket.
ISO 27001, SOC 2 Type II, GDPR-by-design are table stakes. The questions that matter past the audit are who has hands on the keyboard, whose courts can compel the disclosure, and whether the customer can leave with their data intact. Mid-market companies do not always need every answer - but they should know what they are answering, and they should be the ones choosing.