Can the US just access Msafe data?

Your data resides with Msafe on Microsoft Azure in the Netherlands, with Microsoft Ireland as the contracting party. Yet we often hear the question: can U.S. legislation, such as the U.S. CLOUD Act, affect the sovereignty of customer data? In this article we explain what the U.S. can and cannot enforce, why data location is not the same as jurisdiction, and how often this occurs in practice. We also show what measures Msafe deploys to minimize risk: EU hosting, client-side/end-to-end encryption, strict access with MFA and policies, and full audit trails, so that you can share securely and remain demonstrably compliant.
We regularly receive (justified) questions about data sovereignty: if Msafe’s software runs on Microsoft Azure, can the US access my data, even if it is located in the Netherlands?

In this article, we explain this clearly. The US cannot “just access” your data, and the practical probability of a scenario where this plays out is very low. A residual risk does exist, associated with jurisdiction over the cloud provider (not the location of the servers), which is why we take additional measures to minimize this risk.

Msafe is hosted in the Netherlands on Microsoft infrastructure within Microsoft Azure.

Msafe Secure File Transfer is EU-hosted, built in the Netherlands, with strong encryption (AES-256), strict access control and a full audit trail.

U.S. laws such as the U.S. CLOUD Act may in some cases require providers to hand over data under their “control,” regardless of where that data resides.

This is not a bulk access or “master key.” It requires a legal process, and Microsoft emphasizes that the CLOUD Act does not create automatic or unrestricted access.

Dutch analyses (NCSC) assess the risk of CLOUD-Act disclosure of EU data as (very) low, based on transparency reporting (Microsoft: 12 disclosures of “non-US enterprise content data” since 2018).

Why this question exists (and why it is good that you are asking it)

“Data in the Netherlands” (data residency) means: the storage location is NL/EU. This is important and reduces many risks.

But data sovereignty is also about which legislation can force a party with access to the infrastructure to provide data.

Since Microsoft is a US corporate group, the question quickly arises: can the US put pressure on Microsoft through legislation, even if the servers are in Europe?

That question is real, which is precisely why we choose an architecture and policy that minimizes plain-text exposure, strictly controls access and makes everything provable.

What is the U.S. legally allowed to do?

The core of the U.S. CLOUD Act (18 U.S.C. § 2713) is that a provider may be required to retain/transfer data under its “possession, custody, or control,” regardless of whether that data is inside or outside the U.S.

Important: This is not “free access to European data centers.” It is about enforcing cooperation through a legal claim.

No “bulk access” and no automatic access

Microsoft itself publishes explanations in which it explicitly states that the CLOUD Act does not provide unlimited, bulk or automatic access; requests from U.S. investigative authorities must meet strict legal requirements.

EU rules limit ‘direct’ enforceability

From an EU perspective, Article 48 GDPR is also relevant. The EDPB guidelines explain that rulings/decisions of third-country authorities are not automatically enforceable in the EU.

Specifically, what does this mean for Msafe customers?

Our software runs on a Dutch server from Microsoft. This data center at Schiphol Airport is certified and complies with all EU regulations.

Msafe Secure File Transfer is designed as a controlled, auditable file layer:

  • Strong encryption (AES-256) and detailed access control.
  • Files are encrypted client-side before upload/send (i.e., before they even enter the cloud).
  • Encryption keys are accessible only to authorized users.
  • Access can be enforced with 2FA/MFA and policies such as automatic expiry and revocation.
  • All actions are fully traceable via an audit trail (uploads/downloads/shares/deletions, etc.) and exportable for compliance.

Why this reassures: even if a third party ever tries to force access to stored data, the difference between “data in plain text” and “data that is already client-side encrypted” is huge.

Encryption is not a marketing term; it is risk mitigation.

How do we secure this organizationally?

Msafe is ISO 27001:2022 certified (audit by DEKRA).

That includes structural risk analysis, controlled processes, security policies and continuous improvement.

How great is the risk in practice?

It is fair to say: a theoretical possibility is not the same as a likely scenario.

A relevant (Dutch) analysis by the NCSC concludes that the risk of CLOUD Act disclosure of EU data appears (very) low, based in part on transparency reports. That memo states that Microsoft has disclosed “non-US enterprise content data” in this context 12 times since the CLOUD Act was enacted in 2018.

In addition, Microsoft guarantees that users/customers are informed in advance when data is accessed, unless prohibited by law.

What can you expect from Msafe?

We want “data sovereignty” for customers not to be a vague concept, but something you can test and prove. We are therefore transparent about hosting in the Netherlands/EU and about how our encryption, multi-factor authentication and audit trails work.

FAQ

Can the US “just access” my data because Msafe runs on Azure?

No. There is no “direct view button.” Access requires a legal process. The CLOUD Act is about disclosure through provider control, not bulk or automatic access.

Is “data in the Netherlands” a guarantee against jurisdictional risk?

It’s a very strong foundation (residency), but jurisdiction is about legislation and control. That’s why we combine EU hosting with encryption, access control and auditability.

What if Microsoft needs support?

Microsoft has mechanisms such as Customer Lockbox (in Azure) that allow explicit approval or disapproval (with logging) of access to customer data in exceptional support situations.

What is your key technical mitigation?

That files are encrypted client-side before upload/send and that access is strictly controlled (MFA/2FA, expiry/revoke, policies) with full audit trails.

Can the US just access Msafe?

Msafe customers need not fear that “the U.S. can just access your data” because Msafe runs in Azure in the Netherlands.

Yes, U.S. legislation such as the CLOUD Act exists and is relevant in broad terms.

But: it is not bulk access, the practical probability is very low according to Dutch analyses, and Msafe’s security model (EU hosting + client-side/E2E encryption + strict access + audit trails + ISO governance) is precisely designed to minimize sovereignty risks.
