The CLOUD Act Is Not Your Vendor's Problem. It Is Yours.
The CLOUD Act compels US-incorporated vendors to hand over data on request, regardless of where it's hosted. Here's why vendor jurisdiction matters for CTI.

Key takeaways
- Threat intelligence platforms hold an organisation’s most operationally sensitive data. The jurisdiction governing that data matters as much as the encryption protecting it.
- The US CLOUD Act compels any American-incorporated vendor to produce data held anywhere in the world on government order, regardless of where it sits physically or what a contract says.
- Processing sensitive security data through a US-incorporated platform may place an organisation in ongoing structural non-compliance with UK GDPR. This may not be because of a breach, but because of the architecture itself.
- The only way to close this exposure is a vendor not subject to US jurisdiction. Contracts are a process. They are not a technical control.
Threat intelligence exists to reduce exposure to adversaries. It is a structural risk written into the legal framework of every US-incorporated technology company. Subsequently, most UK security teams have not fully considered what that means.
The Data Your Intelligence Platform Actually Holds
Threat intelligence platforms sit at the intersection of the most sensitive operational data, specifically; indicators of compromise, network telemetry, incident timelines and adversary tracking. In many cases, the intelligence a mature platform accumulates about an organisation’s environment is more operationally sensitive than the data in their SIEM.
A capable adversary with visibility into an organisation’s intelligence platform would know which threats have been detected and those that have not. Adversaries would know an organisation’s response patterns and the gaps in detection coverage. Consequently, they are aware of this overlooked area before an organisation can be.
So ask the question too few procurement teams ask: what jurisdiction governs access to that data?
What the CLOUD Act Actually Does
The CLOUD Act compels US providers to produce data held anywhere in the world on government order. Where data physically sits is irrelevant. What contracts say is irrelevant. Which data protection law nominally applies to an organisation is irrelevant.
The CLOUD Act follows the provider, not the data. FISA Section 702, which was reauthorised in April 2024 with expanded scope, provides a parallel intelligence-community access mechanism. Together, this mean that data is reachable through multiple legal channels simultaneously, none of which require an organisation's knowledge or consent.
Why Your Contract Does Not Protect You
The ICO’s Transfer Risk Assessment guidance requires organisations to assess the risk of third-party government access when transferring data internationally. It also requires additional technical and organisational steps where that risk is identified, which often features steps that go beyond what a contract alone can provide. The EDPB’s Schrems II recommendations, which the ICO references in its own guidance, are more direct. They confirm that contractual supplementary measures alone cannot address US surveillance law exposure and that technical measures are required. A notification clause is a process that activates after data has already been sought, it is not a control.
Additionally, GDPR Article 48 prohibits transferring personal data to non-EU authorities on the basis of a foreign court order alone. An organisation using a US-incorporated intelligence platform may be in ongoing structural non-compliance, not because of anything that has gone wrong, but because of the architecture itself. NIS2 and DORA compound this for critical infrastructure and financial services operators, both of which carry third-party ICT supply chain risk obligations that a CLOUD Act-exposed vendor relationship directly implicates.
What Switzerland Got Right
Switzerland rejected Palantir's bids at least nine times, not because the platform failed but because the sovereignty risk was judged unacceptable regardless of contractual protections.<sup>[1]</sup> The assessment identified factors no clause can address:proprietary complexity preventing independent audit, opaque internal architecture, foreign legal jurisdiction, and remote update mechanisms that could change platform behaviour without the operator's knowledge.
The question Switzerland’s authorities answered is the one every security leader should ask: if this vendor's home government chose to act against our interests, could they do so through this platform, and would we know?
Closing the Exposure
No contract, data residency clause, or vendor commitment changes the legal framework. The exposure is structural. The only decision that removes it is choosing a vendor not subject to US jurisdiction.
CYJAX is incorporated in the UK. Our legal obligations run to UK law. Our data governance is independently verified to ISO 27001:2022. There is no CLOUD Act jurisdiction over our operations. When you deploy CYJAX, the jurisdiction question has one answer, and it is the right one.
Sources
- Euronews, June 2026 — Why are European governments reevaluating their agreements with US defence tech contractor Palantir?
- US Director of National Intelligence — FISA Section 702 legal reference
- ENISA — NIS2 Directive overview
- European Banking Authority — Digital Operational Resilience Act (DORA)
- ICO, January 2026 — Transfer risk assessments
Get Started with CYJAX CTI
Empower Your Team. Strengthen Your Defences.CYJAX gives you the intelligence advantage: clear, validated insights that let your team act fast without being buried in noise.
