Data Sovereignty in an AI era.
The legal reality of the Cloud Act, Schrems II and the EU AI Act. Discover how Verulon guarantees complete control over your business data.
Schrems II Compliant
Privacy Shield invalid — we offer an alternative
EU AI Act Ready
Full control over training data and audit trails
Why act now?
Schrems II Impact
The European Court of Justice declared the Privacy Shield invalid in 2020. Transfer of personal data to the US without additional safeguards is unlawful — but most companies still do it.
The EU AI Act
High-risk AI systems require demonstrable control over training data, model behaviour and audit trails. American cloud AI structurally fails to meet this — and fines can amount to 3% of global turnover.
Technical Architecture
Simplified for mobile
Your Systems
Data Source
Protected by Verulon
Verulon Sovereignty Layer
Dutch jurisdiction · GDPR compliant
Public Cloud
Risk of Cloud Act
Sovereign AI
Fully in the Netherlands
Our 6-Point Guarantee
Jurisdiction Guarantee
Your data is stored and processed exclusively in the Netherlands, under Dutch and EU law. No sub-processors outside the EU.
ISO 27001 Certification
Our processes and infrastructure are certified in accordance with the international standard for information security.
Data Processing Agreement
Transparent, GDPR-compliant data processing agreement with a clear sub-processor list and no silent data transfers.
Audit Rights
Enterprise clients have a contractual right to physical on-site audits of our data centres and processes.
No Foreign Access
Verulon is a fully Dutch company. No foreign parent company, no extraterritorial obligations.
Transparent Chain
Closed, transparent processing chain without external sub-processors. You always know who manages your data.
Ready for the future?
Discuss your compliance challenges with a Verulon specialist and discover how we can guarantee your data sovereignty.
Start your transitionYour business data belongs in the Netherlands.
The legal and technical risks of American cloud services are real. Understand what's at stake — and how to regain full control.
European Court of Justice
C-311/18 — Data Protection Commissioner
“Privacy Shield has been declared invalid.”
Ruling 2020 — Schrems II
Schrems II: Why the Cloud is no longer “just the Cloud”
In 2020 the European Court of Justice declared the Privacy Shield agreement invalid. Since then, any transfer of personal data to the US without additional safeguards is in violation of the GDPR — a reality that most Dutch companies still ignore.
Cloud Act Risk
American authorities can demand data from US companies — even if that data is stored in Europe. AWS, Azure and Google all fall under this.
Our Solution
Verulon is fully Dutch. No foreign parent company, no extraterritorial obligations. Your data falls exclusively under Dutch and EU legislation.
The EU AI Act & Your Data
The EU AI Act (in force since August 2024) sets strict requirements for high-risk AI systems. Organisations using American cloud AI risk fines of up to 3% of global turnover and lack the required audit trails.
Transparency
Full insight into how AI models make decisions. No black-box systems from foreign providers.
Data Verification
Demonstrable control over training data and model weights. Meets the documentation requirements of the EU AI Act.
Governance
Full audit trail of inference logs and model behaviour. Ready for regulators and internal audits.
Our 6-Point Guarantee
Concrete, contractually guaranteed assurances for your data sovereignty — not just a marketing promise.
Jurisdiction Guarantee
Your data is stored and processed exclusively in the Netherlands, under Dutch and EU law. No sub-processors outside the EU.
ISO 27001 Certification
Our processes and infrastructure are certified in accordance with the international standard for information security.
Data Processing Agreement
Transparent, GDPR-compliant data processing agreement with a clear sub-processor list and no silent data transfers.
Audit Rights
Enterprise clients have a contractual right to physical on-site audits of our data centres and processes.
No Foreign Access
Verulon is a fully Dutch company. No foreign parent company, no extraterritorial obligations.
Transparent Chain
Closed, transparent processing chain without external sub-processors. You always know who manages your data.
Technical Design for Sovereignty
Our architecture is built from the ground up to meet the most stringent compliance requirements. Every layer is isolated from foreign jurisdictions.
Isolated Compute
Dedicated bare-metal servers in Dutch data centres. No shared compute with other clients or jurisdictions.
Encrypted Storage
End-to-end encryption with client-managed keys. Verulon never has access to the content of your data.
Architecture Overview
Web
HTTPS / TLS
API
REST / gRPC
Sovereignty Gateway
Jurisdiction validation · Rate limiting · Audit logging
Compute Layer
Bare-metal · Netherlands
AI Inference
Open-source models · Local
Monitoring
Audit trails · Compliance logs
Isolated Storage
NL-onlyFrequently asked questions
Answers to the legal and technical questions we hear most often from compliance officers and IT managers.
What is the difference between data residency and data sovereignty?
Data residency means data is physically located in a certain country — but the parent company may still follow foreign legislation. Data sovereignty goes further: the legal ownership and all applicable legislation fall under local jurisdiction.
Does the US Cloud Act also apply to European data centres of American companies?
Yes. The Cloud Act has extraterritorial effect. If the company managing the data falls under American jurisdiction (AWS, Microsoft, Google), American authorities can demand access — regardless of where the data is physically located.
How does Verulon comply with the EU AI Act?
We work exclusively with open-source models on own infrastructure. Training data, model weights and inference logs remain entirely under your control. We provide the audit trails and documentation required for high-risk AI systems.
What are sub-processors and why are they a risk?
Sub-processors are parties to whom a processor (cloud provider) passes your data for partial processing. Large hyperscalers have dozens of sub-processors worldwide — often without explicit notification. Verulon has a closed, transparent chain without external sub-processors.
Is Verulon suitable for NEN 7510 (healthcare) and BIO (government)?
Yes. Our infrastructure and processes are designed to comply with sector standards such as NEN 7510 for healthcare institutions and the BIO (Baseline Information Security Government). We work with your compliance team for specific attestations.
How quickly can Verulon take over our infrastructure?
Depending on the complexity of your current environment, a migration ranges from 4 to 12 weeks. We always maintain a parallel phase where your existing systems remain operational until the Verulon environment is fully validated.
Ready for sovereign control?
Join the organisations that take their digital sovereignty seriously. We are ready for a no-obligation conversation.