IsoGentiX Knowledge Hub · Infrastructure & Governance

Why We Run on OVHcloud: Data Sovereignty, the CLOUD Act, and Why Infrastructure Is a Compliance Decision

When biological data has legal standing under the Nagoya Protocol, who holds the keys to that data is not an operational question. It is a legal one. This is why IsoGentiX builds on European sovereign cloud infrastructure.


The short answer

IsoGentiX runs its data platform on OVHcloud, Europe's largest independent cloud provider, headquartered in France. This is not primarily a procurement decision. It is a data governance decision, driven by three compounding factors: the legal jurisdiction implications of the US CLOUD Act; the structural conflict of interest that arises when proprietary genomic data is stored with cloud providers that are simultaneously investing in life sciences and drug discovery; and the chain-of-custody requirements imposed by the Nagoya Protocol and EU Regulation 511/2014.

Each of these factors points in the same direction. The biological data that IsoGentiX generates - specimen-level, multi-omic, provenance-verified records from Madagascar's endemic flora - is commercially valuable, legally encumbered, and irreplaceable. The infrastructure on which it sits must offer legal protection that no contract with a US cloud provider can replicate, regardless of the data center location on the invoice.

What the CLOUD Act actually does

The Clarifying Lawful Overseas Use of Data Act - the CLOUD Act - was signed into US law in March 2018. Its practical effect is straightforward: it allows US law enforcement and intelligence agencies to compel US-headquartered technology companies to produce electronic data stored anywhere in the world, including on servers located inside the European Union.

This is not a hypothetical risk. It is a structural feature of US law as it applies to US companies operating globally. Microsoft, Google, Amazon, and any other US-incorporated cloud provider are subject to CLOUD Act orders regardless of where the physical servers are and regardless of what the terms of service or data processing agreements say. Contractual protections offered by a cloud provider do not override domestic statutory obligations.

The jurisdiction gap

A US company operating EU data centers remains a US company for CLOUD Act purposes. Storing data with AWS EU (Frankfurt), Azure EU (Amsterdam), or Google Cloud EU (Belgium) does not remove that data from the reach of US legal process. The legal address of the parent company determines jurisdiction, not the physical address of the server.

The European Commission has acknowledged this conflict explicitly. The Schrems II ruling by the Court of Justice of the European Union (2020) invalidated the EU-US Privacy Shield on the grounds that US surveillance law - including statutes substantially broader than the CLOUD Act - was incompatible with the fundamental rights protections guaranteed by the GDPR and the EU Charter of Fundamental Rights. The underlying conflict of law between US data access requirements and EU data protection obligations has not been resolved. It has been papered over by the EU-US Data Privacy Framework (2023), which remains legally contested.

OVHcloud is a French company, incorporated in France, with no US parent company and no US-domiciled ownership structure that would bring it within CLOUD Act jurisdiction. Data stored on OVHcloud infrastructure is subject to French and EU law only. There is no equivalent European statute that would compel OVHcloud to produce data to a foreign government without going through the formal mutual legal assistance treaty process, which requires EU judicial oversight.

The conflict of interest hiding in plain sight

Beyond the legal jurisdiction question, there is a structural conflict of interest in storing proprietary genomic and metabolomic data with the three dominant US hyperscalers that is rarely discussed directly.

Microsoft, Google, and Amazon are not passive infrastructure providers. Each has made substantial, active investments in life sciences, drug discovery, and biological data analysis - precisely the areas where IsoGentiX's data has its highest commercial value.

Storing novel, proprietary, provenance-verified genomic data from a globally unique biodiversity source on infrastructure operated by companies that are simultaneously competing in the commercial applications of that data category is a conflict of interest that requires justification. We do not believe it can be adequately justified on cost or convenience grounds alone.

"The most valuable thing about IsoGentiX data is its novelty. That novelty has commercial value precisely because it is not publicly available. The infrastructure on which it sits should not be operated by a company with direct commercial interests in the same space."

What EU sovereign cloud infrastructure actually means

Sovereign cloud has become an overused marketing term. In the context of this decision, it has a specific and narrow meaning: cloud infrastructure that is legally and structurally outside the reach of non-EU data access laws, operated by a company with no ownership, management, or contractual dependencies that could make it subject to non-EU legal jurisdiction.

OVHcloud satisfies this definition. It is publicly listed on Euronext Paris, has no US parent company, operates its own hardware across its data center network (rather than leasing capacity from US-owned infrastructure), and has received SecNumCloud qualification from ANSSI - France's national cybersecurity agency - the most rigorous sovereign cloud certification available in the EU.

SecNumCloud qualification is significant because it goes beyond ISO certification. It requires an independent technical audit of the provider's architecture, access controls, and supply chain - including verification that no foreign entity holds a position that could be used to compel data access. It is the standard to which French public authorities hold their most sensitive infrastructure requirements.

OVHcloud's specific security and compliance credentials

The following certifications and qualifications underpin IsoGentiX's choice of OVHcloud as its infrastructure partner. Each addresses a distinct aspect of data protection, operational security, or legal jurisdiction.

SecNumCloud (ANSSI): France's highest sovereign cloud qualification. Requires independent architecture audit and supply-chain verification. Confirms no foreign jurisdiction can compel access.
ISO 27001: International standard for information security management systems. Covers risk assessment, access controls, incident response, and business continuity.
ISO 27017: Cloud-specific security controls extending ISO 27001. Addresses virtual machine isolation, shared resource protection, and cloud-specific threat vectors.
ISO 27018: Personally identifiable information (PII) protection in cloud environments. Governs how data processors handle personal data on behalf of controllers.
HDS (Health Data Host): French certification for hosting health data. Requires certified hosting of health records, clinical data, and - relevantly - genomic data processed for medical purposes.
GDPR Compliant by Design: As an EU company, OVHcloud has no conflict between its domestic legal obligations and GDPR requirements. No cross-border data access orders can override EU fundamental rights law.

43+: Data centres globally, majority in EU.
1999: Founded in Roubaix, France. No US parent structure.
EU law: Only jurisdiction applicable. CLOUD Act has no reach.
0: Proprietary lock-in formats. Open standards throughout.

The Nagoya chain-of-custody connection

The Nagoya Protocol and EU Regulation 511/2014 require that users of genetic resources maintain auditable records demonstrating lawful access, documented chain of custody, and compliance with the benefit-sharing terms under which data was made available. This due diligence obligation sits with the commercial user - the pharma company, the agritech developer, the AI platform - not just with the data provider.

Chain of custody, in this context, is not only about the physical journey of a biological specimen from Madagascar to a sequencing facility. It extends to the digital data derived from that specimen - and to the infrastructure on which that digital data resides. A complete provenance record requires knowing: who can access the data, under what authority, under what circumstances, and with what visibility to the data owner.

This is where the CLOUD Act creates a specific problem for Nagoya-compliant data workflows. If a dataset carrying Nagoya provenance obligations is stored on US cloud infrastructure, there is a category of access event - a lawful CLOUD Act disclosure order - that would not require notification of the data owner, would not appear in access logs in a way the data owner could audit, and could not be prevented by the data owner's contractual terms. The result would be a gap in the chain-of-custody record that neither the data owner nor the commercial user could close.

This gap matters because chain-of-custody documentation is not merely a best-practice requirement under the Nagoya framework. It is the mechanism by which commercial users demonstrate due diligence under EU Regulation 511/2014. An access event that cannot be documented and accounted for is an access event that cannot be included in a due diligence declaration. Under a US hyperscaler, that risk exists structurally. Under OVHcloud, it does not.

IsoGentiX infrastructure architecture

All IsoGentiX primary data - raw sequencing reads, processed assemblies, metabolomic spectra, specimen-level provenance records, and access logs - is stored and processed on OVHcloud infrastructure located in EU data centres. No primary data is processed on or transferred through infrastructure subject to US legal jurisdiction. Access log completeness is guaranteed by design: every access event is recorded and auditable, with no category of lawful access that bypasses the log.

This architecture means that any commercial licensee of IsoGentiX data can include the infrastructure jurisdiction in their Nagoya due diligence documentation without qualification or caveat.

No lock-in and the permanence obligation

One of IsoGentiX's four core values is permanence. The biological data generated through the programme represents decades of field collection, laboratory work, and indigenous community engagement. It cannot be recreated. The species it documents may not be accessible for future collection as deforestation and climate change continue to alter Madagascar's ecosystems. The data must be protected not only from unauthorised access but from institutional failure, vendor dependency, and technological obsolescence.

OVHcloud's commitment to open standards and non-proprietary data formats is relevant here. All data stored on OVHcloud infrastructure uses open formats that can be transferred to any compliant infrastructure without conversion or loss. There is no API lock-in, no proprietary storage format, and no dependency on OVHcloud-specific tooling that would make migration structurally difficult. This preserves the optionality that permanence requires.

By contrast, AWS S3, Azure Blob Storage, and Google Cloud Storage each have egress pricing structures and ecosystem dependencies that create real friction against migration - friction that accumulates over time into effective lock-in. For a dataset that must be preserved and accessible for decades, that friction is a risk factor.

What this means for our clients

For pharma, agritech, and AI companies licensing IsoGentiX data, our infrastructure choice has direct practical implications for their own compliance obligations.

Compliance requirement: Nagoya due diligence documentation
Implication of US cloud: Chain-of-custody record contains structural gap (CLOUD Act access events not auditable by data owner)
Implication of OVHcloud: Complete, auditable access log with no legally privileged gaps. Fully includable in EU Regulation 511/2014 due diligence declarations.

Compliance requirement: GDPR data transfer obligations
Implication of US cloud: Transfer of personal data (including genomic data that can identify individuals) to US-controlled infrastructure remains legally contested post-Schrems II
Implication of OVHcloud: Data remains within EU legal jurisdiction. No cross-border transfer issue. GDPR compliance is structural, not contractual.

Compliance requirement: IP protection
Implication of US cloud: Data stored with a provider that has conflicting commercial interests in the same data category
Implication of OVHcloud: Provider has no life sciences or drug discovery programme. No conflict of interest.

Compliance requirement: Regulatory submissions (EMA, FDA)
Implication of US cloud: Data provenance for regulatory submissions may require explanation of infrastructure jurisdiction
Implication of OVHcloud: EU sovereign infrastructure with full audit trail. Provenance documentation complete and straightforward.

Compliance requirement: Internal data governance policies
Implication of US cloud: Many institutional research organisations and pharmaceutical companies prohibit storage of sensitive research data on infrastructure subject to US CLOUD Act
Implication of OVHcloud: OVHcloud satisfies institutional sovereign cloud policies without requiring exception or review.

The practical consequence is that when a company licenses IsoGentiX data, the infrastructure choice we have made reduces their compliance workload rather than adding to it. They receive data with a complete, unambiguous provenance record, stored on infrastructure whose legal jurisdiction is unambiguous, from a provider with no conflicting commercial interests. That combination is not available from any US hyperscaler.

Conclusion

Infrastructure is easy to treat as a commodity decision: cost per terabyte, latency, SLA uptime. For most data categories, those are the right variables. Biological data with Nagoya provenance obligations, commercial IP value, and chain-of-custody requirements operates in a different context entirely.

The decision to run on OVHcloud reflects the same logic that drives every other aspect of the IsoGentiX architecture: that the legal defensibility of a dataset is inseparable from its commercial value, and that defensibility requires building the right structure from the beginning rather than retrofitting it later. The right cloud jurisdiction, like the right consent documentation and the right benefit-sharing framework, is a precondition - not an afterthought.