Data Sovereignty: Why Some Clients Won't Accept Cloud-Only Surveillance

Iron Gate Technologies | 7 min

On November 10, 2026, the Department of Defense begins requiring third-party CMMC certification on contracts that handle Controlled Unclassified Information. Defense contractors managing CUI in or around their facilities have six months to align their security architecture, including video surveillance, with NIST SP 800-171 controls. For many of them, the system they bought five years ago is no longer compliant.

The reason is data sovereignty. In 2025, Microsoft's Chief Legal Counsel for France told the French Senate that Microsoft cannot guarantee European customer data will not be transferred to the US government. That admission, from one of the largest cloud providers in the world, made data sovereignty a procurement issue and not a theoretical one.

What Data Sovereignty Means for Surveillance Footage

Three terms get used interchangeably and should not be:

  • Data residency is where footage physically sits.
  • Data sovereignty is which legal jurisdiction can compel access to it.
  • Data localization is the act of structuring systems to satisfy both.

For surveillance, all three converge on a single practical question: who can compel access to your footage, and under what process?

Footage on a US cloud provider's infrastructure is controlled by the provider, and US law reaches the provider regardless of where the racks physically sit. Footage on operator-controlled hardware on the operator's premises is controlled by the operator. The laws of the operator's jurisdiction apply, and there is no third-party access surface for an outside party to target without serving the operator directly.

The CLOUD Act Is the Reason This Matters Now

The Clarifying Lawful Overseas Use of Data Act, passed in 2018, amended the Stored Communications Act. US providers must produce data in their possession, custody, or control regardless of where it is physically stored. The law reaches any provider with a legal presence in the United States, including US subsidiaries of foreign companies. Provider responses are often subject to non-disclosure obligations, so the customer may never learn that their footage was produced.

In 2025, Anton Carniaux, Chief Legal Counsel of Microsoft France, testified before the French Senate that Microsoft cannot guarantee European customer data will not be transferred to the US government. Procurement organizations responded. Canada's Shared Services proposals now flag providers subject to the CLOUD Act. France's SecNumCloud requires 61 percent EU ownership and immunity from non-EU laws. The 2026 US National Trade Estimate Report identified five countries with new or expanded cloud-procurement restrictions.

For US-based buyers, the CLOUD Act is rarely the headline risk on its own. It is the legal mechanism that makes the next four frameworks necessary.

Four US Frameworks Where Cloud-Only Fails the Test

Each of these four frameworks turns the cloud vs. on-premise trade-off from a preference into a compliance position. Surveillance footage is in scope under all four when it captures the protected category of data each framework was written to protect.

| Framework | Scope trigger | Cloud requirement | Why on-premise often wins |
| --- | --- | --- | --- |
| CJIS Security Policy v6.0 (Dec 27, 2024) | Footage tied to law enforcement activity, biometric data, or investigative case files | US-person, fingerprint-checked operators only. FIPS 140-3 encryption, customer-managed keys, and US-only residency | Multi-tenant commercial cloud frequently cannot satisfy operator-access controls. On-premise meets these by default |
| CMMC 2.0 (Phase 2 begins Nov 10, 2026) | Footage of secure areas, R&D environments, or production floors handling CUI. Subcontractor flow-down applies | FedRAMP Moderate or Equivalent provider with a documented Customer Responsibility Matrix. Level 2 = NIST SP 800-171 Rev 2 (110 controls across 14 domains) | Most commercial Video Surveillance as a Service platforms are not authorized at FedRAMP Moderate |
| HIPAA Privacy and Security Rules | Cameras in patient care areas capturing faces, badges, monitors, or audio of clinical conversations. Sharp Grossmont Hospital settled a class action for $1 million in 2019 after operating-room cameras recorded ~1,800 patients without consent | Business Associate Agreement, encryption in transit and at rest, audit logging, and minimum-necessary access | On-premise with documented access control often passes audit cleaner than cloud-with-BAA |
| FERPA Department of Education guidance | Video directly related to a student and maintained by the institution, with law enforcement unit footage excluded | Vendor must qualify as a "school official" with legitimate educational interest under the contract. Penalties $15,000 to $75,000 per incident | State overlays (CA SB 1177/AB 1584, NY Ed Law 2-d, IL SOPPA) tighten cloud requirements further |

The FBI is direct that there is no such thing as a CJIS-certified vendor. Compliance is the agency's responsibility, which is why operator-controlled architecture matters more than a vendor compliance badge.

Iron Gate's Architecture: Designed Around Customer Data Control

Every Iron Gate system is designed, engineered, assembled, and tested in-house at Iron Gate's Holly Hill, Florida facility. Surveillance data stays on customer-controlled servers, with no commercial cloud dependencies. Access control management runs cloud-based or on-premise depending on the customer's compliance posture, with on-premise the default for organizations that need full data sovereignty. Cellular connectivity and solar power options keep systems operating independently from facility networks, so surveillance stays online during IT incidents and security events.

AI threat detection is developed in compliance with ISO/IEC 42001. Senior leadership brings 28 years of federal law enforcement experience across ICE, US Border Patrol, and FLETC instructor roles. Customer-controlled keys, customer-controlled access, and an on-premise option remove the third-party access surface that the CLOUD Act reaches. The architecture matches the regulatory posture, not the other way around.

Hidden Data Sovereignty Risks Buyers Often Miss

Subprocessor sprawl. Cloud surveillance providers commonly use subprocessors for storage, AI analytics, transcoding, push notifications, and identity. Each may sit in a different jurisdiction under different contractual terms. The buyer's BAA, CJIS Security Addendum, or CUI Customer Responsibility Matrix typically covers only the prime provider. A subprocessor in another country can route footage through jurisdictions the buyer never authorized.

Provider acquisition. A US provider compliant on Day One can be acquired by a foreign parent on Day 730. Standard contracts rarely require material notice of jurisdiction-changing events. On-premise architecture removes this risk because there is no provider to be acquired.

Subscription dependency for retention. Many cloud-only platforms tie footage retention to an active subscription. CJIS retention varies by state but commonly runs one to seven years. HIPAA retention is six years in many states. School disciplinary footage follows state record rules. A subscription lapse can become a record-destruction violation.

How to Evaluate a Vendor's Data Sovereignty Posture Before You Buy

A six-question checklist for an RFP or vendor review.

  1. Where is footage physically stored, and which entities have administrative access? If the answer is multi-tenant cloud, ask which other entities see metadata, indices, or telemetry derived from your footage.
  2. What is the complete subprocessor list, with each subprocessor's home jurisdiction? The vendor should provide one and commit contractually to advance notice of changes.
  3. Under what process can the vendor be compelled to produce footage, and is the customer notified? The contract should specify whether the vendor will challenge requests and notify the customer when permitted.
  4. Who controls the encryption keys? Without customer-managed keys, the vendor can decrypt unilaterally.
  5. What happens to footage if the vendor is acquired, files for bankruptcy, or terminates the contract? Exit clauses and data-portability commitments separate vendors who have planned for these events from vendors who have not.
  6. Is an on-premise or hybrid option available, and at what cost difference over five years? If the vendor cannot offer on-premise, the architecture is cloud-only by definition. For some compliance postures, that ends the conversation.

When Data Sovereignty Is Not Optional

Cloud-only video surveillance is a sound choice for many small-business and commercial buyers who have no compliance requirement to consider data sovereignty. Nothing here argues otherwise.

For defense contractors approaching the November 10, 2026 CMMC Phase 2 deadline, government agencies handling Criminal Justice Information, healthcare facilities with cameras in clinical zones, and schools whose footage qualifies as an education record, cloud-only is a compliance liability. The decision is not cloud bad, on-premise good. The decision is who can be compelled to produce the footage, and whether the architecture in the contract aligns with the answer.

Iron Gate manufactures both architectures and lets the regulatory posture drive the choice. To talk through specific compliance requirements for government or other regulated deployments, call 904-896-5618 or book a security assessment.

Common Questions

What is data sovereignty in video surveillance?
Data sovereignty is the question of which legal jurisdiction can compel disclosure or access to surveillance footage, and under what process. It determines who has to be served with legal process to retrieve the footage and whether the operator is notified when that happens. For regulated environments, the answer often determines whether a system is legal to deploy.

What is the difference between data residency and data sovereignty?
Data residency is where data physically sits. Data sovereignty is which legal jurisdictions can compel access to it. Footage stored in a US data center is resident in the United States, but a US provider hosting that footage may also be subject to foreign legal process via executive agreements under the CLOUD Act.

Is on-premise video surveillance required for CMMC compliance?
Not strictly required. CMMC Level 2 allows cloud architecture if the cloud provider is FedRAMP Moderate or Equivalent and the Customer Responsibility Matrix is documented. In practice, on-premise often passes audit cleaner because the architecture itself reduces the number of controls the contractor has to inherit from a third party.

Are school surveillance videos covered by FERPA?
Yes, when the video is directly related to a student and maintained by the institution. There is a carve-out for footage created and maintained by a school's law enforcement unit for a law enforcement purpose. Vendor designations as school officials shift FERPA obligations onto the vendor's contract.

Does HIPAA apply to hospital security cameras?
Yes, when footage captures Protected Health Information. Cameras in patient care areas that record faces, name badges, monitors, or audio of clinical conversations create electronic Protected Health Information. Cloud storage requires a Business Associate Agreement and HIPAA-aligned access controls.
