Digital sovereignty in SaaS

Digital sovereignty means you can leave. And you know where your data flows.

European regulations like the Digital Product Passport or pharmaceutical serialization under the Falsified Medicines Directive exist for good reason: they protect consumers, create supply chain transparency, and strengthen European industrial policy. All the more surprising, then, how often the infrastructure handling this data is anything but European. Digital sovereignty doesn't start with the legal framework — it starts with the question of who actually has access to the data.

Geographic location does not equal sovereignty

A server in Frankfurt does not make a provider sovereign. What matters is who operates that server, who has access to the systems, and which legal system the provider falls under. A German data center operated by a US corporation is subject to US law — including the CLOUD Act, which under certain conditions grants US authorities access to data without notifying the customer concerned.

That's not fearmongering. It's contractual reality.

There's a related issue that rarely gets discussed: many providers place a so-called CDN service in front of their infrastructure — a globally distributed network that delivers content faster and protects against attacks. Sounds harmless. The market leader in this space is Cloudflare, a US company. The problem: these services typically terminate the encrypted connection between browser and server. That means traffic is decrypted at one point before being forwarded — through infrastructure that is not subject to European jurisdiction. The actual data may eventually land on a German server. But it traveled. European alternatives exist and serve the same purpose — without that detour.

Sovereignty means legal, physical, and logical control over data. All three together.

No lock-in is also sovereignty

Digital sovereignty has a second dimension that often gets lost in discussions about cloud jurisdiction: portability. Anyone who cannot export their data fully at any time and migrate to another provider is dependent — regardless of where the servers are located.

Many SaaS providers make data export technically possible but practically painful. Proprietary formats, missing APIs, incomplete exports. This is not accidental. Vendor lock-in is a business model.

Sovereignty here means: complete, machine-readable export of all your data, at any time, without explanation.

What we do differently

At BRAINORITY, we didn't make a strategic decision against any particular provider — we made a decision in favor of a specific mindset. And the consequences run through every part of the infrastructure.

SecIdent runs exclusively on servers in German data centers, operated by German hosting providers. Where proximity to the user requires edge infrastructure, this happens exclusively through European providers. Backups are stored end-to-end encrypted across multiple locations within the EU — even the operators of the backup infrastructure have no plaintext access to these copies.

AI-assisted background functions run on dedicated systems in German data centers, unreachable from the public internet. No data stream leaves the system toward external AI services for this purpose.

And: we collect no data beyond the customer's purpose. No usage profiles, no behavioral analysis, no aggregation for our own ends. The data belongs to the customer — conceptually as well.

Digital sovereignty can be inconvenient. It forces decisions that mean more effort in the short term. We take this path deliberately — and explain to our customers why.
André Simmert, Managing Director and CTO

What is SecIdent?

SecIdent is a SaaS platform for digital product identities — built for regulated markets including the Digital Product Passport under ESPR (EU) 2024/1781, the battery passport under (EU) 2023/1542, and pharmaceutical serialization under 2011/62/EU. The platform runs exclusively in German data centers, is ISO 27001 certified, and fully GDPR compliant. Data export is complete and available at any time — no artificial barriers.

By André Simmert

Managing Director