Digital sovereignty begins with infrastructure

Or why Synaedge is independent of hyperscalers

The rapid spread of AI-powered video analytics presents companies with new data protection challenges. Platforms such as Vaidio, an AI vision solution for video analytics, promise efficient surveillance through automated image recognition and alerting. At the same time, organizations in the EU and Switzerland must strictly comply with the applicable data protection laws. A central issue in this context is data sovereignty. Where and under whose control are sensitive video and personal data processed? Synaedge has clearly positioned itself here as an independent European provider that does not rely on US hyperscalers. In this article, we explain why digital sovereignty begins with infrastructure and why Synaedge is independent of hyperscalers.

AI video analytics and data protection: the challenge of data transfer

In AI-powered video analytics, personal data (e.g. faces, vehicle license plates, movement profiles) are generated and often stored centrally or transferred to the cloud. If personal video material is transferred to third countries outside Europe – such as the United States – complex legal requirements come into force. Especially since the landmark Schrems II ruling of the European Court of Justice (ECJ) of 16 July 2020 (Case C-311/18), it has been clear that simple solutions such as the former EU–US Privacy Shield are no longer sufficient. This data protection agreement, which facilitated data transfers to the United States until 2020, was declared invalid by the ECJ because it did not provide a sufficiently high level of protection. The reason: extensive US surveillance programs such as PRISM and UPSTREAM enabled mass surveillance, which violates fundamental EU rights. At the same time, the ECJ confirmed the validity of Standard Contractual Clauses (SCCs) as a transfer mechanism, but imposed strict requirements: data exporters and importers must assess whether the level of protection in the recipient country is essentially equivalent to that of the EU and, if necessary, implement additional safeguards. This assessment is particularly sensitive when it comes to transfers to the United States. The ECJ explicitly criticized the fact that U.S. intelligence laws such as Section 702 of FISA and Executive Order 12333 do not provide EU citizens with sufficient legal protection and allow disproportionate access to their data. In other words, without additional safeguards, an EU company cannot be sure that data stored in the United States or accessible from there are protected to the same extent as in the EU.

U.S. surveillance laws vs. EU law: an overview of the conflict

The core question is: can a U.S. service provider guarantee that no unlawful disclosure of EU personal data to U.S. authorities takes place? In practice, no, because U.S. laws such as the USA PATRIOT Act (2001) and, in particular, the CLOUD Act (2018) require U.S. companies to disclose data to U.S. authorities upon request, regardless of where the data are stored. The CLOUD Act explicitly also applies to data stored on servers located abroad. This means that U.S. authorities can request data from U.S. providers even if the data are stored in Europe, without the need to submit a prior mutual legal assistance request (MLAT) through European authorities. From an EU perspective, this creates a direct legal conflict. Because Article 48 of the GDPR stipulates that a request for disclosure by a non-European public authority may only be recognized on the basis of an international agreement or an appropriate legal basis. Unilateral access by U.S. authorities, as enabled by the CLOUD Act, must not lead to data transfers under EU law. With the CLOUD Act, legal systems therefore collide: a U.S. court order can force a provider to disclose data, while the GDPR prohibits a European company from transferring data to third parties without a valid legal basis. After Schrems II, data protection authorities therefore require a comprehensive Transfer Impact Assessment (TIA) for every transfer to a third country. In particular when using U.S. services, it must be assessed whether technical, organizational, or contractual additional measures can sufficiently protect the data from U.S. access, which is often difficult to achieve.

Physically in Europe, legally in the United States? Risks of hyperscalers

The major hyperscalers (such as AWS, Microsoft Azure, or Google Cloud) do operate data centers in Europe, but as U.S. companies they are ultimately subject to U.S. law. This is often referred to as the “in body in Europe, in spirit in the United States” problem: while the servers are physically located in the EU, legal and administrative access from the U.S. remains possible. Thus, the mere fact that U.S. employees have administrative access or that data could be forwarded to the U.S. parent company is sufficient for the GDPR and the Swiss Federal Act on Data Protection (FADP) to consider this a transfer to a third country, even if the servers are located in the EU. For customers of such hyperscalers, this means that despite EU region hosting, there remains a residual risk that data could reach U.S. authorities without their knowledge. In summary, the risks associated with using U.S.-based cloud providers are:

Extraterritorial access: U.S. authorities can request data regardless of where it is stored. This directly conflicts with EU requirements (Article 48 GDPR).
Lack of legal protection: EU citizens have no effective means to challenge such access, as U.S. laws such as FISA or the CLOUD Act do not provide adequate legal remedies.
Compliance burden: companies must continuously assess and document whether and how they protect data from third-party access (encryption, key management within the EU, etc.) in order to comply with the Schrems II requirements. Each new use of cloud services requires a case-by-case Transfer Impact Assessment (TIA) – a significant effort that entails legal uncertainty.
Legal uncertainty: although the EU adopted the new EU–US Data Privacy Framework (DPF) in 2023. The DPF is in force, was upheld in an initial proceeding in 2025, but remains politically and legally controversial and could once again be brought before the ECJ.
Trump administration: this further exacerbates the problem of unpredictability in the legal and political framework in the United States.

Synaedge: European data sovereignty instead of U.S. cloud services

Synaedge positions itself as a local cloud and service provider for AI-based video analytics, in particular as a certified hosting partner of the Vaidio platform in the EMEA region. The decisive difference: Synaedge is independent of hyperscalers and operates its own server infrastructure in certified data centers in Switzerland, Germany, and Spain. These locations are directly interconnected without routing through third-party providers or global cloud corporations. This architecture ensures genuine technical sovereignty: full control over data paths, minimal latency, and a stable network connection from the edge device and on-premise server through to AI analysis in the data center. Since the entire infrastructure is operated within the EU as well as in Switzerland, which is recognized as a third country with an adequacy decision, no data transfers to legally uncertain third countries take place. For data processing within the EU, Articles 44 et seq. of the GDPR do not apply at all; for Switzerland, transfers take place on the basis of Article 45 GDPR, without the need for additional safeguards such as Standard Contractual Clauses or Transfer Impact Assessments. This completely eliminates the high compliance effort otherwise required when using U.S. providers. In particular, this model eliminates the greatest risk: access by external authorities on the basis of extraterritorial laws. Synaedge is not subject to any U.S. legislation such as the CLOUD Act or FISA and therefore cannot be compelled to disclose data to U.S. authorities. Access without the customer’s knowledge and control is excluded. Should a legitimate request for information ever be made from abroad, it would have to follow the formal route via international mutual legal assistance agreements, including judicial review and the involvement of the competent European or Swiss authorities, as provided for in Article 48 of the GDPR. In short: with Synaedge, data sovereignty remains with the customer and within the European legal framework.

Conclusion: data protection through European independence

Synaedge demonstrates with its independent cloud architecture that modern AI video analytics and strict data protection are compatible. By deliberately avoiding U.S. hyperscalers and operating in European data centers, Synaedge circumvents the legal pitfalls of transatlantic data transfers. Companies using Vaidio via Synaedge receive a Schrems II–compliant solution out of the box, without any compromises in functionality or scalability.