Jurisdictional Exposure Scorecard

Pick any selection of cloud services and get a single headline number for jurisdictional exposure: US CLOUD Act, EU GDPR, UK GDPR, PRC law, EEA/EFTA, APAC, other. Provider headquarters drives the score (US CLOUD Act follows the entity, not the data). Region location is reported as a secondary statistic.

Method notes

  • Provider HQ drives the US CLOUD Act / FISA-702 calculation. The US CLOUD Act compels US-headquartered providers to produce customer data on request regardless of where the data physically sits, so an AWS region in Frankfurt is still subject to US lawful-access reach.
  • Region location adds GDPR / local data-protection law on top of HQ exposure. A service hosted in an EU region by a US provider still triggers GDPR for EU data subjects.
  • Switch to a specific lens (US, EU, UK, PRC, EEA, APAC, Other) above to see the statutes that apply under that regime with authoritative external links: EUR-Lex for GDPR, the DOJ's US CLOUD Act resource page, legislation.gov.uk for UK statutes, CAC.gov.cn for PRC law, etc.
  • Sovereign-flagged regions (AWS GovCloud, Azure Government, GCP S3NS, OVH Sovereign Cloud, etc.) are the closest analogue to "no jurisdictional risk beyond the parent provider's marketed contractual stance". They don't remove the US CLOUD Act reach but they do narrow the attack surface considerably.
  • OpenStack and similar open-source projects without a single corporate operating entity are categorised as no single jurisdiction.
  • The Print / Save as PDF button at the top right renders this page in a print-friendly layout, useful for attaching a snapshot to procurement docs. The active lens (or the all-jurisdictions overview) is what gets printed.
  • This is a coarse model designed for procurement triage, not full legal review. Buyers in regulated industries should still get specific counsel before signing.