
Where is my data stored, and how does Impossible Cloud keep it private and secure?

This article explains how Impossible Cloud manages data residency, jurisdiction, and privacy safeguards to ensure full compliance with GDPR and regional data protection requirements.

Data Residency, Jurisdiction, and Regional Control

Who chooses the region where my customer data is stored?

You, as the customer, select the region when creating or managing storage resources. Customer data will only be stored in the regions that are explicitly chosen at the bucket level.

Is Impossible Cloud impacted by the CLOUD Act when the US region is launched?

The US CLOUD Act applies to data controlled by US-based providers or entities operating under US jurisdiction. As Impossible Cloud is an EU-based company headquartered in Germany, operating exclusively under EU law and GDPR, it does not fall within the scope of the CLOUD Act. Across all EU regions, Impossible Cloud works with independent EU-based hardware providers that are not subject to US legal authority. Customer data stored in EU regions therefore remains under exclusive EU jurisdiction and is fully protected by EU privacy laws.

Will any of my customer data or partner data be replicated to the US? 

Customer data will not be replicated to the US unless the customer actively chooses to use the US region. Impossible Cloud regions are geo-fenced, ensuring that customer data stored in a given region remains physically within that region’s borders. For example, customer data stored in the eu-central-2 region (Germany) remains in Germany. 

What happens if a non-EU authority requests access to customer data?

Impossible Cloud is an EU-based provider subject exclusively to EU and German law. We are not legally obligated to disclose customer data to non-EU authorities, including those from the United States. Any such requests would be rejected unless they are routed through official EU/German legal channels and meet the applicable legal standards. In practice, this means they must go through the formal Mutual Legal Assistance Treaty (MLAT) process and are only considered in rare, serious criminal cases, such as terrorism or organized crime.

For customers storing data in the UK region, Impossible Cloud applies data protection standards aligned with UK GDPR requirements, offering a level of protection comparable to EU practices under UK/EU-style legal frameworks. While the UK has its own legal framework (e.g. Investigatory Powers Act), any potential access by UK authorities remains subject to strict legal procedures and oversight. Such situations are highly exceptional, and UK law continues to uphold strong principles of necessity, proportionality, and due process.

For customers storing data in the US region, the same principle applies: Impossible Cloud works with independent hardware providers to deliver its services but does not itself have any direct duty to share customer data with US or other non-European authorities. Any governmental request would need to be directed to the underlying US hardware provider, which operates under its own legal framework. While such providers may fall under the US CLOUD Act, potential access is limited to specific, legally defined circumstances and must follow formal judicial procedures. 

Data Categories and Privacy Safeguards

What is customer data?

Customer data refers to all data, files, and objects (e.g. backups) that customers upload to Impossible Cloud Storage. This is the customer’s own business data, over which the customer retains full control, including the choice of the region in which it is stored and how it is accessed.

What is partner data? 

Partner data refers to the information Impossible Cloud processes to manage and operate partner relationships through the Impossible Cloud Management Console (ICMC). This includes partner account details, company and contact information, allocated storage capacities, usage metrics, and the hierarchical structures between distributors, sub-partners, and customers. Partner data is stored exclusively in Europe.

What does Impossible Cloud do to protect my privacy? 

Impossible Cloud protects customer privacy through technical, organizational, and legal safeguards. Customers retain full control over the geographic location of their customer data, ensuring compliance with data sovereignty requirements. All customer data is encrypted in transit and at rest. In addition, we encourage customers to implement client-side encryption to maintain exclusive control over their encryption keys.

Our operations comply with GDPR and other relevant privacy frameworks. Geo-fencing mechanisms ensure that data remains within the physical and legal boundaries of the region chosen by the customer.

Who should I contact if I have questions on data protection with Impossible Cloud?

For questions regarding data protection, customers may contact Impossible Cloud’s data protection officer at privacy@impossiblecloud.com.