CLOUD Act & work management: an RFP checklist
The jurisdiction questions to put in your RFP - sub-processors, access process, and why region alone doesn't settle it.
If your work-management RFP asks about region but not about vendor jurisdiction, it has a gap. The US CLOUD Act reaches data a US-headquartered provider controls, wherever it is stored - so 'hosted in the EU' doesn't settle the question on its own.
Use this checklist to put jurisdiction, sub-processors, and access process into your evaluation, alongside the usual security questions.
Key takeaways
- Region alone doesn't determine who can compel access - vendor jurisdiction does.
- Ask for sub-processors and the documented access-request process in writing.
- On-prem deployment keeps data inside your perimeter regardless of vendor law.
The questions to put in the RFP
- 1Where is the operating entity legally incorporated, and under which jurisdictions can it be compelled to disclose data?
- 2Which sub-processors touch customer data, and where are they located?
- 3What is the documented process if a government or third party requests access?
- 4Which deployment options keep data inside our own perimeter (on-prem, our tenancy)?
- 5Who holds the encryption keys, and can we hold them ourselves?
Why jurisdiction outranks region
A provider can store data in your region and still be reachable under foreign disclosure law if its operating entity sits in that jurisdiction. A vendor posture outside US jurisdiction removes the CLOUD Act avenue specifically; on-prem deployment goes further by keeping data inside your boundary entirely.
Keep reading
How sovereignty works in Homany
Where your data lives, who can reach it, and the controls that keep execution inside your boundary.
Read the security overviewWhere this fits in your evaluation
This checklist is the jurisdiction layer of a broader sovereign-deployment decision. The pillar playbook covers how the deployment model itself constrains residency, audit, and procurement.
Keep reading
The sovereign work management playbook
The full decision: deployment posture, jurisdiction, and keeping agents without giving up control.
Read the pillar guideHomany Security & Sovereignty
Security & deployment
Writes on hosting posture, data residency, and how teams keep execution inside their boundary.
Explore Homany
Keep reading
Deployment models, side by side
On-prem, local cloud, and managed tenancy compared, with reference architectures.
VisitKeep reading
Security & sovereignty
Where your data lives, who can reach it, and the controls that keep execution inside your boundary.
VisitKeep reading
For regulated enterprise
How teams under audit and residency requirements adopt sovereign work execution.
VisitRelated resources
- Guide
The sovereign work management playbook
How to run projects and operations on infrastructure you control - deployment posture, vendor jurisdiction, and keeping agents without giving up sovereignty.
- sovereignty
- on-prem
- data residency
8 min read
- Guide
Evaluating on-prem project management software
What to check when the deployment has to live inside your perimeter - and how to keep agents while you do it.
- on-prem
- evaluation
- deployment
4 min read
- Reference
How data sovereignty works in Homany
Where your data lives, who can reach it, and the controls that keep execution inside your boundary.
- security
- data residency
- sovereignty
Reference page
FAQ