The Sovereignty Problem Hiding in Your PaaS
I spend most of my time building on AWS. I genuinely enjoy it. The depth of services, the control, the ability to lock down a VPC until nothing moves without you knowing about it. When we built CasePilot, our document verification platform for mortgage brokers, I obsessed over the data isolation. Every tenant’s documents processed in AWS London, encrypted at rest and in transit, IAM policies scoped to the microservice level. I can tell you exactly where a customer’s document sits at any point in the pipeline.
That’s the bar I set for myself. And it’s increasingly the bar that EU enterprise buyers set for their vendors.
The PaaS trap
Here’s what I see happening to early-stage SaaS companies. You start on Render, Railway, Base44, Vercel, whatever gets you to market fastest. Fair enough. The DX is good, deploys are painless, and you’re focused on product.
Then you get traction. A prospect in Germany asks three questions:
- Where does our data physically reside?
- Who can access it?
- Can you prove it?
And you realise you can’t answer any of them. Not really.
Render’s available regions are Oregon, Ohio, Virginia, Frankfurt, and Singapore. No UK region. If you’re a UK company serving UK customers, your closest option is Frankfurt. And Render is US-headquartered, which means CLOUD Act jurisdiction applies regardless of which region you pick.
Base44 is worse. Their infrastructure is completely opaque. You don’t control server config, regions, or scaling rules. You can’t even choose where your app runs. Their own documentation confirms this: “Deployment, hosting, and scaling are fully managed. You do not control server config, regions, or scaling rules.”
So you’ve got a UK SaaS business, potentially handling customer data, deployed on infrastructure where you can’t confirm the data stays in the UK, let alone satisfy an EU buyer’s requirements. A US court can compel disclosure of data stored on US-owned infrastructure regardless of where it physically sits. Sophisticated buyers in financial services, healthcare, and government know this.
You don’t own your infrastructure. And eventually, your customers will notice.
Why this is getting worse
Post-Brexit, the UK is a “third country” as far as the EU is concerned. We have a GDPR adequacy decision, but it’s not permanent and it doesn’t satisfy every procurement team. Beyond GDPR, there’s now:
- DORA (Digital Operational Resilience Act) is mandatory for financial services from January 2025. It has explicit requirements around ICT third-party risk, including where infrastructure providers sit in the chain.
- NIS2 is a broader critical infrastructure directive with supply chain security requirements.
- German enterprise culture means many companies simply won’t sign off on US-owned infrastructure, adequacy decision or not. It’s a trust and compliance position, not a legal technicality.
If you’re a UK SaaS company wanting to sell into regulated sectors domestically or expand into the EU, your infrastructure choices become a commercial blocker, not just a technical one. UK financial services, healthcare, and government buyers are asking the same questions. Even processing personal data through the ICO’s lens becomes fuzzy logic when you can’t point to where it actually lives. As engineers, we hate fuzzy logic. The EU is just louder about it.
The sovereignty spectrum
Not every workload needs full sovereignty. But it helps to understand the options:
US hyperscalers with EU regions. AWS, Azure, GCP all have EU regions. AWS even has a dedicated EU sovereign cloud offering. I haven’t used it personally, but the pitch is European-operated, European-staffed, no data leaves the EU. It’s the pragmatic middle ground for most companies. You get AWS’s services with a sovereignty wrapper.
EU-owned cloud providers. OVHCloud, STACKIT (Schwarz Group), Scaleway, Hetzner. Fully EU-owned, no CLOUD Act exposure. I’ve attempted to get set up on OVHCloud and STACKIT. Honestly, the startup credits process is painful. STACKIT in particular seems to restrict access to certain EU residents. I couldn’t get through as a UK company. OVHCloud’s onboarding isn’t much better. These are real barriers for smaller companies trying to evaluate the platforms.
UK sovereign options. Civo is UK-based and Kubernetes-native. I haven’t tried them yet but they’re on my list. There’s also self-managed Kubernetes on bare metal providers like Hetzner, though that’s a significant operational commitment.
Your own infrastructure. On-premise or co-located. Maximum control, maximum overhead. Makes sense for specific workloads in highly regulated environments.
What I actually recommend
For most UK SaaS companies expanding into EU:
Start with AWS EU regions if you’re already on AWS. You know the tooling, you can deploy a parallel stack in Frankfurt or Paris, and you can enforce data residency with SCPs and IAM boundaries.
Architect for portability from day one. Containerise everything. Use Terraform. Don’t hardcode AWS-specific services into your core logic if you think you might need to deploy elsewhere later. This doesn’t mean avoid AWS services. It means keep your blast radius known.
Get off PaaS before you need to. The migration from Render to self-managed infrastructure is painful when you’re doing it under pressure from a prospect’s procurement team. Do it when you have breathing room.
Be able to answer the three questions. Where does data live? Who can access it? Can you prove it? If you can’t answer these clearly, you’re not ready for EU enterprise sales.
The uncomfortable truth
As an infrastructure engineer, platforms like Render and Railway genuinely worry me. Not because they’re bad products. They’re excellent for what they do. But they abstract away exactly the things that enterprise buyers care most about: control, isolation, and provability.
When I built CasePilot, I chose to handle mortgage documents. Payslips, bank statements, identity documents. Deeply sensitive personal data. I could have deployed on a PaaS and been live in a day. Instead, I spent the time setting up proper infrastructure on AWS London with tenant isolation, encryption, audit trails, and the ability to point at a specific region and say “your data is here, and only here.”
That’s not over-engineering. That’s the cost of entry for regulated industries. And if you want to sell into the EU, it’s the cost of entry there too.
If you’re a UK SaaS company thinking about EU expansion and wondering what your infrastructure needs to look like, get in touch. This is what we do.