Hosted in France or by a French company? The real test
An ATS can store your CVs in France and still fall under the US Cloud Act. Sovereignty comes from the entity that operates the data, not the server's address.

Your ATS vendor assures you that your candidates' data is hosted in France. Fine. But hosted by whom, exactly? The answer to that question decides whether the US government can access it or not. And in most cases, it can.
On 10 June 2025, under oath before the French Senate's inquiry commission on public procurement, Anton Carniaux, Director of Public and Legal Affairs at Microsoft France, was asked directly by a senator: can you guarantee that French public data hosted by Microsoft will never be transmitted to the US government? His verbatim reply: "No, I cannot guarantee it." Said before a parliamentary commission, in France, about infrastructure installed in France.
The semantic trap that suits everyone
On ATS and HRIS sales decks, the phrase is everywhere: "data hosted in France". It is accurate, and it is misleading. Two very different kinds of hosting hide behind those four words, and they have nothing to do with each other.
The first is physical storage. A datacenter in Courbevoie, Marseille or Frankfurt operated by Azure, AWS or Google Cloud Platform, sometimes resold under a white label by a French reseller. The servers are in Europe. The operators are American. So is the applicable jurisdiction.
The second is hosting by an entity governed by French law. The capital, the management, the contract, the subcontractors: everything stays inside the Union's legal perimeter. The Cloud Act has no hold there, because it cannot compel a French company to hand over data it holds.
The difference fits in one line: jurisdiction attaches to the entity, not to the data. This is not a subtlety. It is the legal principle that has organised all US extraterritorial regulation since 2018.
Cloud Act and FISA 702: the two laws that change everything
The Cloud Act, passed in 2018, lets US judicial authorities obtain, on a warrant, data held by a US company wherever it is stored in the world. Targeted, judicial, enforceable.
FISA 702, quieter and broader, authorises US intelligence agencies to collect communications of non-Americans located outside the United States, without an individual warrant. That is no longer targeted, it is bulk.
The two regimes coexist. They apply to US companies and their subsidiaries, regardless of the physical location of the data. No commercial contract, no encryption managed by the host, can neutralise them.
What it means for an HR director
A CV is personal data under GDPR. Name, email, phone, career path, sometimes a photo or family situation. The data controller is the recruiting company. Not the ATS vendor. Not the host. You.
Two points to keep separate. On one side, GDPR penalises security failures, and does so heavily (486 M€ in CNIL fines in 2025). Being with a US provider in Europe is not in itself a GDPR breach. On the other side, the Schrems II ruling (2020) and transfers outside the EU remain a risk zone: if your provider transmits data to its US parent on a production order, you may be deemed responsible for an unlawful transfer. The Cloud Act does not materialise through a fine; it materialises through access you do not control.
The case we see too often: an ATS published in Lyon, hosted in Paris, that calls Azure OpenAI to score CVs automatically. The request leaves France, crosses the Microsoft network, comes back with a score. Candidate data is sent to a US subcontractor, for a few milliseconds or longer. The Cloud Act applies there. The sales deck does not say so.
Trusted clouds: progress, not independence
In recent years France has brought out so-called "trusted cloud" offerings, built as joint ventures between a French operator and a US hyperscaler, and SecNumCloud-qualified. On the legal side, this is a genuine step forward: the operator is French, the keys are in France, the Cloud Act does not reach the qualified perimeter.
But it has to be called what it is. It is legal sovereignty on non-sovereign technology. If the US publisher cuts the licence tomorrow, the offering stops. Industrial dependency remains. For an HR director, it is a trade-off to weigh.
Three questions are enough
To audit an ATS, HRIS or career-site vendor, three questions fit in one email.
- Who operates the service? Company, capital, applicable law.
- Where is the data hosted? With a French operator in its own right, or with a hyperscaler resold under a white label.
- Where does the AI that scores the CVs run? Under what law, with which subcontractors.
If the vendor answers precisely, you know where you are putting your candidates. If the answers are vague, you already have your answer.
Our position
At Intuition Software, JobAffinity is hosted at Scaleway, a French operator running French datacenters. The company that publishes the product is French, under French law, with no US capital dependency. Our AI runs on our own infrastructure, with no calls to GPT, Gemini, Claude or Grok. It is not a posture, it is the only design that lets an HR director answer their DPO without flinching.
Digital sovereignty is not declared. It is contracted, audited, and read in the list of subcontractors. The rest is sales decks.
Sources
- French Senate, Microsoft France hearing, Public Procurement inquiry commission, 10 June 2025
- Clubic, "Microsoft face au Sénat : l'aveu qui fait vaciller la souveraineté numérique française", June 2025
- Blog du Modérateur, "Souveraineté numérique : l'Europe peut-elle s'affranchir des États-Unis ?", 2025
- CJEU, Schrems II ruling, C-311/18, 16 July 2020
- ANSSI, list of SecNumCloud-qualified providers
- US Congress, CLOUD Act H.R. 4943, 2018


