Sovereignty by design, not as an afterthought

Jun 15, 2026 3:30:40 PM

Where your data sits is the easy question. Who can compel access to it — and under whose law inference runs — is the one that decides how European engineering teams deploy AI.

Sovereignty used to be a storage question. That's changing fast — and for organisations running large projects full of highly sensitive requirements data, the shift isn't academic. It's why Basewise is moving to a fully sovereign stack and offering it as the default.

The reach of the US CLOUD Act is pushing the EU toward stricter rules, and those rules now shape how companies deploy AI and how governments buy it. Here's what we're building, and what's already in place.


What we offer today

Our platform is built for organisations that can't compromise on control or auditability. We lead with the dedicated single-tenant license because it's the clearest expression of how we build: full isolation, a contractual SLA, and customer data kept completely separate.

It runs on Microsoft Azure — a secure, scalable foundation with real strengths in network reliability, security tooling and enterprise integration. Around that we add what matters for sensitive work: requests route through a private API rather than public, consumer-grade endpoints, so your data never touches them. Access runs through Entra ID, fitting your existing identity setup. And the platform is modular — AI Chat, automated requirements extraction, AI Traceability — each switched on as you need it.

On compliance, our position is simple: we align with ISO, GDPR, SOC and NIST; all personal data is processed and stored inside the EU; and your data is never reused for another customer, for training, or for generic model improvement. Strict separation, full logging, real traceability — so an audit has something to stand on.

Licensing, deliberately simple

Shared, multi-tenant

For one to ten users. Access to the DRE, RQA, REF and Knowledge Chat applications in a managed shared environment.

Single-tenant, isolated

One customer, own configuration, every current and future application, and integrations handled on an advisory basis.

Underneath both, the infrastructure is hybrid and built to be replaceable — we can change the underlying stack without disturbing the application layer or how customers work. That's the practical thing that makes a sovereignty upgrade possible later, without anyone rebuilding how they operate.


What we're building next

We're actively building a sovereign offer. It doesn't replace the platform — it's an optional path that adds sovereign components for customers who need them, in two parts you can select against your own risk profile.

We only ever refer to sovereign infrastructure, sovereign inference providers and European-controlled layers — never to specific subcontractor brands. That's on purpose. Sovereignty is a question of control and jurisdiction, not of whose logo sits on the data centre. Azure stays available for customers who prefer it; there's no all-or-nothing migration to sign up for.


Why this matters for enterprise AI

For systems engineering teams, AI sovereignty isn't theoretical. It reaches straight into requirements management, traceability and auditability. The moment you feed product data into an AI system, you need to know where it's processed, who can compel access, and whether inference sits under a foreign jurisdiction.

Regulatory reality, June 2026

The EU AI Act's prohibited practices have been enforceable since February 2025. But on 7 May 2026, the Digital Omnibus political agreement moved most high-risk obligations from 2 August 2026 to 2 December 2027. What becomes binding this August is narrower than many expect: end-user transparency (Art. 50), enforcement of the AI-literacy duty (Art. 4), and the full powers of the AI Office over general-purpose model providers.

Meanwhile the EU Data Act now sets obligations that pull directly against the CLOUD Act, leaving providers caught between the two. And the risk has turned concrete: a Dutch government move to block a cloud acquisition over jurisdictional risk, and a contractor leak that exposed sensitive government cloud credentials. Analysts including IDC, Gartner and Deloitte project a sustained shift of sensitive workloads toward sovereign infrastructure through the end of the decade — driven by exactly these jurisdictional concerns.

For Basewise customers, all of that confirms a choice we made early: your requirements data, traceability matrices and allocation models deserve infrastructure that holds up under European law.


How to think about sovereignty decisions

Weigh sovereignty with the same rigour you bring to safety-critical design. Four questions do most of the work.

01 | Where is your data processed, not just stored?
Residency answers storage. Sovereignty answers the harder one: processing jurisdiction and inference location. If your provider can't tell you where inference happens, you don't have sovereignty.

02 | Who can compel access, and under which law?
The CLOUD Act reaches data controlled by US-headquartered companies wherever it physically lives. An EU data centre doesn't close that gap if the control layer stays exposed. What matters is the legal regime over the operator.

03 | Do you have contractual isolation and audit rights?
Shared environments and generic model training create reuse risks no privacy policy fully removes. You want strict separation, full logging, and explicit guarantees against reuse for training or other customers.

04 | Can your architecture add sovereign components without a rebuild?
Infrastructure shouldn't lock you into one provider or one legal regime. A modular platform lets you add sovereign servers or inference as your requirements change — without replacing your stack or retraining your people.

Our dedicated license already answers the third and fourth questions for many customers today. The sovereign offer answers the first and second for those who need it.


Practical, not ideological

We don't bash hyperscalers. Azure delivers real value in security, scale and integration, and it stays a core part of what we run. But European engineering organisations work in a legal and geopolitical environment that's asking for more control — and our answer is to build that control in by design: a fully isolated single-tenant platform now, optional sovereign servers and inference for those who need them, a shared tenant that becomes EU-sovereign by default, and one consistent architecture throughout.

The first step — sovereign servers — lands by the end of June 2026. Until then, and after, the platform keeps running the way enterprise AI demands: stable and manageable at scale.