Digital sovereignty is not a label you buy from a hyperscaler

Happy International Workers‘ Day. Let’s talk about sovereignty.

Every hyperscaler now offers a „sovereign cloud.“ Servers in Frankfurt, a data processing agreement, and suddenly they’re sovereign. They’re not. Sovereignty is not a data center location. It’s control. Control over your infrastructure, your data, your software, and the legal framework that governs all three.

ownCloud passes this test. The oCIS source code is Apache 2.0. Download it, build it, deploy it, modify it, run it forever without ever talking to us. If Kiteworks doubled support pricing tomorrow, you could fork the code and continue. Your data is on your infrastructure, not ours.

Yes, ownCloud is owned by a US company since late 2023. That’s a legitimate concern for European public sector customers thinking about CLOUD Act exposure. The CLOUD Act applies to data that a US company „possesses, has custody of, or has control of.“ If you run oCIS on your own servers, Kiteworks does not possess, have custody of, or control your data. We can’t reach into your instance any more than the Go compiler authors can reach into your compiled binary.

oCIS runs e.g. as the File Sync and Share Component in the European Open Science Cloud by the European Commission. It has run there through acquisition period, from oCIS 4 through 8. These organizations went through procurement processes that evaluated exactly these questions. Self-hosted, open source, on European infrastructure, with European operational control.

The OSPO (Open Source Program Office) formalizes this. Its manifesto commits to keeping the platform open source. Its governance charter defines how decisions are made. The DCO ensures contributors keep copyright. Structural commitments, not marketing claims.

Tomorrow: how Customers runs on software you can fork tomorrow.

—

This is part 10 of this blog post series.
See the earlier posts:

1. A (re)-introduction to the ownCloud community
2. What happens when you fork twice, get acquired, and keep shipping anyway
3. We killed our own CLA. Here’s why that’s a good thing
4. PHP 8.3. Yes, for Classic. Yes, we heard you
5. What 108 repositories taught us about open source hygiene
6. I’m a script kid running an OSPO. That’s the point
7. Your PR was written by an AI. We don’t care. (But we do have rules.)
8. Stewardship is not the same as control: A governance charter for people who’ve been burned before.
9. Twelve documents, zero marketing slop: anatomy of an open source manifesto
10. What two forks and a Lessons Learned document can teach you about trust