
European Alternatives to US SaaS: The Local-First Option

European businesses face real legal risks using US SaaS after Schrems II. Local-first software is the cleanest answer to EU data sovereignty concerns.

The Dench Team · 8 min read

European businesses have been navigating a growing tension for the better part of a decade. American software products — Salesforce, HubSpot, Microsoft 365, Google Workspace — are the dominant tools of modern business. They're also products from companies subject to US law, which creates a genuine legal and compliance conflict for European organizations handling EU personal data.

The issue isn't theoretical. After Schrems II, the path to legal cross-Atlantic data transfers is narrower than it appears, and European regulators are increasingly active in enforcing it. A growing number of organizations are looking for European alternatives to US SaaS, or for architectures that sidestep the problem entirely.

Local-first software is the strongest version of that sidestep.

The CLOUD Act Problem

The Clarifying Lawful Overseas Use of Data Act (2018) allows US law enforcement and intelligence agencies to compel US companies — companies incorporated or headquartered in the United States — to produce electronic data, regardless of where that data is physically stored.

This matters for the "European data center" argument. Many US SaaS vendors offer the option to have your data stored in EU data centers. Salesforce has EU data centers. AWS has EU regions. Microsoft has European data centers. The implication is that this protects European customer data from US government requests.

It doesn't, not entirely. A US company with EU data centers is still subject to the CLOUD Act. US authorities can request data stored in those European facilities, and the company is legally obligated to comply or contest the order in US courts. The geographic location of the servers matters for EU data protection law, but not for US access law.

The result is a genuine legal conflict: EU data protection law prohibits transfers to countries without adequate protection, but the US CLOUD Act means US companies may be legally required to produce data that EU law says should be protected.

What Schrems II Actually Means

The Court of Justice of the European Union's 2020 Schrems II ruling invalidated the EU-US Privacy Shield framework and established that Standard Contractual Clauses alone are not sufficient for US transfers — companies must assess whether the legal framework of the destination country provides adequate protection.

The assessment almost always finds that US surveillance law (FISA 702, Executive Order 12333) provides insufficient protection for EU personal data. This means that technically, any transfer of EU personal data to a US company — whether or not it's stored in an EU data center — requires either a Transfer Impact Assessment concluding adequate protection exists (difficult to do honestly given FISA 702) or another legal basis.

The Data Privacy Framework (DPF) that replaced Privacy Shield in 2023 provides a current legal basis for US transfers for companies that certify under it. But Privacy Shield was struck down twice, and legal challenges to DPF are already underway. The legal ground under US-EU data transfers is not stable.

European SaaS: Better, But Not Complete

The natural response is to look for European-headquartered alternatives. And there are legitimate options:

CRM: Twenty.com (French, open source), Folk (French), EspoCRM (Ukraine/EU), Vtiger (open source with EU-hosted options)

Productivity: Nextcloud (German), Collabora Office, OnlyOffice, Infomaniak (Swiss)

Email/Collaboration: Proton (Swiss), Tutanota (German), Infomaniak

These solve the CLOUD Act problem because they're not US companies. A French company is not subject to US CLOUD Act requests. A German company's servers in Germany are subject to German law, not US law.

But "European SaaS" still means sending your data to someone else's servers — European servers, yes, but still third-party infrastructure. You're still trusting a vendor with your business data, still accepting their privacy policies, still creating a data processor relationship, still subject to whatever security practices they maintain.

For many organizations, European SaaS is sufficient. For organizations with the highest data sensitivity requirements, or those that simply want to eliminate all third-party data exposure, local-first software goes further.

Local-First as Complete Data Sovereignty

Local-first software — software that runs on your own hardware and stores data on your own infrastructure — is the cleanest possible answer to data sovereignty concerns.

When your CRM data is in a DuckDB file on a server in your office in Amsterdam:

  • It is in the Netherlands, subject to Dutch and EU law
  • It is not in anyone else's infrastructure
  • No US company is in the data chain
  • No CLOUD Act exposure exists
  • No third-party privacy policy applies to your CRM data
  • No vendor security breach can expose your data

This is categorically stronger than even European SaaS, because you've eliminated the third-party relationship entirely for the data itself.

DenchClaw is built on exactly this architecture. Local-first, open-source (MIT), running on your own hardware. EU companies can deploy it in EU infrastructure — their own offices, or EU cloud VMs they control — and have complete certainty about where their data is and who can access it.

The Open Source Advantage for European Organizations

There's an additional dimension for European organizations: the opacity of proprietary software. When you use a closed-source US SaaS product, you can read their privacy policy and their terms of service, but you can't verify what the software actually does with your data. Code audits of closed-source software require vendor cooperation and NDA-protected access.

Open-source software is verifiable. Any technical person can read the DenchClaw codebase and confirm what data is transmitted where. The European Digital Identity framework and various EU digital sovereignty initiatives increasingly favor software with auditable codebases for public sector use.

DenchClaw's MIT license means it can be freely inspected, modified, and deployed by European organizations without licensing restrictions. A French company can fork DenchClaw, audit the code, modify it for their specific compliance requirements, and run it on-premise — with no dependency on an American vendor.

Practical Deployment for European Organizations

For EU organizations wanting to use DenchClaw with full data sovereignty:

On-premise deployment: Run DenchClaw on hardware you own and control in your EU office or data center. Data stays on your infrastructure.

EU cloud VM: Deploy on a cloud VM in an EU region of an EU cloud provider (Scaleway, Hetzner, OVHcloud, Infomaniak). You control the instance; data stays in the EU jurisdiction. Note: even AWS/Azure EU regions are acceptable from a data residency standpoint if you're the operator and the VM is in the EU, though CLOUD Act exposure exists for the infrastructure layer.

Air-gapped for highest sensitivity: For organizations with classified or highly sensitive data, run DenchClaw in a fully isolated environment with no external connectivity.

Team deployment with internal sync: For distributed EU teams, run DenchClaw on an internal EU-based server accessible to all team members. Data never leaves your EU infrastructure.

Comparing European Options

| Option | Data Location | Third-Party Access | CLOUD Act Exposure | Cost |
|---|---|---|---|---|
| US SaaS (Salesforce, HubSpot) | US/EU servers | Yes (vendor) | Yes (US companies) | High |
| European SaaS (Twenty, Folk) | EU servers | Yes (vendor) | No (EU companies) | Variable |
| DenchClaw local-first | Your machine/server | No | No | Free (open source) |

For most European organizations, European SaaS is a meaningful improvement over US SaaS. For those requiring the strongest possible data sovereignty guarantees, local-first is the only architecture that fully delivers it.

Frequently Asked Questions

Does storing data with a European SaaS provider fully protect against US CLOUD Act requests?

It significantly reduces the risk. EU-headquartered companies are not subject to the US CLOUD Act. However, if the EU company uses US-based infrastructure providers (AWS, Azure, Google Cloud), the infrastructure layer may have CLOUD Act exposure.

Is the EU AI Act relevant to CRM data?

The EU AI Act primarily governs AI systems and their risk classification, not data storage per se. However, AI systems processing CRM data may fall under AI Act obligations depending on their use case. See our article on the EU AI Act and local software.

Can a US company use DenchClaw and claim EU data sovereignty?

If a US company runs DenchClaw on EU-based infrastructure they control, the data is in the EU and EU data protection law applies to its storage. The CLOUD Act question is more complex — if the company is US-headquartered, the CLOUD Act still technically applies to them as a company, even for EU-stored data.

What about Dench Cloud — is it subject to US law?

Dench is a US-based company (San Francisco, YC S24). Dench Cloud infrastructure is subject to US law. For maximum data sovereignty, European organizations should run DenchClaw on their own EU infrastructure rather than using Dench Cloud.

Ready to try DenchClaw? Install in one command: npx denchclaw.


© 2026 DenchHQ · San Francisco, CA