Subsidiary jurisdiction

September 2025 · Canada / France

OVHcloud / Canada court order

Risk visible at: L0

Mitigated at: L2

— What happened
A Canadian court ordered OVHcloud’s Canadian subsidiary to produce data held by the French parent, ruling that the subsidiary’s control relationship created legal jurisdiction over French-held data. Choosing a European cloud provider to avoid US jurisdiction was not enough — subsidiary relationships can import foreign law regardless of where the parent is headquartered.
— Root cause
Vendor corporate structure not mapped below the contracting entity. No data processing addendum restricting processing to the named legal entity. Subsidiary relationships in Five Eyes jurisdictions create legal exposure that geography alone cannot solve.
— How our model mitigates this
Prevention (our model)
At Level 0, we map the full corporate ownership structure of every vendor — not just the contracting entity, but all subsidiaries, parent companies, and their jurisdictions. At Level 2, data processing addenda restrict all processing to the specific legal entity and jurisdiction named in the contract.
Detection (our observability)
A quarterly vendor corporate structure review flags new subsidiary registrations or acquisitions in Five Eyes jurisdictions. At Level 2, locally held HSM encryption keys mean that even if a subsidiary is compelled by court order, the data it can produce is cryptographically inaccessible.
— Our specific action
We build a vendor jurisdiction map as part of every Level 0 assessment — flagging any vendor with Five Eyes subsidiary exposure as HIGH risk. Contractual addenda and HSM key custody at Level 2 ensure that court orders issued in any foreign jurisdiction cannot be satisfied with meaningful data.

— Source & reference

Published source: "Canadian data order risks blowing a hole in EU sovereignty", The Register


Citadel Sovereign Advisory
