The shift to cloud-first communications was meant to simplify operations. But for too many organisations, it’s opened up a new class of strategic risk: data sovereignty in an age of AI-driven UC.
For years, businesses have prioritised cost, uptime, and feature sets when evaluating UC and UCaaS platforms. Now, a fourth factor is forcing its way onto boardroom agenda: sovereign control over data, infrastructure, and legal exposure.
Artificial intelligence is increasingly shaping how unified communications platforms operate, often behind the scenes. At the same time, regulators are imposing stricter rules on how and where data can be stored, processed, and analysed. Sovereignty is now a reputational, legal, and operational hazard that is already hitting some of the world’s most recognisable vendors and public bodies.
So, without scaremongering, let’s discuss what the issue is and why this matters to you.
Why UCaaS is not automatically a Safe Regulatory Bet
Most organisations still equate “data residency” with sovereignty. That’s a costly misconception.
It can be helpful to think that Sovereignty ≠ Security ≠ Privacy”
Sovereignty is about legal control over data, where it’s stored, who can access it, and under which laws. Security is about protecting data from unauthorized access or breaches, while Privacy is about ensuring personal information is handled according to regulations and individual rights. For example, a UC platform may be secure and private, but if data can be accessed by foreign governments under laws like the US CLOUD Act, it’s not sovereign.
So, the core issue lies not just in where data is stored, but who controls it, who can access it, and under which jurisdictional rules. Many UCaaS vendors operate under U.S. ownership or host parts of their architecture in multi-tenant environments with global data routing.
What this means in practice:
- Your UC data might reside in Frankfurt but be legally exposed in California.
- AI modules could process your call recordings in one country and train models in another.
- Metadata, logs, or diagnostic telemetry may fall outside your control entirely.
The sovereignty model of most UCaaS platforms was built for scale, not compliance.
As highlighted in Damovo’s recent post on geopatriation for critical communications, sovereignty must be designed from the inside out, not to added after regulators come knocking.
When Sovereignty Gaps Become Headlines
Several public-sector and enterprise organisations have already discovered, very publicly why UC sovereignty is not optional.
In 2023 the French government prohibited certain public bodies from using M365 and Teams in the cloud. The same year Zoom updated its terms of service, faced backlash over perceived AI training rights, then amended them and pledged not to train models on customer content without consent.
More recently in 2025: Microsoft’s Official Admission That Sovereignty Cannot Be Guaranteed. In July 2025, during a hearing before the French Senate, a Microsoft executive acknowledged that even with EU‑data‑centred infrastructures the company “cannot guarantee” data sovereignty whenever U.S. laws (such as the CLOUD Act) apply. That admission undercut confidence in “sovereign‑cloud” assurances and sparked concern among EU public‑sector and regulated organisations.
In the UK this year, a 2022 Ministry of Defence data breach came to light where highly personal info on a spreadsheet about 19k Afghans who had assisted UK forces, was exposed. This incident demonstrates that sovereignty risk is about where data is stored, but also about who can access it, under which legal regime, and whether the organization has effective control over data flows.
How AI Is Quietly Redefining Sovereignty in UC
And just to add some complexity, Sovereignty risk is evolving rapidly due to how AI is being operationalised inside UC platforms.
Consider:
- Auto-routing engines shift data between regions in milliseconds for performance reasons.
- Transcription and summarisation models process entire conversations, creating derived data that may not be covered by your original SLA.
- LLMs integrated into UCaaS platforms are often trained off platform, using a broader corpus of data, including yours.
Gartner predicts that over 60% of UCaaS vendors will embed AI assistants into their platforms by 2026. But few have disclosed how those models are trained, where processing occurs, or what jurisdiction governs the AI layer.
So, not a feature gap but a sovereignty gap.
Vendors Are Playing Catch-Up. Here’s How
In response to growing scrutiny, vendors are making sovereignty claims. But maturity levels vary:
Microsoft
- In Feb ‘25 Introduced the EU Data Boundary, committing to store and process Microsoft 365 data within the EU.
- Lauch of Microsoft Sovereign Cloud keeping data in Europe, under European Law with local National clouds like the Delos Cloud in Germany.
- But the Cloud Act is still a risk, and many are not convinced data will not end up with the US Authorities.
Zoom
- Offers regional data hosting and has updated AI policies post-controversy. The plans to open a UK data center in 2026 is seen as key to winning new public customers in-country.
- US ownership mean it’s still subject to the UC Cloud act. Allowing customers to specify that data is processed in EU/UK data centers, is seen as somewhat reducing the risk of cross-border transfers.
Cisco Webex
- One of the few proactively investing in customer-owned encryption keys and sovereign cloud deployments. Deservedly seen as amongst the most trusted vendors in Europe.
- Offers higher levels of client-side control but not all geographies available yet.
RingCentral, 8×8, Other SMB Vendors
- Partner with European infrastructure providers but rely heavily on shared multi-tenant models, which can dilute true sovereignty.
The market has been clearly reactive, not proactive, and as we’ve seen, these claims don’t always translate to real-world sovereignty.
What Damovo Clients Are Doing Differently
At Damovo, our clients aren’t waiting for regulators to force a rethink. They’re acting now. Here’s how we’re helping:
- Sovereignty Readiness Audits
We assess UC platforms against detailed sovereignty markers: jurisdictional exposure, data flow transparency, AI data handling, and contractual loopholes.
- Geopatriated UC Design
Following our geopatriation-first approach, we design UC solutions that prioritise legal control, compliance resilience, and operational transparency.
- Vendor SLA Dissection
Our advisory team works with procurement and legal teams to interpret the fine print: where data goes, who sees it, and under what laws.
- Hybrid Architecture Enablement
We support hybrid UC models where sensitive workloads stay on-prem and non-critical functions use UCaaS, giving control back to the client.
- Continuous Legal Monitoring
We actively track EU legal shifts and regulatory updates to ensure clients are always ahead of the compliance curve.
Final Thought: Control Is the New Capability
Start with a “what about me” checklist:
- Which laws apply to my org (GDPR, CLOUD Act exposure, sector‑specific rules)?
- Where is each of my UC/AI workloads stored, processed, logged, and backed up?
- What is in my vendor contract about AI training, telemetry, and support data?
- Quiz your vendor on control encryption keys and admin access, and are operators EU‑based?
With AI accelerating and cloud platforms becoming more-opaque, organisations that treat sovereignty as an architecture-level decision will protect more than just compliance, they’ll protect continuity, trust, and user control.
Damovo is ready to help you embed that control into every layer of your UC environment.
| Vendor | Data residency & “sovereign” options (EU) | Customer‑controlled keys / admin control | AI / model‑training posture (public info) | Primary legal exposure / notes |
| Microsoft (M365, Teams) | EU Data Boundary completed for core Cloud services, keeping most customer and support data for within EU/EFTA regions; Microsoft Sovereign Cloud and national projects such as Delos Cloud target higher‑assurance public‑sector and regulated workloads. | Customer Key and Double Key Encryption for M365, plus expanding external key management and EU‑only operations in sovereign offerings.news.microsoft+1 | States that customer content is not used to train foundation models without consent and is adding EU‑only processing options for in‑scope AI workloads.news.microsoft+1 | Despite EU hosting and sovereign initiatives, the US CLOUD Act and corporate structure can still create perceived exposure; real sovereignty depends on contract terms, key control and operational segregation.kuppingercole+1 |
| Cisco Webex | EU data centres and sovereignty‑focused options using trusted European partners and dedicated instances for public sector and regulated industries.webex+1 | Mature customer‑managed key capabilities via Webex Key Management / external KMS, supporting strong tenant‑level control over content access.webex+1 | Markets security, encryption and compliance for its AI features; public material gives less detail on regional training corpora, but stresses encrypted processing and controls.webex+1 | US‑headquartered but able to reduce effective exposure when combined with EU‑based partners, key custody and data‑location controls.kuppingercole+1 |
| Zoom | Regional data hosting for meetings, recordings and some AI features, with an expanded EU/UK footprint including a UK data centre positioned for AI‑first collaboration.zoom+2 | Encryption and some customer key options for specific workloads, though key ownership is less central in positioning than for Webex or some security‑first providers. | After a 2023 ToS backlash, Zoom now commits that customer content will not be used to train AI models without consent and describes regional options for AI Companion processing.axios+2 | US‑headquartered with global infrastructure; sovereignty hinges on configuration of data routing and clear contractual limits on AI, telemetry and cross‑border transfers.zoom+1 |
| Mitel | Strong focus on hybrid, on‑prem and partner‑hosted private cloud; Mitel Secure Cloud introduces hosted “trusted” and “sovereign” tiers, dedicated instances, options for in‑country or regional hosting via partners siliconangle+3 | Emphasis on environments where customers or local partners operate the infrastructure and control access; UC and contact‑centre products include encryption and security hardening, and sovereign tiers are designed for in‑country operations.mitel+3 | Public messaging is more about secure, regulated deployments than large multi‑tenant AI assistants; AI/analytics are typically embedded in specific solutions, which can reduce unintended cross‑tenant model‑training exposure.mitel+1 | Architecture and commercial model favour national or partner‑run private clouds and classic on‑prem, which aligns well with strict sovereignty requirements; legal exposure depends on which entity hosts and processes the data (Mitel, partner, or customer).maintel+2 |
| Avaya | Offers hybrid deployments, which can be hosted in EU data centres or customer/partner facilities to meet data‑residency and sovereignty requirements, including for DORA‑sensitive financial services.avaya+1 | Supports dedicated, single‑tenant and on‑prem deployments where customers or partners control infrastructure and access; Avaya security guidance emphasises strong hardening, TLS, SRTP, and multi‑layer protections for UC and SBC components.avaya+2 | Recent “Infinity” platform positioning highlights the ability to run in‑country, in sovereign clouds or secure enclaves, with single‑tenant by default for large enterprises and public sector, which helps contain data for AI and analytics within defined environments .activatecx | Like Mitel, Avaya’s sovereignty strength lies in private, hybrid and partner‑operated models rather than hyperscale UCaaS; cross‑border transfers for cloud services are handled via SCCs and similar mechanisms, so overall exposure depends on chosen deployment and sub‑processors.avaya+3 |
Contact Damovo to schedule a sovereignty readiness audit