Sovereignty Scan
Scan
Sovereignty Scan/Vendors/US-Anbieter
Risk indicator, not a GDPR compliance verdict. Point-in-time assessment based on public web stack signals.Methodology & LimitationsCorrect listing / submit response

Jurisdiction

US-Anbieter: GDPR Assessment & Vendor List

US-Anbieter unterliegen dem CLOUD Act und FISA 702. Staatlicher Zugriff bleibt rechtlich möglich, auch wenn Daten in der EU gehostet werden. Standard Contractual Clauses und ein Transfer Impact Assessment sind seit Schrems II erforderlich.

247 curated profiles402 total detectedJurisdiktion USA · CLOUD Act betroffen

Last updated:

Vendors

Sorted by category

Each entry links to a dedicated profile with GDPR verdict, ownership chain, data categories, migration plan and FAQ.

Sales-Content / Deal Rooms

All Sales-Content / Deal Rooms vendors

1 providers · Deal Rooms & Sales-Content-Plattformen

Analytics & Tracking

All Analytics & Tracking vendors

53 providers · Web-Analytics & Tracking-Tools

Other jurisdictions:EU- & EWR-AnbieterUK & SchweizAnbieterprüfung

Frequently asked questions

US-Anbieter: in brief

Are US providers inherently non-GDPR-compliant?

Not automatically. However: US providers are subject to the CLOUD Act and FISA 702. Even with EU hosting, the US parent company remains obligated to hand over data to US authorities on request. After Schrems II, standard contractual clauses alone are insufficient: additional technical and organisational protection measures and a Transfer Impact Assessment (TIA) are also required.

What does the EU-US Data Privacy Framework (DPF) change?

The DPF (in force since July 2023) is an adequacy decision for DPF-certified US recipients. It replaces the obligation to use SCCs for contractual arrangements. However: the CLOUD Act and FISA 702 are not repealed by the DPF. Government access remains legally possible. A new Schrems case against the DPF is already pending before the ECJ.

Which US providers are DPF certified?

Many large US providers have registered on the DPF list (Google, Microsoft, Salesforce, and many others). We flag DPF status on every US profile as an important differentiating factor, but not as a free pass. Processing fully free from government access is only achievable with genuine EU providers.

How did the Sovereignty Scan determine the jurisdiction?

We check the registered seat and parent company (commercial register, legal notice, privacy policy), the contractual partner for EU customers, the hosting region, and the subprocessor list. For multi-level structures (EU contractual partner + US parent), we label the primary jurisdiction and additionally flag ‘third-country transfer check required’.

Also by category

Vendor overview by application area

Terminbuchung26Lead-Routing & Terminbuchung8CRM33Formulare & Lead-Erfassung39E-Signatur7Sales-Content / Deal Rooms2Analytics & Tracking119Tag Management & CDPs20Session-Replay & Heatmaps9E-Mail-Marketing & Versand44Office & Kommunikation13Live-Chat & Support33Video-Konferenzen14Zahlungen20CDN17Hosting / Compute25DNS-Provider6Error-Tracking4

Next Step

Which US-Anbieter are running on your website?

60 seconds, no login. The Sovereignty Scan lists all detected tools with jurisdiction, ownership chain and matching EU alternative.

Start Sovereignty ScanBack to vendor directoryMethodology