“Digital autonomy? We’ve been doing that for over 20 years…”

About data sovereignty, digital independence, compliance, and governance

Data sovereignty, digital independence, European clouds: these terms have quickly become part of everyday language for IT decision-makers in recent months. Growing uncertainty around the Cloud Act and the unpredictable policies of the U.S. government are prompting organizations to rethink where their data lives. Digital autonomy has never been more relevant. But while it may feel new, the concept itself certainly isn’t. Our colleagues Bart Laarhoven (CTO) and Yannis Haritos (Chief Compliance & Security Officer) explain how we approach digital autonomy at Grexx.

Bart: “A few years ago, when someone asked where their company data was stored, they mostly wanted reassurance. Data sovereignty was a checkbox — something you arranged if regulations required it. Think of financial institutions, healthcare organizations, or utilities. For most other organizations, it simply wasn’t a major concern.”

That mindset has changed significantly in recent years. With the introduction of the GDPR/AVG in 2018, organizations, from multinational corporations to sports clubs, were forced to become much more conscious of how they handle personal data.

Recent geopolitical developments have further accelerated that awareness. The Cloud Act, which allows U.S. government agencies to request access to data stored by American companies, makes one thing clear: where your data is stored determines who can access it.

Bart: “It’s good to see awareness increasing. But to me, it doesn’t feel like a hype, it feels more like we were lagging behind for a long time. Organizations are now asking the right questions: Where is my data hosted? Who can access it? Can it be used to train AI models? What happens to my data if I stop using a service? These are questions IT professionals should always be able to answer.”

Digital independence as a priority

At Grexx, digital independence has always been a core principle. Since our founding in 2000, we have aimed to remain as digitally autonomous as possible, and that’s exactly what we offer our customers: freedom of choice, full control and flexibility when building applications on our platform. Since 2006, we have worked exclusively with Dutch providers and our own infrastructure, partly because we serve large financial institutions and telecom companies as clients, but also because it aligns with our own vision.

“All applications our customers develop, or that we develop for them, run in Dutch data centers, on our own servers, fully managed by us. There are no external parties looking in, no third parties with access, and no influence from Big Tech. To put it bluntly: if the U.S. government decided tomorrow morning to block certain services, it wouldn’t affect our customers at all. And that matters, because many of our customers rely on our platform to digitize and automate critical business processes. Those are not systems where you want to take unnecessary risks,” says Bart.

AI sharpens the focus on governance and compliance

Beyond geopolitical developments, the technology itself is bringing governance and compliance into sharper focus. “The rapid development of AI also requires us as a society, and IT professionals in particular, to think more carefully about how data is used. Small mistakes can have large consequences. That’s something our team takes very seriously,” says Bart.

Yannis adds: “Within the platform we provide tools such as audit trails, metrics and dashboards that give full transparency into what happens to data inside an application. Our platform allows extremely granular control over user roles and permissions, so you can define very precisely who has access to which data.

We apply the same principle to AI agents. Organizations can safely deploy agentic AI within our applications because we clearly define which data an agent may, and can, access. We keep data access as narrow as possible and make every interaction transparent: who accessed which data, when, and how. This prevents the infamous ‘black box’ scenario — applications where no one truly knows what’s happening behind the scenes.”

A comprehensive compliance program

Yannis: “We have been ISO 27001 and NEN 7510 certified continuously since 2017. For hosting, we partner with the Dutch provider Leaseweb, which is also ISO 27001 and NEN 7510 certified. Every customer has their own dedicated database, completely separated from other customers, on servers fully under our own management. Backups are stored within the Netherlands. There is no shared hosting, and our infrastructure is straightforward and transparent. Everything is clearly organized and properly secured.”

These certifications don’t just strengthen our own digital security — they also help our customers meet their own compliance requirements. Through a carve-out approach, organizations can include Grexx’s compliance controls within their own certification process. We provide all supporting documentation to make that possible. In addition to ISO 27001 and NEN 7510, we also maintain a SOC 2 ISAE 3000 assurance report, and our platform fully complies with both the GDPR and the AI Act.

Staying as independent as possible

Vendor lock-in is a common concern in discussions about digital sovereignty. Choosing a supplier creates a certain level of dependency. That is also true at Grexx. 

“If you build an application on the Grexx Platform, you obviously need our platform to run it. That’s logical. But we actively try to keep that dependency as limited as possible,” Bart explains.

“We offer the possibility to run and develop the Grexx Platform on our customers’ own servers. That’s often not necessary, but the option is there. We provide daily exports and ensure that our customers always have access to and control over their data.

If you choose Grexx as a partner, a certain level of dependency is inevitable, but we are very transparent about that and support our customers in everything they need to remain as independent as possible.”

Digital independence has been our standard for 25+ years

At Grexx, digital independence isn’t a recent strategy — it has simply been the standard for more than 25 years. Because we believe it should be obvious: keep control over your critical processes, truly understand what your software does, and always know what happens to your data. That’s what we stand for.

If you have questions about digital independence or data sovereignty within the Grexx Platform, we’d be happy to discuss them with you. And if you’d like to explore how we can help your organization become digitally autonomous, feel free to book a discovery call. We’re happy to think along with you.
