A business Claude or ChatGPT subscription: who controls your data?
A business subscription to ChatGPT, Claude or Gemini covers a lot, but not who controls your data. This article covers four questions to answer before purchasing a business AI subscription.
The checklist is complete. No model training on your data: done. Data processing agreement signed: done. SSO, audit logs, a tidy security report: done, done, done. The organisation has moved from “everyone secretly using ChatGPT” to a proper business AI subscription. Problem solved, right?
Almost. Because ticking boxes does not answer the question that matters most to organisations handling sensitive data: who controls the data? Where is it stored, who manages the keys, what leaves the organisation’s own environment, and which law applies?
The risk that is not on the checklist
AI adoption is moving fast. A business subscription to Claude, Gemini or ChatGPT appears to be the logical response: it makes AI usage visible, manageable and contractually governed. It also reduces the risk of Shadow AI.
But there is a second issue, and it is a legal one. The American CLOUD Act (a federal law from 2018) requires US technology companies to hand over data upon request from US authorities, regardless of where that data is physically located. What matters is not the location of the server, but who manages the data and has access to its contents. That conflicts with the GDPR, which in many cases prohibits the transfer of personal data to foreign authorities without a European legal basis.
Here is the uncomfortable truth that is rarely stated plainly: organisations working with the most advanced AI models will almost always encounter US technology somewhere in the chain. The realistic question is therefore not whether that chain is avoidable, but how much data is exposed to it, and who retains control over the rest.
What an enterprise subscription does and does not cover
Viewed through the lens of data control, it’s important to consider what a business subscription to a public AI platform such as ChatGPT Enterprise, Claude for Work or Gemini for Google Workspace actually provides. The improvements are real: no model training on your data, stronger security controls, and in some cases European data residency options.
But the fundamental architecture remains unchanged: the entire data landscape, including every prompt, every conversation history, every uploaded document and every user account, is permanently stored and managed by the platform provider. That information is readable by the provider within its legal context. The same provider determines the architecture, holds the keys and is the legal point of contact in the event of a data request. Data residency moves the servers; it does not transfer control.
For organisations in the public sector, the financial sector and other regulated environments, this is a concrete concern, not an abstract one. The EU AI Act (deadline: August 2026) and the GDPR require organisations to demonstrate, with evidence, where their data is, who can access it and on what legal basis.
Four questions to answer before committing
Assessing an AI platform on data sovereignty requires looking beyond the privacy policy. Four questions determine the actual risk:
- Where is the data stored? Not just during processing, but permanently: conversations, documents, accounts.
- Who manages the encryption keys? Whoever holds the keys has de facto access and can be compelled to hand over data.
- What leaves the controlled environment? The smaller the data flow to external parties, the lower the legal exposure.
- Is it demonstrable? Compliance is not a promise but a burden of proof: certifications, audit functions, insight into usage.
A business subscription to a public platform returns the same answer across all four questions: the provider decides. A platform built around data sovereignty reverses that entirely.
For organisations that take these four questions seriously, a concrete follow-up question should be asked: does such a platform exist, and what does it look like in practice? Solvinity Secure Chat answers that along exactly those four dimensions.
Secure Chat: maximum control, minimum footprint
Solvinity Secure Chat is a fully managed SaaS AI chat platform, built on open-source technology and hosted in European data centres. The design principle is straightforward: the organisation retains control. Only what is strictly necessary leaves the secured environment.
Mapped to the four questions, this looks as follows:
Storage: in Europe, within the organisation’s own environment. All stored data (conversations, documents, user data) remains within the EEA. Each Secure Chat environment is built exclusively for one organisation, with fully separated infrastructure, storage and processing. No multi-tenant storage, no shared environments. The location of the data is demonstrable.
Keys: data is encrypted with HSM encryption keys. As a result, neither Solvinity nor the AI model providers have access to the contents of stored conversations and documents. What cannot be read cannot be transferred.
Data flow: reduced to the minimum. Staff work with the latest models from OpenAI and Anthropic, but only the traffic required to generate a response reaches the model, without storage at the model provider and without reuse for model training. All current and future data remains within the European environment, under the organisation’s own keys.
Demonstrability: built in. Secure Chat is based on open-source software and meets BIO, ISO 27001 and SOC 1, 2 and 3 standards. It also supports compliance with the GDPR and the EU AI Act. The AI Adoption Dashboard gives management, IT and compliance teams precise insight into how AI is used across the organisation. Adoption becomes measurable rather than assumed.
The difference from a public AI platform lies not in which models are used, but in the balance of control surrounding them. A subscription hands the entire data landscape to the provider. With Secure Chat, that landscape remains with the organisation: stored in Europe, encrypted with the organisation’s own keys, with a data flow towards the models that is minimised and contractually defined. Preferring not to use American models? That is also an option with Secure Chat.
The question to answer before committing
“Does the provider use our data for training?” is a starting point, not an endpoint. The question a regulated organisation must answer before adopting an AI platform is broader: “who controls our data, including the storage, the keys and the data flow, and can we demonstrate it?”
Answering that question honestly reveals the difference between a business wrapper around a public AI platform and a platform built from the ground up around data sovereignty.
Get started with Solvinity Secure Chat
Interested in how staff can work with the latest AI models safely and responsibly, while the organisation retains full control over its data? Get in touch today to schedule a demo.