How Vault365 answers Veeam’s EMEA Data Sovereignty challenge – With Irish datacentre locations, LocalLock hardened repositories, and a Platinum VCSP Veeam partner commitment you can sign a contract around.
‘We Need to Talk About Data Sovereignty’
Veeam recently published a conversation starter for the EMEA region revolving around the issue of data sovereignty in our region, https://www.veeam.com/emea-data-soveregnity.html with a guide titled ‘We Need to Talk About Data Sovereignty’ – and Veeam is correct, we do need to talk about it, but also act on it.
The challenge we all face that Veeam lays out in the publication is not new, but it has never been more urgent. Between the EU’s GDPR obligations, and expanded scope of the NIS2 directive, the looming threat of the US Cloud Act, and the landscape of increasing political uncertainty, Irish organisations are operating with a more complex and highly consequential data governance burden than ever before.
We address these challenges directly by showing how Vault365 can help our customers achieve data sovereignty and immutable protection by keeping backups out of the public US owned hyperscalers.
Veeam’s EMEA Data Sovereignty page is explicit: ‘Data sovereignty is about an organisation’s control over its own data’ — ensuring their own continued access and restricting access by third parties. Location is just one part of that process. Vault365 was built specifically to satisfy the need for Local cloud storage and on-prem immutability, guaranteeing data sovereignty.
The problem with most Cloud Backup Providers
Before explaining how Vault365 solves the sovereignty problem, it is worth being precise about how most backup vendors will fail to solve it, even when words like “sovereign” and “compliant” are used in the sales collateral.
Issue 1 – The hyperscaler
The majority of BAAS products – including those who market themselves directly to EMEA – store their backup data in the public cloud in either Microsoft Azure, AWS, or Google Cloud.
This is not inherently wrong and has its use cases. But it creates a sovereignty and “all in one basket” risk. The US cloud Act allows the US government to compel US-Headquartered companies to disclose data stored anywhere is the world. This includes Irish region datacentres own by the hyperscalers. Backups also do not fit in the 3-2-1 rule when your MO365 backup data is stored in the same cloud as the production data. Or if your VM’s replicate to another location but you do not have backups stored outside of the ecosystem.
Issue2 – Sovereignty Washing
Some vendors claim data residency by pointing to the storage location while hosting their management servers outside of the storage location. And sometimes even outside the EU. This practice is known as sovereignty washing – meaning that while your backup data may be stored in Irish locations the keys that can decrypt it, the audit log access, and control plane that manages data retention, are all running under a different jurisdiction. An audit that asks where all parts of the backup solution resides will expose this.
Issue 3 – Recovery
Some vendors who sell backup to cloud services charge to restore data, some have a direct time and cost to restore while others are hidden charges in transactions and egress costs.
Charges levied every time data is read back from the storage layer can get unexpectedly expensive when you need certainty the most. During a ransomware event a customer may need to restore the entire footprint involving tens or hundreds of terabytes. This means the very time you need it, is when it costs you the most.
What to look for:
Ask your provider these questions:
· Where is the management plane hosted?
· Who holds the encryption keys?
· What is the cost to restore 10TB of data?
If these answers are not correct you have a gap that needs to be addressed.
How Vault365 Addresses the Sovereignty Requirement
Vault365 was designed from its foundation to be the answer to these concerns. Through an engineered approach and commercial contractual commitment Vault365 provides Irish owned and governed storage and management of your backup data. While also providing on-prem immutability options to allow you to keep your backups out of hyperscale datacentres.
Irish Data Centres — Sovereign by Design, Not by Accident
Vault365 operates its backup storage infrastructure from Tier III+ data centres located in the Republic of Ireland. This is not a marketing footnote — it is a contractual commitment. Every customer who engages Vault365 for cloud backup or Backup as a Service receives, as part of their service agreement, an explicit statement of data residency: their backup data is stored in Ireland, is processed in Ireland, and subject to the Irish Data Protection Commission as the competent supervisory authority under GDPR.
This matters enormously for GDPR Article 44 compliance. When data is processed exclusively within the EU, the cross-border transfer provisions of GDPR simply do not apply. There is no Standard Contractual Clause to worry about, no adequacy decision to monitor, no Schrems II exposure. The data is subject to European law. Full stop.
Vault365 is also ISO27001 certified, proving via third party verification that Vault365 can handle, secure and store your data to the highest standard.
Veeam states their approach to addressing the data sovereignty is to use its local partners with the ability to offer local services.
No US CLOUD Act Exposure
Because Vault365 is an Irish-incorporated company operating solely on Irish infrastructure, it falls outside the jurisdictional reach of the US CLOUD Act. A US law enforcement request cannot compel Vault365 to produce data, because Vault365 is not a US-based provider and its infrastructure is not operated by a US-based entity. This is not a technical workaround — it is a structural jurisdictional reality that hyperscaler-backed backup vendors simply cannot offer.
A key differentiator is that Vault365 is one of only three Veeam service providers in the country to hold Veeam’s highest partnership level at platinum status. Vault365 was also named Irish partner of the year in 2025, and Vault365 holds the highest amount of Veeam accreted architects and engineer’s among all VCSP partners in Ireland.
LocalLock – Hardened Immutable Repository for On-site Recovery
For companies that do not want to use cloud storage at all or need a backup copy outside of their production workload in the cloud, LocalLock is the answer.
Vault365’s LocalLock is not just immutable storage, it is the gap closer for companies who need local backup storage that is secure and immutable. While LocalLock can address any companies need, it is of particular use for organisations in the Healthcare, Government, Financial and Pharma industries where data must remain within the confines of their own facilities.
What makes LocalLock different?
LocalLock is not simply a NAS or storage server, with immutable storage, it is a fully hardened appliance with segregated out of band management and monitoring of the hardware, provided as a service. In practice here is what the appliance provides;
- Object Lock Immutability
- Once a backup is written the blocks of data become locked and are immutable. No level of Veeam administrator can change this. The immutability period must pass before any backup data can be changed or deleted. This immutability is within the filesystem meaning that even if the control plane is compromised or even destroyed the immutable data still cannot be changed.
- No Admin Override
- Veeam’s repository connection operates on a single use credential that is destroyed once the first connection to the storage is made. This means no persistent credentials are stored anywhere in Veeam, and even a fully privileged Veeam administrator cannot access the backup storage system. LocalLock further secures access by disabling SSH, and out of band management is a custom system segregated from the customer network. No bad actor, even with credentials can access the system via the network or ILO.
- Fully Managed by Vault365
- LocalLock is not a product Vault365 ships and leaves you to manage. The Vault365 engineering team remotely monitors the appliance 24/7, handles capacity management, firmware updates, and performance tuning, and provides proactive alerting if any backup job fails or if immutability integrity is at risk. Customers pay a simple appliance-based monthly fee, and several appliance sizes to choose from, with no egress charges for restores.
How Vault365 Implements the 3-2-1-10 rule
Vaults365’s backup services are designed to deliver all five components of Veeam recommended backup strategy as a managed service.
• 3 copies of your data — production data + at least 2 backup copies
• 2 different storage media types — preventing a single hardware failure from affecting all copies
• 1 copy off-site — Vault365’s Irish datacentre receives encrypted, incremental backup copies
• 1 copy air-gapped or immutable — LocalLock provides the on-site Object-locked immutable copy
• 0 errors verified — backup jobs can use Veeam’s SureBackup automated verification and integrity checks
Critically, all of this is done as a service with both Cloud and local backups being immutable and secure, all the while every block of data stays within Ireland and Irish governed companies jurisdiction, the entire 3-2-1-1-0 rule is achieved without ever crossing the Irish border.A combination that most organisations thought would be commercially unavailable outside of building their own infrastructure at high cost.
In Conclusion
Veeam is correct to frame the conversation of data sovereignty, this question must be answered now and Vault365 is perfectly placed to provide that answer.
Control, Transparency, and Trust are all addressed by Vault365 services.
Backup data must be under your control not the control of a hyperscale US governed company.
As Vault365 is Irelands leading VCSP platinum partner and as Veeam’s Irish partner of the year, with the highest standard of accreditations, Vault365 is perfectly positioned to provide the best in Backup services to the Irish market.
If you are an Irish organisation reviewing your backup strategy, your GDPR compliance posture, or your NIS2 readiness — and you want to have the data sovereignty conversation with a partner who has already answered every question — contact us at sales@vault365.com
