AI Data Sovereignty
When you share business data with AI,
where does it actually go?
Most businesses using AI tools haven't asked this question carefully enough. Which country does the AI platform operate from? Who has access to the data you send it? What do their terms of service say about using your data to train future models? And does any of this put you in breach of UK GDPR?
The core issue
ChatGPT, Claude and Gemini are built and run by US companies. That matters for UK data.
OpenAI (ChatGPT), Anthropic (Claude) and Google DeepMind (Gemini) are all US-headquartered companies. When you send data to their AI platforms, even via API, it is processed by a company subject to US jurisdiction and US law, whichever country the servers physically sit in.
This creates several categories of risk for UK businesses:
UK GDPR third country transfers
UK GDPR restricts transfers of personal data outside the UK unless the destination is covered by UK adequacy regulations or appropriate safeguards are in place. The US has no blanket adequacy: the EU-US Privacy Shield was struck down in the Schrems II ruling, and the current UK-US "data bridge" covers only US organisations certified under it. Sending customer data to a US AI platform without an appropriate transfer mechanism (the ICO's International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, Binding Corporate Rules, or a certified data-bridge recipient) may constitute an unlawful transfer.
US CLOUD Act
The Clarifying Lawful Overseas Use of Data Act allows US law enforcement to compel US-based providers to hand over data in their possession, custody or control, regardless of where that data is stored or whose it is. Data you send to US AI platforms can be subject to this, even if it is held in an EU or UK data centre.
Training data usage
Many AI platforms' standard terms of service include rights to use submitted data to train or improve their models. This may mean your proprietary business data, client information or confidential communications become part of a training dataset, potentially surfacing in the model's outputs to other users.
Sector-specific compliance
For businesses in financial services, healthcare, legal or other regulated sectors, the requirements are even stricter. Sending client data to an external AI platform without specific contractual protections can breach FCA, CQC, SRA and other regulatory obligations.
This isn't just theoretical
The ICO has published guidance on using generative AI tools under UK GDPR and is actively monitoring compliance. Fines for unlawful data transfers can reach £17.5 million or 4% of annual global turnover, whichever is higher.
More practically: the business risk of confidential data leaking into AI training datasets — and potentially resurfacing in a competitor's AI output — is real and growing.
What sovereignty actually means
The spectrum from "total exposure" to "full data sovereignty".
Not all AI tools carry the same level of risk. Where your chosen AI sits on this spectrum determines your exposure.
The Zoho difference
Why Zoho's approach to AI is fundamentally different to OpenAI's.
Most major software platforms have bolted AI onto their products by integrating OpenAI or another US AI provider via API. When you use "AI features" in these tools, your data is being sent out of the platform to a US AI service — even if you didn't know that was happening.
Zoho took a different approach. They built their own AI — Zia (Zoho Intelligent Assistant) — from the ground up, running entirely within the Zoho technology stack. Zoho owns and operates all its own infrastructure: its own data centres, its own security stack, its own AI models.
Critically, Zoho is a privately held company. It's not publicly traded, not backed by US venture capital in ways that create data monetisation pressure, and has publicly committed to never selling customer data. The company's founder, Sridhar Vembu, has been vocal about building technology that respects user privacy over advertising or data revenue models.
What Zia does inside Zoho
CRM Intelligence
Analyses your sales pipeline, suggests next actions, scores leads and flags anomalies — all from within your Zoho CRM data without sending it elsewhere.
Email & Communication AI
Drafts emails, suggests responses and summarises email threads — using the context of the conversation in Zoho Mail and CRM, not an external AI.
Analytics & Forecasting
Interprets your Zoho Analytics dashboards, surfaces trends and generates narrative summaries from your own data.
Support AI
Powers intelligent responses in Zoho Desk using your knowledge base and customer history — your data stays in Zoho.
Workflow AI
Automates complex multi-step processes within Zoho Creator and CRM — again, no data leaves the ecosystem.
OpenAI / ChatGPT
- US company (Delaware incorporated)
- Subject to US CLOUD Act
- Consumer plan terms allow training data use
- Data processed on US infrastructure by default
- Backed by Microsoft — significant commercial pressure on data
- No UK/EU data residency guarantee on standard plans
OpenAI Enterprise
- US company — jurisdiction unchanged
- Data processing agreement available
- Training use excluded by contract
- EU data residency available on some plans
- Still subject to US CLOUD Act
- Significant per-seat cost
Zoho + Zia
- Privately held — no external investor data pressure
- AI runs on the data already in your Zoho account
- EU data centre option available
- GDPR-compliant processing by design
- No third-party AI API exposure by default
- Built into tools you're probably already using
Choosing the right AI
A practical framework for AI tool selection under UK GDPR.
Classify your data first
Before choosing an AI tool, understand what data you'll be putting into it. Is it personal data under UK GDPR? Is it commercially sensitive? Is it subject to sector-specific regulation (FCA, SRA, CQC)? The classification determines the level of protection required.
- Will you input customer names, emails or personal details?
- Does the data include financial or health information?
- Is any of it subject to professional confidentiality obligations?
- Could any of it give competitors a meaningful advantage if leaked?
Audit the AI platform's legal basis
For any AI tool you're considering, find out: where is the company incorporated? Where is data processed? Do they have a Data Processing Agreement you can sign? What does their ToS say about training data use?
- Is there a DPA available — and have you actually signed it?
- Where are servers physically located?
- What's their Sub-processor list?
- What happens to your data if you close your account?
Assess transfer risk
If personal data is going to a third country (e.g. the US) that isn't covered by UK adequacy regulations, you need an appropriate transfer mechanism. In the UK that is usually the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; either one requires a documented transfer risk assessment for US transfers.
- Have you completed and documented a transfer risk assessment (TRA/TIA)?
- Has the IDTA or UK Addendum been incorporated into your DPA?
- Is your Data Protection Officer (or equivalent) aware?
- Have you updated your privacy policy to disclose this processing?
Consider sovereign alternatives
For many business AI use cases, there are sovereign or near-sovereign alternatives that provide comparable capability without the transfer risk: Zoho Zia for CRM, email and analytics AI; EU-hosted open-source models for specific tasks; UK AI providers for regulated sectors.
- Can Zoho Zia provide the AI capability you need?
- Is there an EU/UK-based AI provider in your sector?
- Could a self-hosted open-source model serve this use case?
- What's the cost-benefit of enterprise licensing vs. a sovereign alternative?
Document your decisions
Whatever you choose, document it. Under UK GDPR's accountability principle, you must be able to demonstrate that you made informed decisions about data processing. A brief record of the assessment, the tool, the transfer mechanism and the business justification protects you if the ICO comes knocking.
- Is this in your Record of Processing Activities (RoPA)?
- Have you done a Data Protection Impact Assessment (DPIA) if required?
- Are staff trained on what data they can and can't input into AI tools?
- Is there an AI use policy in place?
How we help
AI implementation that doesn't compromise your data or your compliance.
AI strategy & governance
We help you develop an AI adoption strategy that includes data governance from the start — which tools, which data, which safeguards, which documentation.
Zoho ecosystem deployment
We deploy Zoho as your business operating platform and activate Zia's AI capabilities within it — giving you powerful AI that never leaves your data ecosystem.
Sovereign AI agents
We build AI agents that work with your Zoho data, your CRM, your documents and your processes — without routing sensitive information through US AI platforms.
Compliance documentation
We help you build the documentation around your AI use: DPAs, RoPA entries, DPIAs, transfer assessments and staff policies — so you can evidence compliance if needed.
Staff AI training
Practical training for your team on what AI tools they can use, with what data, and what constitutes a compliance risk — turning policy into practical behaviour.
Data audit & classification
Before any AI deployment, we help you understand what data you hold, how it's classified, and what protection it requires — the foundation of any compliant AI strategy.
Common questions
AI data sovereignty — the questions we get asked most.
Can I use ChatGPT for work if I don't put customer data into it?
Yes, with care. Using ChatGPT for drafting generic communications, brainstorming ideas or processing publicly available information carries much lower risk. The concern arises when personal data (customer names, emails, addresses), commercially confidential information or regulated data enters the prompt. Many businesses have a blanket 'no personal data in consumer AI tools' policy as the simplest way to manage this.
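A technical backstop for that blanket policy is to screen prompts at the point where they leave your environment, so personal data is blocked or redacted before an external AI platform ever sees it. The following is an added example written for this page; it is not Zoho's or OpenAI's code and is not part of the original. The regular expressions are illustrative heuristics for a few UK identifiers (email address, National Insurance number, phone number, postcode) and are an assumption of the example rather than a definition of personal data; they will not catch names or free-text context. `send_fn` is a hypothetical stand-in for the real provider API call, and the sample prompt is constructed with made-up details.

```python
import re
from dataclasses import dataclass, field

# Illustrative heuristics for a handful of UK personal-data identifiers.
# These are assumptions for this example, not a definition of "personal data"
# under UK GDPR: they catch structured identifiers, not names or free text.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # National Insurance number: two letters (D, F, I, Q, U, V not permitted),
    # six digits, suffix A-D; spaces between the groups are optional.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # UK number in national (0...) or international (+44...) form, with
    # optional spaces between digits.
    "uk_phone": re.compile(r"(?:\+44\s?|\b0)(?:\d\s?){9,10}\b"),
    # UK postcode: outward code, optional space, inward code.
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.IGNORECASE),
}


@dataclass
class ScreenResult:
    allowed: bool                                 # may the prompt leave the environment?
    findings: dict = field(default_factory=dict)  # category -> list of matched strings
    redacted: str = ""                            # prompt with matches replaced by placeholders


def screen_prompt(prompt: str, mode: str = "block") -> ScreenResult:
    """Scan a prompt for the identifiers above.

    mode="block": refuse the prompt if anything is found (the 'no personal
    data in consumer AI tools' policy enforced as a hard gate).
    mode="redact": always allow, but replace every match with a placeholder.
    """
    findings = {}
    redacted = prompt
    for name, rx in PATTERNS.items():
        hits = rx.findall(prompt)   # detect against the original text
        if hits:
            findings[name] = hits
        redacted = rx.sub(f"[{name.upper()}]", redacted)  # redact cumulatively
    if mode == "block":
        return ScreenResult(allowed=not findings, findings=findings, redacted=redacted)
    if mode == "redact":
        return ScreenResult(allowed=True, findings=findings, redacted=redacted)
    raise ValueError(f"unknown mode: {mode}")


def send_to_external_ai(prompt: str, send_fn, mode: str = "block") -> dict:
    """Gateway wrapper: screen first, forward only what the policy permits.

    send_fn is a hypothetical stand-in for the real provider API call; in a
    deployment it would be the only code path holding the provider credentials,
    so staff cannot bypass the screen by calling the provider directly.
    """
    result = screen_prompt(prompt, mode)
    if not result.allowed:
        return {"sent": False, "blocked_on": sorted(result.findings)}
    return {"sent": True, "response": send_fn(result.redacted)}


if __name__ == "__main__":
    # Constructed sample prompt; every detail in it is made up.
    prompt = ("Draft a reply to Jane Doe (jane.doe@example.com, 07700 900123, "
              "NI AB 12 34 56 C) at 10 Downing St, SW1A 2AA about her renewal.")
    fake_provider = lambda p: f"<provider saw: {p}>"
    print(send_to_external_ai(prompt, fake_provider))                 # blocked
    print(send_to_external_ai(prompt, fake_provider, mode="redact"))  # forwarded, redacted
```

Note what the sample shows: the email, phone, NI number and postcode are caught, but "Jane Doe" is not. Pattern matching is a backstop for the policy, not a replacement for it, and the staff training and AI use policy listed above remain the primary control.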
Does the Enterprise version of ChatGPT or Claude solve the problem?
It significantly reduces the training data risk — enterprise agreements typically include a DPA that excludes your data from training use. But it doesn't change the jurisdiction question: data is still processed by a US company subject to US law including the CLOUD Act. For most business use cases this is an acceptable risk with appropriate documentation. For highly regulated sectors or sensitive data, additional measures are needed.
Is Zoho GDPR compliant?
Yes. Zoho has GDPR compliance documentation, Data Processing Agreements, and EU/UK data centre options. As a privately held company, Zoho's business model is subscription revenue rather than data monetisation, which aligns its interests with protecting customer data. The practical difference from OpenAI or Google is architectural as much as legal: Zia runs inside Zoho's own stack rather than calling out to a third-party US AI API, and you choose the data centre region that holds your data.
What's a DPIA and do I need one for AI?
A Data Protection Impact Assessment is a UK GDPR requirement for processing that is 'likely to result in a high risk' to individuals. AI tools that process personal data at scale, use automated decision-making or introduce new technologies are often in scope for a DPIA. The ICO's guidance specifically addresses AI. We can help you determine whether a DPIA is required and complete it if so.
Can I build AI that uses my data without any of these risks?
Yes — self-hosted or sovereign AI deployments can eliminate third-country transfer risk entirely. This typically involves deploying an open-source language model on your own infrastructure (or a UK/EU cloud host), connecting it to your business data via a secure integration, and keeping all processing within your control. The cost has come down significantly as open-source models have improved. We build these solutions.
The cost of inaction
What using US AI platforms without oversight could cost you
Most businesses using AI tools have never audited what data is going in, where it's going, or whether they have a lawful basis for it. That's not a theoretical risk — it's the kind of gap the ICO investigates.
Financial risk
UK GDPR fines reach £17.5 million or 4% of global annual turnover, whichever is higher. For a business turning over £2m, the 4% figure alone is £80,000, and the statutory cap is higher still. But the bigger cost is often operational: regulatory investigation, legal fees, customer notification requirements and reputational damage routinely exceed the fine itself.
Legal & regulatory risk
UK GDPR Article 46 requires appropriate safeguards for transfers of personal data outside the UK. US AI platforms are subject to FISA Section 702 and Executive Order 12333, which give US intelligence agencies broad access to data held by US companies; this is the surveillance-law concern at the heart of Schrems II. For businesses in regulated sectors (legal, finance, healthcare) this is an active compliance issue, not a future concern.
Procurement & competitive risk
Enterprise and public sector clients are increasingly requiring suppliers to demonstrate compliant AI use as a condition of contract. Businesses without a documented AI governance position are losing procurement opportunities to competitors that can evidence their data handling. AI compliance is becoming a commercial requirement, not just a legal one.
Want AI that works for your business without putting your data at risk?
Book a free discovery call. We'll assess your current AI tool usage, identify any compliance gaps, and show you what a sovereign AI strategy could look like for your business.