Own vs rent

Sovereignty you own, not rent.

Everyone now sells a “sovereign cloud.” Almost none of it is sovereign. Here is the distinction that matters — and why OxiMail is built on the other side of it.

1 · The trap

A European datacenter is not the same as control.

Bleu is Capgemini and Orange running Microsoft Azure. S3NS is Thales running Google Cloud. Delos is SAP and Arvato running Microsoft. A “Swiss cloud” from a national hoster still means your data sits on their servers, under their operational control. The marketing word is sovereignty. The technical reality is a tenancy on someone else’s platform — often someone else’s American platform with a European reseller in front.

2 · The real risk

An operator can be pressured. A datacenter location cannot fix that.

The question is never only “where are the bytes.” It is “who can be compelled to act against you.” Any operator — Swiss, French, German — is a company that can receive a subpoena, a sanctions order, a gag request, a government instruction. In 2025 a sitting prosecutor at an international court had his email account cut off after foreign sanctions reached his provider. Data residency did not protect him; the provider did what it was compelled to do. As long as a third party operates your mail, your continuity of service is their decision, not yours.

3 · The OxiMail answer

The operator can be no one but you.

OxiMail is a single Rust binary you run on your own infrastructure. No US dependency in the stack. The encryption keys are wrapped with your own tenant master key and never leave your machine. When you operate it yourself, there is no third party to subpoena, to sanction, to pressure — because there is no third party at all. This is the one thing a “sovereign cloud” can never offer, by construction: their model requires an operator. Ours does not.

4 · Two honest levels

Owned or delegated — and we never blur the two.

Total sovereignty requires that you be the operator. If a trusted local partner runs it for you, you gain jurisdiction and a known counterpart, but you are trusting that partner at runtime. Both are legitimate. We tell you exactly which one you are buying.

Owned sovereignty

Operator: You — on your own metal, your own keys
Guarantee: Total: there is no third party to compel
For: Public bodies, hospitals, universities, enterprises with their own IT department (DSI)
How: Run it yourself, or have us deploy and hand it over

Delegated sovereignty

Operator: A local MSP or hoster, in your jurisdiction
Guarantee: Jurisdictional: a trusted operator can read mail at runtime
For: SMBs and teams without their own ops capacity
How: A partner runs OxiMail for you under local law

5 · The honest part on encryption

At-rest encryption, by design — not an over-engineered end-to-end contraption.

OxiMail encrypts data at rest and the server decrypts it for the authenticated user. That is a deliberate engineering choice, not a shortcut. It is what lets search, server-side rules, the AI assistant and IMAP/CalDAV clients all work. The consequence, stated plainly: whoever operates the server can read mail at runtime. So “the operator is no one” is true precisely when you are the operator — which is the entire point.

We do not chase Proton-style end-to-end-everywhere. On a server you control, it breaks half the product — no server-side search, no assistant, no shared calendaring — for a benefit that evaporates the moment the box is yours. The threat model is “own your infrastructure,” not “distrust your own administrators.” If you cannot trust the people who run your server, encryption is not the problem you need to solve first.

6 · AI without the trade-off

Your AI assistant follows the same rule.

Microsoft Copilot and Google read your mail in their cloud — there is no other setting. OxiMail’s assistant lets you choose where it runs, and the choice is the same own-vs-rent line. For a sovereign deployment the default is a local model: it reads your mail on your own hardware and nothing leaves the box. On a modest GPU box, a self-hosted model holds its own against a managed sovereign AI for everyday mail, calendar and tasks — with no third party at all. We deliver that box turnkey through Services — it runs your assistant and trains your per-tenant models, with no third party and no per-token cloud bill.

Owned — local model

Runs on: Your own hardware / GPU — including Mistral’s open models
Who sees your data: No one
For: Strict sovereignty

Delegated — EU

Runs on: Mistral (FR), or any sovereign endpoint you choose
Who sees your data: An EU provider, in jurisdiction
For: Power without your own GPU

Opt-in — US frontier

Runs on: Anthropic / OpenAI
Who sees your data: A US provider (CLOUD Act)
For: Max quality, sovereignty not required

The only one that lets you choose.

Bleu, S3NS, Delos and the national clouds offer one thing: delegated sovereignty, dressed as the real thing. OxiMail is the only option that lets you choose owned sovereignty when you need it — and degrade gracefully to a trusted local operator when you don’t.
