Session

Designing Sovereign Data Flows and Storage Across Multiple Public Clouds: From Theory to Practice

Sovereign cloud discussions are often framed around a single Cloud Service Provider (CSP), focusing on workload location, cloud regions, or provider nationality. In practice, sovereignty is defined by data control: where data is stored, how it flows, who can access it, and under which trust assumptions, especially in multi-cloud environments.

This talk presents a production-grade approach to designing sovereign data storage and flows across multiple public cloud providers. Based on real platform architecture, applied security research, and regulatory review, it explains how multi-cloud, when treated as a security primitive rather than a deployment choice, can help achieve sovereignty objectives. It also highlights why naive designs fail due to implicit CSP trust, centralized key management, insider access, and correlated outages.

The session explains how the architecture was validated in 2023 by the French Data Protection Authority (CNIL), the independent regulator enforcing GDPR in France, and has since been deployed in production.

It introduces the cryptographic foundations used to enforce data control by design, including fragmentation, threshold-based secret sharing, erasure coding, and all-or-nothing techniques, ensuring that no single CSP can access meaningful data.

The talk concludes with a concrete multi-cloud implementation, providing actionable patterns to build cloud-native systems where sovereignty is enforced by architecture and cryptography, not by CSP-centric assumptions or contractual trust.

Gilles Seghaier

Cofounder & CTPO of Astran
