When a board approves an acquisition, records a sensitive HR decision or reviews a whistleblowing report, that information is among the most confidential a company holds. So a simple question deserves a precise answer: where does that data actually live? For Admincontrol Board Portal, the answer is deliberately narrow. All sensitive governance data is stored exclusively in two private data centres in Norway, within the European Economic Area (EEA), on infrastructure Admincontrol operates itself. Not a shared public cloud, not a US region, not a patchwork of sub-processors.

Running your own data centres is expensive and demanding. Most software vendors avoid it and rent capacity from the large cloud providers instead. Admincontrol made the harder choice on purpose, because for board and committee work, control over where data lives, who can access it and what happens when something fails is not a technical detail. It is the product.

KEY TAKEAWAYS
  • Admincontrol Board Portal keeps all sensitive board data in two private data centres in Norway, within the EEA. Only single sign-on session data and anonymised technical logs sit on Microsoft Azure.
  • Data residency is not the same as data sovereignty. Where a server sits matters less than who controls the infrastructure and which laws can reach it.
  • Owning the infrastructure removes single points of failure and third-party exposure, backed by AES-256 encryption, ISO 27001:2022 certified controls and an active-passive design with a recovery time objective under two hours.
  • Because Admincontrol is a European company running its own European infrastructure, board data is not directly exposed to the US CLOUD Act in the way a US-headquartered provider's data can be.

Where is board portal data stored?

For most SaaS tools, the honest answer is “it depends”. Data may be spread across several public-cloud regions, replicated to wherever capacity is cheapest, and processed by a chain of sub-processors the customer never sees. For governance data, that ambiguity is a liability.

Admincontrol takes the opposite approach. Every piece of sensitive Board Portal content lives on private infrastructure in Norway: board documents and attachments, agendas and minutes, decisions and resolutions, access rights and roles, portal configuration, and local audit trails. This is a private cloud, owned and run by Admincontrol, not rented space on a public platform.

Only two narrow categories of data ever touch Microsoft Azure, and neither contains board content. The first is single sign-on session data, limited to a user's name, email address and a session identifier. The second is anonymised technical logs, which hold technical identifiers and metadata only, with no personal or business data. The separation is strict and deliberate: the sensitive material and the plumbing that lets you log in are kept apart.

Data residency vs data sovereignty: what boards need to know

These two terms are often used interchangeably, and the difference matters. Data residency describes where data is physically stored. Data sovereignty describes whose laws govern it, and who can ultimately compel access.

A vendor can store your data in an EU region and still be subject to non-European legal reach, because sovereignty follows control of the infrastructure, not just the map coordinates of the server. “Sovereign cloud” badges from global hyperscalers can blur this line. The underlying platform, its parent company and its legal obligations do not change because a marketing label was applied.

Admincontrol's position here is straightforward, and we are careful not to overstate it. Board Portal data resides in the EEA, is protected under the GDPR, and a data processing agreement is available. Just as importantly, Admincontrol is part of Euronext, a European exchange group. The infrastructure, the company and the accountability all sit in Europe. That is a more defensible trust claim than a residency label alone, and it is one that US-headquartered pure-play vendors cannot make in the same way.

Does the US CLOUD Act reach data held in Europe?

This is the question that turns an abstract debate into a concrete risk. The US CLOUD Act, passed in 2018, allows US authorities to compel US-headquartered providers to hand over data in their control, regardless of where that data is physically stored. That includes data sitting in European data centres, and it is a recognised point of tension with the GDPR, whose Article 48 restricts transfers demanded by foreign courts.

For a board, the implication is uncomfortable. If your governance platform, or the cloud underneath it, is operated by a US company, the data can in principle be reached through US legal process even when it never leaves Frankfurt or Stockholm. Choosing a European provider that controls its own European infrastructure is the most direct way to reduce that exposure. It is one of the central reasons Admincontrol runs its own data centres rather than outsourcing the foundation of its most sensitive product.

What happens when a single cloud region fails?

Concentration risk is the other side of the coin. When thousands of services depend on the same public-cloud region, a single fault can cascade. In October 2025, a defect in one Amazon Web Services region in the United States disrupted services for around fifteen hours, taking down apps and platforms used by millions of people worldwide. Nine days later, a faulty configuration change in Microsoft Azure caused a global outage affecting Microsoft 365, Teams and other enterprise tools. Neither event was caused by an attacker. Both were reminders that renting your foundation means inheriting someone else's failure modes.

Downtime is not free. Analyst estimates commonly put the cost of critical-system downtime in the thousands of dollars per minute. For a board trying to close a meeting, sign a resolution or meet a filing deadline, the platform being unavailable at the wrong moment is far more than an inconvenience.

Admincontrol mitigates this with an active-passive architecture across its two Norwegian data centres, with a recovery time objective under two hours and load balancing handled by NetScaler. Because Admincontrol owns both sites, resilience is designed in, not inherited.

How Admincontrol's architecture protects your board data

The pieces fit together into a single principle: keep the sensitive material in one controlled place, and protect it at every layer.

  • Two private data centres in Norway, within the EEA, operated by Admincontrol.
  • Strict data separation, so only SSO session data and anonymised logs sit on Azure.
  • AES-256 encryption for stored data and TLS encryption for data in transit, following Euronext Corporate Solutions cryptographic standards.
  • A demilitarised zone (DMZ) with a NetScaler load balancer and the web application layer in front, and the database and storage held safely behind it.
  • Mandatory two-factor authentication for new portals, with single sign-on handled through a dedicated identity service.
  • ISO 27001:2022 certified information-security controls, GDPR compliance and an available data processing agreement.

This is enterprise-grade security without the enterprise-grade complexity, and it is the reason a board can adopt the platform without a lengthy security fight with its own IT function. The same commitment to European hosting runs across the wider suite, including Admincontrol Data Room and its certified security controls.

Lessons from recent incidents

The value of this design becomes clearest when you look at what goes wrong elsewhere. In 2025, the Philadelphia Inquirer reported that BoardDocs, a board-meeting product used across the US public sector, exposed confidential files, including legal memos protected by attorney-client privilege, after a misconfiguration caused documents marked private to appear in the application's search results. The root cause was not exotic. It was a configuration error on a shared product surface.

That is exactly the class of risk that strict separation, controlled infrastructure and rigorous access design are meant to contain. No architecture can promise that human error will never occur. But an architecture that keeps sensitive governance data on infrastructure the vendor controls, separated from everything else and protected at every layer, gives you far fewer ways for a small mistake to become a public one.

Frequently asked questions

Where is Admincontrol Board Portal data stored?

All sensitive board data is stored in two private data centres in Norway, within the European Economic Area, on infrastructure Admincontrol operates itself. Only SSO session data and anonymised technical logs reside on Microsoft Azure.

Is the Board Portal GDPR compliant?

Yes. Data is hosted in the EEA in line with the GDPR, and a data processing agreement is available on request. Information-security controls are certified to ISO 27001:2022.

Does the US CLOUD Act affect my board data?

The CLOUD Act can reach data controlled by US-headquartered providers wherever it is stored. Admincontrol is a European company, part of Euronext, running its own European infrastructure, which is the most direct way to reduce that exposure.

What happens if a data centre goes down?

The Board Portal runs in an active-passive configuration across two Norwegian data centres, with a recovery time objective under two hours and NetScaler load balancing to support continuity.

CONCLUSION
Where your board data lives is a governance decision, not a back-office one

For board and committee work, where data lives shapes your regulatory exposure, your resilience and your ability to demonstrate to regulators, auditors and investors that governance is handled responsibly. Admincontrol made the deliberate, and more demanding, choice to run its own European data centres so that the answer to “where is our data?” is clear, short and defensible. See how Admincontrol Board Portal keeps your governance data secure and in Europe.

Request a demo

Share this post