Isabelle is renewing collaboration tools for a 150-person SMB. Leadership wants a reliable online meeting space; legal wants evidence, not “European cloud” badges on a sales deck. Before shortlisting three vendors, she prepares a grid even sales cannot dodge.
Why “European” is not enough in the contract
In RFPs, many vendors bundle datacenters in the Netherlands, US support teams and global CDNs under one label. Isabelle once received a DPA where the critical sub-processor—handling session metadata—appeared only in a technical annex, never discussed in demo.
Her goal is not to “ban the cloud,” but to know where traffic goes when twenty managers join a virtual office from sites in Paris and Brittany.
- Confusion between EU HQ and processing location
- Sub-processors missing from internal records
- “Sovereign” marketing with no verifiable hosting address
The 7 questions and what to verify
Isabelle turns due diligence into a binary checklist: vague answers eliminate the vendor before proof of concept.
She systematically asks for written answers per question, not a polished demo.
| Question | What to verify | Red flag |
|---|---|---|
| Where is data at rest hosted? | Country, region, hosting contract, HDS cert if healthcare | “European Union” with no country |
| Who processes audio/video? | Sub-processor list + signed DPAs | Unnamed CDN or SFU |
| Encryption in transit and at rest? | TLS, keys, public documentation | “End-to-end” with no scope |
| DPA and GDPR sub-processing? | Article 28, records, audit rights | US template not adapted |
| Data exit? | Export, timeline, format, deletion | No written procedure |
| Where are logs and for how long? | Location, retention, support access | Logs outside EU “for performance” |
| Who operates the infrastructure? | Operator, support, incident escalation | White label with no named operator |
What France hosting changes day to day
For Isabelle, pragmatic sovereignty lives in the contract and processing records, not anti-cloud rhetoric. A tool hosted in France with a named operator simplifies talks with cyber insurance and industrial clients auditing suppliers.
Meeting by Leagora relies on Leagora infrastructure, hosted in France with a GDPR-aligned approach; offers can fit an HDS frame when the sector requires it. Team (5), Project (12) and Workshop (25) rooms join in the browser with no install.
Scenario: shortlist and two-person trial
Isabelle keeps two vendors that answered the grid point by point. Before a fifteen-person pilot, she runs the free one-hour trial for two participants with her infra lead: guest path, screen share, legal notices on the site.
She also checks custom domain on paid plans—a *.leagora.io link reassures leadership less than a company subdomain for board meetings.
- Seven-question grid sent before any POC
- 1 h / 2 people trial to validate the real path
- Project (12) pilot then Workshop (25) if meetings widen
- Encryption and hosting docs filed with the DPA
Committee decision: evidence over slogans
In committee, Isabelle shows a green/amber table: two vendors documented France and sub-processors; the third stayed on marketing wording. Leadership approves a pilot on a collaborative space where session data and operator are readable in the contract.
She reminds the room that tool choice does not replace internal governance: recording retention, external invite rules and manager training remain SMB decisions.
Frequently asked questions
No. Isabelle reserves HDS for healthcare or client-imposed clauses; elsewhere France hosting plus a solid DPA is often enough.
Ask exact scope: which data, which hops, who holds keys. Compare with public documentation—do not accept a generic label.
No: compliance is about processing and hosting. Sizes (5, 12, 25) match meeting format, not a different legal regime.
The free one-hour trial for two participants validates the browser path and cross-checks sales answers with real experience.