5 hidden US dependencies in your martech stack you're probably overlooking
Your CMS is European. Your analytics is sovereign. You have a data processing agreement in place. And yet, with every visit, your website leaks IP addresses, browser data and behavioural information to American servers. Not through your core systems — through the details nobody checks.
The digital sovereignty debate focuses on the big building blocks: cloud infrastructure, CRM, CMS, analytics. These are the systems everyone knows and where most energy goes during a sovereignty audit.
But sovereignty leaks through the details. Through small decisions made years ago, never revisited, quietly routing data to American servers. Every visit. Every visitor. Without consent. Without notice.
Below are five of the most common — and most underestimated — dependencies we encounter during the Sovereignty Scan.
Google Fonts is the default choice for web developers worldwide: free, widely supported, trivial to implement. One line of CSS and you have access to over a thousand typefaces. It feels like a neutral infrastructure decision — a style choice, not a data choice.
But every time a visitor loads your website, their browser opens a connection to fonts.googleapis.com to fetch the typeface. That request sends the visitor's IP address to Google servers outside the EU. No cookie, no tracking pixel, no active choice by the visitor. Just a technical requirement of how remotely hosted fonts work.
And an IP address is personal data under the GDPR. Combined with a timestamp and domain name it is traceable to an individual — especially for Google, which can link it to a comprehensive profile.
→ Browser sends GET request to fonts.googleapis.com
→ Transmitted: IP address + User-Agent + Referer (your domain name)
→ Google processes this on servers outside the EU
→ No consent requested, no notification given
- Host fonts locally on your own server or CDN — at most an hour of work
- Use Google Webfonts Helper to download and self-serve fonts
- Consider Bunny Fonts as an EU-hosted CDN alternative
- Also check Adobe Fonts and Font Awesome CDN — same issue applies
This is the paradox that strikes us most during the Sovereignty Scan. Organisations invest time and budget building a sovereign martech stack — then put an American consent banner on top of it. The tool meant to guarantee that data only flows after consent, itself processes data before that consent exists.
The market leaders in consent management are predominantly American. OneTrust is headquartered in Atlanta, Georgia. TrustArc is in San Francisco. All of these tools load as the very first script on your page — by definition before the visitor has made any choice. On top of that, the consent tool stores a database of your visitors' privacy behaviour: consent logs, cookie preferences, timestamps. Stored at an American vendor, falling under the CLOUD Act.
- Consent Studio (consent.studio) — fully Dutch, built by Vallonic, no American parent company
- Klaro — open-source, self-hostable, no external data transfer
- Usercentrics — German (Munich), significantly better but verify ownership structure
Google Tag Manager is the nervous system of most marketing stacks: one container managing all tags, pixels and scripts. It feels like a neutral orchestration layer — a tool that controls other tools, but processes no data itself.
That picture is wrong. GTM contacts Google servers on every page load to fetch gtm.js. That request transmits the IP address, browser metadata and referrer URL. GTM also sets cookies and stores data via Local Storage. It is full data processing — even when no individual tags are active. And every tag managed through GTM is a potential backdoor: a third party with access to your container can inject scripts beyond your control.
Transmitted:
→ Visitor IP address
→ User-Agent (browser, OS, device)
→ Referer (full URL of current page)
→ Accept-Language (visitor language preference)
- Server-side GTM — run GTM on your own server so visitors make no direct connection to Google servers
- Strict consent flow — load GTM only after explicit consent (requires re-architecture of your tag setup)
- Matomo Tag Manager — open-source alternative, fully self-hostable
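The "strict consent flow" above, and the point in the consent-management section that the consent record itself should not sit at a third party, come down to one gate: park every third-party loader until the visitor has opted in, and keep the decision in first-party storage. Added example, not code from the article or from Blastic; the GTM container id format and the Web Storage-like `storage` and `injectScript` callbacks are assumptions so it runs in Node as well as a browser.

```javascript
// Added example, not from the article: a consent gate that parks third-party
// loaders (GTM here) until the visitor has explicitly opted in. Consent state is
// kept in first-party storage, so no request leaves the site before the choice.
// storage and injectScript are passed in so the same logic runs in Node.
function gtmScriptUrl(containerId) {
  // Public GTM loader URL; the container id format is an assumption (GTM-XXXXXXX).
  if (!/^GTM-[A-Z0-9]+$/.test(containerId)) throw new Error('invalid GTM container id');
  return `https://www.googletagmanager.com/gtm.js?id=${containerId}`;
}

class ConsentGate {
  constructor({ storage, injectScript, key = 'consent' }) {
    this.storage = storage;           // Web Storage-like: getItem/setItem
    this.injectScript = injectScript; // e.g. url => append a <script> to <head>
    this.key = key;
    this.pending = new Map();         // purpose -> URLs waiting for consent
  }

  // Parsed consent record; anything unreadable counts as "no consent".
  state() {
    try { return JSON.parse(this.storage.getItem(this.key)) || {}; } catch { return {}; }
  }
  hasConsent(purpose) { return this.state()[purpose] === true; }

  // Register a third-party script for a purpose. Returns true if it loads now,
  // false if it is parked; a parked URL is never fetched until grant().
  require(purpose, url) {
    if (this.hasConsent(purpose)) { this.injectScript(url); return true; }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push(url);
    return false;
  }

  // Record the choice locally and release the parked loaders for that purpose.
  grant(purpose) {
    const s = this.state(); s[purpose] = true;
    this.storage.setItem(this.key, JSON.stringify(s));
    const urls = this.pending.get(purpose) ?? [];
    this.pending.delete(purpose);
    urls.forEach(u => this.injectScript(u));
    return urls.length;
  }

  // A refusal is recorded locally too; returns whether parked loaders were dropped.
  deny(purpose) {
    const s = this.state(); s[purpose] = false;
    this.storage.setItem(this.key, JSON.stringify(s));
    return this.pending.delete(purpose);
  }
}
```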
Organisations think carefully about their marketing email platform — bulk newsletters, campaigns, automation sequences. But transactional emails are almost never discussed in a sovereignty audit. That is a problem, because they systematically handle the most sensitive type of data: names, email addresses, order details, medical appointments, financial transactions, account information.
SendGrid (Twilio, San Francisco), Mailgun and Amazon SES are the dominant players. All American-controlled, all subject to the CLOUD Act, all with access to every email you send through their platform.
- Brevo (formerly Sendinblue) — Paris-based, covers both transactional and marketing email, GDPR by design
- Spotler Mail+ — Rotterdam, strong track record with Dutch public sector organisations
- Postal — open-source transactional mail server, fully self-hostable
- Self-hosted SMTP on your own EU infrastructure — maximum control
Forms are the moment an anonymous visitor reveals their identity for the first time: name, email address, phone number, company name, project description. The most valuable data in your marketing funnel. And they are processed by a system most organisations have never audited for sovereignty.
HubSpot Forms sends submissions directly to servers in Boston. Typeform has VC backing and infrastructure that is partly American. JotForm is in San Francisco. The moment someone clicks "Submit", their personal data goes straight to the form tool's server — unfiltered by your systems. And if that provider is American, that data immediately falls under the CLOUD Act.
→ POST request to api.hsforms.com (HubSpot, Boston 🇺🇸)
→ Name + email + phone number stored at HubSpot
→ Copy sent to your CRM via API
→ HubSpot holds the primary data — CLOUD Act applies
- Native forms in your EU CMS — Plate CMS and Prepr both support their own form processing
- Mautic — open-source marketing automation including forms, fully self-hostable
- Direct CRM integration via API — submissions go straight to your EU CRM, no intermediary SaaS tool
- Serverless form endpoints on your own EU infrastructure — straightforward to build, full control
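The fonts, tag manager and forms dependencies above all surface the same way: as third-party hosts in your own markup (stylesheet links, script tags, CSS imports, form actions). Added example, not code from the article or from Blastic, that lists those hosts from a constructed sample page and flags the vendors the article names; the host list, sample page, kit id and form path are constructed for the example.

```javascript
// Added example, not from the article. Host list: well-known hosts for the
// vendors the article names; a starting point, not an exhaustive list.
const FLAGGED_HOSTS = {
  'fonts.googleapis.com': 'Google Fonts (CSS)',
  'fonts.gstatic.com': 'Google Fonts (font files)',
  'use.typekit.net': 'Adobe Fonts',
  'kit.fontawesome.com': 'Font Awesome CDN',
  'www.googletagmanager.com': 'Google Tag Manager (gtm.js)',
  'api.hsforms.com': 'HubSpot Forms',
};

// URLs in HTML attributes and in inline CSS (@import / url()).
const ATTR_RE = /\b(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;
const CSS_RE = /(?:@import\s+(?:url\()?|url\()\s*["']?([^"')\s]+)/gi;

// Third-party hosts the markup connects to. Relative and protocol-relative URLs
// resolve against pageOrigin, so first-party assets drop out; mailto:/data: too.
function externalHosts(markup, pageOrigin) {
  const own = new URL(pageOrigin).host;
  const hosts = new Set();
  for (const re of [ATTR_RE, CSS_RE]) {
    for (const m of markup.matchAll(re)) {
      let url;
      try { url = new URL(m[1], pageOrigin); } catch { continue; }
      if (!/^https?:$/.test(url.protocol) || url.host === own) continue;
      hosts.add(url.host);
    }
  }
  return hosts;
}
// Pairs every external host with its vendor (null = unknown, which still
// needs a look: unknown is not the same as sovereign).
function scanDependencies(markup, pageOrigin) {
  return [...externalHosts(markup, pageOrigin)]
    .sort()
    .map(host => ({ host, vendor: FLAGGED_HOSTS[host] ?? null }));
}
// Constructed sample page; the kit id and form path are placeholders.
const SAMPLE_PAGE = `<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/assets/site.css">
<style>@import url("https://use.typekit.net/EXAMPLE-KIT.css");</style>
<script src="//www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
</head><body>
<form action="https://api.hsforms.com/PLACEHOLDER-FORM-PATH" method="post"></form>
<a href="mailto:privacy@example.org">privacy</a>
<img src="https://cdn.eu-vendor.example/logo.png">
</body></html>`;
console.log(scanDependencies(SAMPLE_PAGE, 'https://www.example.org/'));
```

Run it against the served HTML of a real page (and, separately, against each linked stylesheet) to catch imports that only appear inside CSS files.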
The pattern behind all five
What these five dependencies have in common is not the scale of data exposure — that varies. What they share is how they came to exist: through small, pragmatic decisions that were never revisited. A developer who added Google Fonts because it was easy. A marketer who chose SendGrid because everyone uses it. An agency that installs GTM as a default on every project.
None of these decisions were unreasonable at the time they were made. But together they form a pattern of invisible dependencies that systematically export data to the US — with or without deliberate intent, with or without a DPA, with or without consent.
The Sovereignty Scan maps this pattern systematically. Not as an accusation, but as a starting point. Because most of these dependencies are fixable — with European alternatives that are functionally on par and in many cases also cheaper.
How many of these five are in your stack?
Request a free Sovereignty Scan. In 60 minutes we map all hidden dependencies — from fonts to forms — and build a prioritised action plan.
Book your free Sovereignty Scan →
Frequently asked questions
What is digital sovereignty in the context of martech?
Digital sovereignty in martech means you have full legal and technical control over your marketing technology stack. It is not only about where your data is stored (data location) but also about which legislation applies to it (jurisdiction). If your CMS, analytics or marketing automation runs at an American provider, your data falls under the American CLOUD Act, even if the servers are located in Europe.
A sovereign martech stack consists of tools that fall entirely under European jurisdiction.
Why is the CLOUD Act a risk for my marketing stack?
The CLOUD Act (2018) gives the US the right to request data from any American-controlled provider, regardless of where that data is physically stored. FISA Section 702 goes further still and enables bulk surveillance of non-US persons.
This applies to all major US cloud providers and SaaS platforms, including the tools in your martech stack. Concretely: if your CMS runs at an American vendor, the US can request your content and customer data without you or a European supervisory authority being informed.
Can I make my existing martech stack sovereign without replacing everything?
Yes. Blastic uses a phased approach. We start with a Sovereignty Scan to map your risk profile. We then design a composable architecture with European vendors and migrate step by step, starting with the most critical components.
You do not have to replace everything at once, and you give up nothing in functionality.
Which European CMS alternatives are there to WordPress or Contentful?
There are more and more powerful European CMS platforms. Plate CMS is a Dutch CMS that recently migrated to fully Dutch hosting at Info Support. Prepr is an Amsterdam-based headless CMS with built-in personalisation and A/B testing.
In addition, Umbraco (Denmark) and Kentico (Czech Republic) are strong European DXP platforms that Blastic implements as a partner.
What does a Sovereignty Scan cost?
The Sovereignty Scan is a no-obligation 45-minute conversation in which Blastic maps the critical dependencies in your current martech stack. There is no charge.
You receive a clear overview of your risk profile and concrete recommendations for a sovereign martech stack.
Is digital sovereignty only relevant for the public sector?
No. Although government leads the way with the 2026 coalition agreement, in which digital autonomy becomes a guiding principle, the topic is broadly relevant. Organisations in healthcare, financial services (DORA, NIS2), education and B2B companies with sensitive customer or IP data all benefit from a sovereign martech stack.
Get in touch and we will discuss what this means for your organisation.
Ready to get started?
Take back control of your digital future
Start with a no-obligation Sovereignty Scan. In a 60-minute conversation we map the critical dependencies in your current stack and sketch a path to sovereignty.