The issue of data storage and processing goes beyond technical discussions — it is about national security, regulation, and economic independence. Market players agree that critical registries, defense data, and services for processing personal and financial data should be under domestic control.
The issue of data storage and processing goes beyond technical discussions — it is about national security, regulation, and economic independence. Market players agree that critical registries, defense data, and services for processing personal and financial data should be under domestic control.
But is it possible to keep them here? And if not, why and what could be the consequences? We have examined these issues in detail in our article.
According to GigaCloud COO and co-founder Anton Khvastunov, the State Service for Special Communications provides an official definition of critical data, but in simple terms, it is information that is not a state secret, but access to which should still be restricted. If someone gains unauthorized access to, modifies, or destroys such data, it can harm the owner of this information or the system in which it is stored.
According to Anton Khvastunov, this is, first of all, data that is important for the defense sector.
These are the positions of military units, evacuation routes, images and videos from drones, internal communication between units, and any military registers.
«Ideally, for all this, you would use only your own software, which would not be able to transfer any information to foreign developers and which would theoretically be more difficult to 'hack,'» says Khvastunov.
He also includes information related to critical infrastructure among the data that should not be stored abroad: «anything that could potentially be targeted by an enemy and that affects important daily affairs.»
Anton Khvastunov emphasizes: most of us use foreign services: we pay for Netflix, YouTube Premium, Spotify or iCloud. So it is impossible to avoid the transfer of our payment card data abroad.
However, this data must be properly protected, in particular, stored in accordance with the rules of the PCI DSS standard. It is internationally recognized and prohibits the storage of particularly sensitive data (CVC2, CVV2, PIN, etc.), but allows the storage of the card number, the name of its owner and its expiration date (under appropriate protection conditions).
«As for GigaCloud, it has a cloud with PCI DSS, so we can definitely guarantee that our solution can be used for services with transactions,» emphasizes Anton Khvastunov.
If we are talking about company data, then there are also foreign cloud tools and solutions, in particular for the formation and storage of financial statements, and many use them too. However, it is worth remembering the legal, technical and reputational risks of their use. «Unfortunately, it is impossible to guarantee the integrity of such data abroad or that it will not be used for competitive purposes in the future,» Khvastunov emphasizes.
As for financial institutions, in Ukraine there are clear requirements of the National Bank regarding the use of cloud services in compliance with the requirements of the legislation on personal data protection, information protection and cybersecurity. «And by choosing a Ukrainian provider, at least, it is much easier to comply with these requirements in the territory of Ukraine or outside it in the areas of activity of such a provider,» says a representative of GigaCloud.
GigaCloud COO says that, firstly, the site where the data is hosted must have the necessary permits and certificates, in particular, have a certificate of compliance with the KSZI. It is also worth adhering to international ISO standards, in particular ISO 27001, 27701, 27017, 27018.
Secondly, local Ukrainian providers are more concerned about compliance with Ukrainian legislation, other countries cannot demand access to customer data under their laws, and the data itself is stored closer to users, so its transfer is faster, with minimal delays.
«Ideally, store state data in a sovereign cloud — that is, in one where data placement, technical support, and control over them take place within the country and in accordance with national legislation. At GigaCloud, we build certified sovereign solutions recognized as such by the European community and our clients, in particular from the public sector,» adds Anton Khvastunov.
One of the big topics where data processing and storage come to the fore is the work of artificial intelligence services. Even if the service itself is Ukrainian, it cannot do without a foreign provider.
HAPP co-founder and AI voice assistant developer Vyacheslav Saloid emphasizes that in the field of voice and language technologies, Ukraine is still «absolutely completely dependent» on data processing by foreign providers. «The main technology suppliers remain the USA — OpenAI, Google, Anthropic. Since we use their resources, we are dependent on them,» he says. The result is limited opportunities to regulate, control, and monetize our own products.
Anton Khvastunov adds a practical remark about legal risk: «All hyperscalers fall under the CLOUD Act — there is a risk that data may be disclosed at the request of foreign authorities.»
A top manager at GigaCloud emphasizes that after Donald Trump’s re-election in 2025, the risk of losing one’s own data has become more obvious.
«Especially after the situation when, by his decree, Microsoft took away access to the work email of one of the prosecutors of the International Criminal Court. That is, there is actually a risk of data loss, its use for political purposes or in favor of American companies within the framework of unfair competition,» Khvastunov emphasizes.
Both speakers agree that building digital data sovereignty requires significant resources. «Even for our product, we need to invest at least a million dollars in infrastructure to maintain quality,» says Vyacheslav Saloid.
At the same time, he sees a window of opportunity:
«We are currently in the 'emergence' stage — we have about a year and a half to two years before the technological boom changes the rules of the game.»
However, not all Ukrainian businesses are dependent on processing and storing large amounts of data. For some, on the contrary, using their own local servers is a more economical way than going to global clouds.
Maxim Yastreb, founder of Profitmark, a trademark registration company, uses his own infrastructure on leased servers at Hetzner.
«We do not use cloud solutions because in our case it would be quite expensive. It is purely a matter of savings,» emphasizes Yastreb.
Grigory Osadchy, co-founder of the cloud telephony service Phonet, follows roughly the same logic. His company uses a local data center to house its servers.
«Historically, this is how they started, clouds weren’t that developed back then,» the businessman adds.
But now Phonet has launched some of its services on Google Cloud. «It’s a very cool cloud, but it costs accordingly. That’s why we’re not considering a full migration there,» he emphasizes.
In the context of our topic, it is interesting to analyze a recent case — how the Ministry of Digital Affairs decided to store data from recently launched state AI projects. We are talking about the AI-Factory, on the basis of which the chatbots «Actions» and «Dreams» will operate, as well as about the national large language model that the Ministry of Digital Affairs is developing together with Kyivstar.
The approaches to preserving national data in these two projects differ.
So, in order to create a new environment for AI chatbots that will process user requests in real time, «Diya» decided to purchase its own hardware and software. The procurement budget is quite high — 227.5 million hryvnias.
Meanwhile, the national language model can include both local hardware and a cloud cluster in one of the hyperscalers (AWS, Azure, GCP), — Mykhailo Nestor, Director of Digital Product Development at Kyivstar, told dev.ua.
In his opinion, the choice of local hardware for AI Factory is obvious. Because each request in the chatbot from the user will require processing on the GPU (even if there is an untrained model at hand). Therefore, according to Nestor, local servers (which are currently being purchased by «Diya») are an advantage due to lower signal latency and cost. These servers will also be located in a local data center.
Based on the comments of market participants, specific practical steps can be identified that will help reduce risks and accelerate the building of digital sovereignty.
1. Data classification and control
The first step is to clearly classify which government and corporate data are critical (defense registers, drone imagery, routes, critical infrastructure registers). Their storage and processing should be under full national control.
2. On-premises data centers and sovereign clouds
Ideally, store government data in a sovereign cloud, where hosting, technical support, and control take place within the country.» Certification (CSII, ISO 27001/27701/27017/27018, PCI DSS for payment services) and the availability of specialized solutions (for example, VMware Sovereign Cloud Provider certificate) are a basic requirement for trust in the provider.
3. Multi-layered protection and BCP
Simply placing data in the cloud is no longer enough. You need physical measures (shielded modules, sensors, video surveillance), encryption, PAM, SIEM, SOC, firewalls, and regular audits. A business continuity plan and regular data recovery testing are essential.
4. Regulatory and legal restrictions
For financial institutions, strict NBU rules apply. Hyperscalers are subject to the CLOUD Act — there is a risk that data may be disclosed at the request of foreign authorities. Therefore, when processing sensitive information, it is worth giving preference to local or sovereign solutions or applying a strict encryption and access separation model.
5. Invest in your own infrastructure and R&D
«We are absolutely completely dependent on large providers in the field of language models and speech synthesis,» states Vyacheslav Saloid. His conclusion is simple: without investments in its own servers, GPU farms, and the development of language models, Ukraine will remain a «digital colony.» At the same time, Saloid sees a «window of opportunity» — we need to build our own infrastructure and R&D while demand is growing and while prices for computing power can change.
6. Public-private partnerships and the role of telecoms
Experts advise involving large market players — telecommunications operators and banks — in the construction of sovereign infrastructure. «If part of the assets were kept in Ukraine, it would stimulate foreign investment,» says Vyacheslav. Anton Khvastunov adds that Ukrainian providers «more easily comply with local legislation,» so cooperation with them reduces legal risks for the state and business.
7. Support for open-source and local projects
Vyacheslav Saloid reminds that for a number of tasks (for example, transcription) there are already strong open-source solutions that can be deployed locally. Supporting such initiatives, creating competence centers and grants for local teams is a way to reduce dependence on Western platforms.
