Your Month-End Close Data Crosses Four Jurisdictions Before You See the Report
The Question Nobody Asks During Close
Month-end close is the most concentrated moment in the financial calendar. Three weeks of reconciliation, verification, and cross-checking compressed into the final sign-off. The CFO reviews the numbers. Checks the reconciliations. Clicks "Generate Report." Report appears in under 30 seconds.
What happens during those 30 seconds is the part nobody thinks about. The query your accounting software ran to generate that report didn't travel from your desk to your screen. It traveled from your desk to infrastructure in Virginia, São Paulo, Singapore, and back to your screen — routed through whichever data center had spare processing capacity when you clicked the button.
Ask your accounting software vendor one question you've likely never asked: during my last close process, which countries did my financial data transit through to generate my reports? If they can't answer — and most can't — that silence is the exposure this article is about.
Data Residency Is Not Data Processing
The accepted understanding about GDPR is that EU data residency protects your financial data. That understanding covers half the picture. EU data residency governs where data is stored. It doesn't control where data is processed when it flows through your accounting software's cloud infrastructure to generate a report. Your data can legally be stored in Frankfurt and processed in Virginia in the same transaction.
This distinction — between storage and processing — is the gap most European companies have never evaluated. Finance teams spent years ensuring GDPR compliance for data residency. They signed data processing agreements. They ensured EU server locations. Every step was correct and every step addressed a narrower problem than they thought.
When your cloud-based accounting software routes a month-end close query through globally distributed infrastructure, the jurisdictional protection changes depending on which data center handles the processing. And that routing decision isn't made by your finance team, your IT department, or your compliance officer. It's made by an algorithm optimizing for cost and speed.
The Laws That Follow Your Data Across Borders
US Cloud Act, Public Law 115-141 (2018): US law enforcement can compel any American-headquartered company to produce data stored or processed anywhere in the world. The EU data center location doesn't matter if the software provider is American. QuickBooks parent Intuit is headquartered in Mountain View, California. Sage has US operations and infrastructure dependencies. For both, US jurisdiction applies to data access requests regardless of which EU server holds your financial reports.
FISA Section 702 — renewed by US Congress in April 2024 — authorizes warrantless surveillance of non-US persons using US-controlled infrastructure. No notification to the affected company is required. No recourse exists.
Schrems II (2020) is the EU Court of Justice ruling that invalidated Privacy Shield data transfer agreements between the EU and US, specifically because US surveillance law made adequate data protection impossible. The court's reasoning applies directly: when financial data transits US-controlled infrastructure during report generation, the protections your data processing agreement promised may not hold.
TikTok received a €530M GDPR fine from the Irish Data Protection Authority in May 2025 for routing EU user data through foreign jurisdiction — the largest data protection penalty of 2025. Microsoft AI Research exposed 38TB of internal data including financial credentials and internal messages in 2024 (SecurityWeek). Neither incident involved a deliberate breach. Both involved data flowing through architecture paths that weren't fully mapped or controlled.
Performance Optimization Is the Vector
Finance teams didn't notice routing complexity grow because each architectural change was introduced as an improvement. First, accounting software moved from servers installed on company premises to cloud — better accessibility, lower maintenance. Then multi-cloud became the norm for reliability, meaning queries route across several cloud providers at once. Then AI processing was added, requiring routing to wherever spare processing capacity existed.
At each step, routing decisions moved further from the finance team's control. At no step was a consent form presented asking: "Do you want your month-end close data routed through US-controlled infrastructure?" The question asked was always: "Would you like faster report generation?" Those are different questions with different answers, and only one was asked.
Cloud providers headquartered in the US charge premium rates for data processed within US borders, restricted to US-domiciled companies. Everyone else? Queries routed to whichever region has spare capacity at the lowest cost. Your Q4 close data might be processed in Virginia, São Paulo, or Singapore. You don't choose. You don't know. You can't audit it.
92% of enterprise AI converges on OpenAI infrastructure, directly or through embedded tools (Kiteworks/Reco.ai/LayerX, 2025). When your accounting software's AI assistant helps generate your close report, there is a 92% probability the underlying AI processing routes through US-controlled infrastructure. Not because anyone chose it — because that's where the infrastructure is.
The Gap Nobody Owns
Nobody in the org chart is responsible for knowing the real-time routing path of financial data during report generation. The CISO (Chief Information Security Officer) monitors access and breach events. The DPO (Data Protection Officer — the person responsible for GDPR compliance) manages documentation. IT manages infrastructure contracts. Finance manages the close process. The routing path of a specific month-end close query through multiple cloud data centers falls between all four responsibilities.
Banking offers the parallel that makes this visible: a European bank's financial data cannot be processed through foreign-jurisdiction infrastructure without explicit regulatory approval under ECB supervisory guidelines. Banks must document and control the data routing of all financial processing operations. A company using standard cloud accounting software — processing the same sensitive financial data — has none of those routing controls in place.
An uncomfortable fact sits at the center of every European company's month-end close: the process that produces the most sensitive numbers your company generates runs on infrastructure you don't control, through jurisdictions you didn't choose, routed by algorithms optimized for cost rather than compliance. You sign off on the numbers. You don't sign off on the route they traveled to reach your screen.
The Exposure Accumulates
Waiting to address this is not a neutral position. The CLOUD Act has been in force since 2018. FISA Section 702 was renewed in 2024. EU AI Act enforcement begins requiring transparency documentation for AI systems in financial applications starting 2026. French tax authorities (DGFiP) and German authorities enforcing GoBD (Germany's bookkeeping compliance rules) audit trail standards are increasingly asking how financial data is processed, not just where it's stored.
Each quarter that passes with month-end close data transiting US-reachable infrastructure adds another quarter of accumulated legal exposure. EU AI Act and NIS2 — the EU directive requiring essential-service organizations to demonstrate cybersecurity control over their data flows — are moving toward requiring documentation of data routing in financial systems. The current undocumented state becomes a compliance failure, not just a risk. The regulatory question is when, not whether.
Sovereign Architecture Closes the Gap Permanently
Sovereign architecture resolves the tension between cloud performance and data control. The real question is whose infrastructure processes your financial data.
Stralevo runs every financial query on EU infrastructure the company controls. No cross-border routing. No US jurisdiction exposure. Full audit trail from query to report. When your auditors ask where your data went during the close process, the answer is: it stayed exactly where it was supposed to.
Answers come with source citations traceable to the exact document, page, and field. The AI already knows your chart of accounts, your reconciliation rules, your reporting templates — so the close process gets the same speed without the jurisdictional exposure.
One action for Monday morning: ask your accounting software vendor for a routing log of your last month-end close. Which infrastructure regions processed your queries, in what order, under which jurisdiction? If they cannot provide it, you've confirmed the gap. If the answer includes US infrastructure, you've confirmed the exposure.
Directors of finance who can demonstrate complete data routing control — every query processed on EU infrastructure, full audit trail from query to report — occupy a compliance position that differentiates them in enterprise procurement, regulatory examinations, and board-level risk conversations within the next two years.
You signed off on the report. You didn't sign off on the route it traveled to become a report. That's the gap worth closing before next quarter's close.