Just a few years ago, talking about digital sovereignty in the context of CRM and the’marketing orchestration would have provoked shrugs. This is no longer the case.
Global economic instability and shifts in the balance of power between the great powers have revealed that our economies and certain essential public services rely on digital infrastructures that are not our own. We are no longer immune to pressure from our allies, and this pressure could take the digital route.
At Badsender, this question also resonates with the values we stand for on a daily basis. The logic of European regulation on subjects such as privacy or AI seems to us to be the right way forward. European solutions often take better account of these constraints, which we consider to be good for the market and for individuals.
This article is not intended to be a comparison (at this stage), nor to point the finger at any particular solution. The aim is to provide a framework for reflection, This is a grid of criteria that every French or European organization should integrate when evaluating or re-evaluating its Customer Engagement Platform.
This article is freely available.
It took time and expertise!
This month, thanks to our customer-sponsors: Actito, Puig France, Voyageurs du Monde, CMI France, Cegeka, BPI France, Citeo, FFT, Castor & Pollux, Clarins, Mews Group. They enable us to publish free content. Thanks to them, Badsender is fulfilling its mission of educating the French emailing and CRM ecosystem to promote responsible email.
With over 10,000 monthly readers, if only 1% became customers, we'd continue this mission for a long time to come! Become a customer and benefit from our expertise while supporting the production of open knowledge.
The «safety choice» syndrome»
Let's be honest: when we talk about sovereignty with decision-makers, everyone agrees. «Ah yes, we should make sovereign choices. But when it comes to putting together an analysis grid for a call for tenders, these criteria take a back seat. The scenario is the same as for ecological issues: we approve the principle, but we don't translate it into action.
Why is this? Because there's a powerful reflex in organizations: the security choice. You choose the same solution as your competitors, the market leaders everyone's talking about, because if your migration project goes wrong, nobody can blame you for having made that choice. It's only human. But it's also a way of thinking that ignores very real risks (and misses out on many opportunities).
And, unfortunately, the public sector is not always better positioned on the subject. The same reflexes are at work.
The two arguments that should carry weight with a board of directors
Beyond the rhetoric of values, there are two very concrete arguments that should give any CIO or marketing/CRM department pause for thought.
- Legal compliance : RGPD is not an option, it's an obligation. But are you able to comply with the RGPD if you are subject to certain US legislation? The Cloud Act and FISA 702 allow U.S. authorities to...’demand access to data hosted anywhere in the world, If the service provider is a U.S. company or is owned by U.S. capital. Locating servers in Europe is not enough to protect data if the entity operating them is subject to US law.
- Service continuity If a political decision, economic sanction or technical failure cuts off access to a service on which you depend, will your CRM still be working on Monday morning? Are your e-mails going out? Are your campaigns running? This isn't a theoretical worst-case scenario, it's a question that every serious risk analysis should include.
The criteria grid: assessing the sovereignty of a Customer Engagement Platform
Sovereignty is not binary. There are many elements to evaluate, and each organization must set its own cursor. But to do so wisely, you need to know what to look for.
1. Data and infrastructure hosting
This is the fundamental criterion, the non-negotiable starting point.
Your customers' personal data must be hosted in a European data center, operated by a company with a European shareholding. This is the minimum condition for sovereignty.
But it's not enough to ask the question generically. We need to dig deeper:
- Where are application servers and databases hosted? What about backups?
- Who is the hosting company? Is it European? Is its shareholder base European, including indirectly?
- If the platform doesn't handle email routing itself, what third-party service is used to send it? Where is it hosted, and by which company?
2. Shareholders and governance
Hosting isn't everything. The question of who controls the company that publishes the platform is just as decisive.
- Is direct shareholding 100% European?
- What about indirect shareholding? A French company majority-owned by an American investment fund does not offer the same legal guarantees.
- What is the company's legal structure?
- In the event of a dispute or request for access to data by a foreign authority, which law applies?
3. Technological dependencies and risk analysis
A platform can tick all the above boxes and still remain fragile if it relies on non-European, non-substitutable technological building blocks.
- Is the MTA (mail server) a non-European proprietary software, or an open source solution (Postfix, for example)?
- Is the database a cloud service from an American hyperscaler, or an open technology (PostgreSQL, MariaDB) operated in-house or by a European service provider?
- If there are third-party bricks (customization engine, email builder, reporting tools...), where do they come from?
And above all: has the platform carried out a risk analysis on its own dependencies? If Cloudflare goes down or becomes inaccessible, can the platform continue to operate in degraded mode? If the main email routing fails, is there a back-up mechanism?
A sovereign platform is also one that is aware of its vulnerabilities and has planned alternatives.
4. Embedded AI: the new Trojan horse
It's a point that few people yet associate with sovereignty, yet it's about to become central.
More and more customer engagement platforms are integrating artificial intelligence functionalities: content personalization, predictive scoring, send time optimization, text generation. These functionalities are becoming an integral part of daily platform use.
But with which AI? The most powerful models today are American. If your European platform sends your customers' data to an LLM hosted in the U.S. to personalize your campaigns, you have a sovereignty problem.
Questions to ask :
- Which AI solution is integrated into the platform?
- Is customer data transmitted to third-party AI services? If so, which ones, and where are they hosted?
- Does the platform use open source models or European solutions?
- If the platform's AI brick is down, is the platform still usable?
5. Channel sovereignty
We're thinking about infrastructure, hosting and shareholding, but there's a second blind spot when it comes to thinking about the sovereignty of these platforms: the channels themselves.
Email is an open protocol, decentralized, standardized. SMS relies on interconnected telecom operators. The web is an open space. These channels are not structurally dependent on a non-European player.
On the other hand, the rise of customer engagement strategies based on WhatsApp (Meta) or RCS (Google) creates a direct dependency on Californian companies that can change the rules of the game, rates or access conditions at any time, unilaterally.
This is not to say that these channels should be abandoned. But it does mean that a sovereign customer engagement strategy is also one that diversifies its channels and doesn't put all its eggs in one basket. If tomorrow your main channel is WhatsApp and Meta changes its pricing policy or conditions of use in Europe, what's your plan B?
6. Contribution to the ecosystem
This last criterion may be the least immediately operational, but it reveals a publisher's posture.
- Does the platform use open source components? If so, does it contribute back to the projects it uses?
- Is the bulk of R&D and jobs located in Europe?
A platform that consumes open source without ever contributing, that locates its R&D outside Europe while claiming to be European, these are signals to be taken into account in an overall assessment.
Summary table of CRM Marketing sovereignty criteria
To help you along, here's a small summary table that we'll be updating as we go along.
| Axis | Criteria | Question to ask the publisher |
|---|---|---|
| Hosting | Server localization | Where are application servers, databases and backups hosted? |
| Hosting company | Is the host a European company with European shareholders? | |
| Email routing | If the platform doesn't handle email routing itself, what third-party service is used? Where is it hosted and by whom? | |
| CDN | Are images hosted in Europe? | |
| Shareholders and governance | Direct shareholding | Is the publisher's direct shareholding 100% European? |
| Indirect shareholders | Is indirect shareholding (funds, parent company) 100% European? | |
| Applicable jurisdiction | In the event of a dispute or request for access to data, which law applies? | |
| Technological dependencies | MTA / email routing | Is the delivery server open source or non-European proprietary? Is there a backup mechanism? |
| Database | Is the database an open technology or a cloud service from an American hyperscaler? | |
| Third-party bricks | Are third-party components (rendering, email builder, customization, reporting) European or substitutable? | |
| Risk analysis | Has the platform documented its dependencies and provided for operation in degraded mode? | |
| On-board AI | AI solution used | Which AI solution is integrated? Is it European or open source? |
| Data transit | Is customer data transmitted to third-party AI services outside Europe? | |
| Channel sovereignty | Dependence on proprietary channels | Does the CRM strategy rely on channels controlled by non-European players (WhatsApp, RCS)? |
| Diversification | Is there a plan B if an owner channel changes its access conditions? | |
| Contribution to the ecosystem | Open source | Does the platform contribute to the open source projects it uses? |
| R&D and jobs | Is the bulk of R&D and jobs located in Europe? |
Don't change everything, but stop ignoring
This article is not a call to migrate platforms in a hurry. Migrations of Customer Engagement Platforms and other CRM Marketing platforms are heavy projects that occur cyclically, every 4 to 5 years on average (sometimes with even longer cycles). If you migrated to a new platform a year ago, sovereignty doesn't justify starting all over again.
On the other hand, the next time you put your Customer Engagement Platform out to tender, include these criteria in your analysis grid. Ask the publishers these questions. Demand precise, documented, verifiable answers.
What's next?
This article is a first step. We are convinced that digital sovereignty in the field of customer engagement and marketing orchestration deserves to be explored far beyond this initial reflection.
We plan to continue this work, in particular by publishing a self-assessment form which would enable industry players to be compared on the basis of objective, transparent criteria.
In the meantime, we'd be delighted to talk with Customer Engagement Platform publishers, integrators and users on these topics. What do you think? Which criteria are you ready to commit to? Which ones do you feel are missing from this grid? The conversation is open.
Leave a Reply