Mainstream Hosting Risks for Therapists: CLOUD Act, Data Scanning & Shared Servers (2026)

April 5, 2026 • Updated May 9, 2026 • 10 min read

When you sign up for a hosting plan, the marketing promises are seductive: "99.9% uptime," "unlimited bandwidth," "enterprise-grade security." But for health practitioners, the fine print tells a different story — one of data exposure, jurisdictional risks, and compromised confidentiality.

Most mainstream hosting providers (AWS, Google Cloud, Azure, and even budget shared hosts) operate on a model that is fundamentally incompatible with the privacy needs of therapists and counselors.

Risk 1: The "Shared Responsibility" Illusion

Cloud providers like AWS and Google Cloud market themselves as "secure," and the infrastructure itself genuinely is. But they operate on a shared responsibility model: the provider secures the data centres, the hypervisors and the services themselves, while you are responsible for everything you configure on top of them: who can reach a storage bucket, whether a database accepts connections from the internet, which encryption settings are switched on, and patching anything you run yourself.

For a non-technical therapist, this is a trap. If you misconfigure a bucket or leave a database port open to the internet, your client data is exposed, and nothing on the provider's side will stop it, because that was your half of the deal. These environments have hundreds of settings, a single permissive one is enough, and misconfigurations are common.

The Reality: Security researchers find exposed databases and storage buckets containing health records on the major cloud platforms every year, and the recurring causes are mundane: a database server (MongoDB, Elasticsearch and the like) reachable from the internet without authentication, or an object-storage bucket left world-readable. None of these needs a sophisticated attacker; a search engine for internet-connected hosts is enough. See our tech stack guide for how to avoid this.
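To make the "misconfigured bucket" concrete, here is an added example (not code from the original article or from Clear Practise) that audits an S3 bucket policy document and the four S3 Block Public Access flags for the exact mistake described above. It assumes the JSON policy format Amazon S3 uses; the bucket name, role name and account ID in the samples are constructed for illustration, and the account ID is AWS's documentation placeholder, not a real account.

```python
"""Spot the public-bucket misconfiguration the article warns about.

Added example, not from the original article or from Clear Practise.
Reads the JSON policy document format used by Amazon S3 bucket policies
and the four S3 Block Public Access flags. All policies, names and IDs
below are constructed for illustration.
"""
import json
from typing import Any

# The four Block Public Access settings S3 exposes per bucket/account.
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _as_list(value: Any) -> list:
    """Policy fields such as Action or Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal: Any) -> bool:
    """True when the Principal element matches every account or anonymous user."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def find_public_statements(policy_json: str) -> list[dict]:
    """Return the Allow statements that grant access to everyone.

    Each finding records the Sid, the actions granted and whether a Condition
    block is present: a '*' principal restricted by aws:SourceVpce or
    aws:SourceIp may be deliberate, so it is reported with conditioned=True
    rather than silently accepted. Deny statements with a '*' principal are
    the normal way to enforce TLS and are not reported.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def missing_public_access_blocks(config: dict) -> list[str]:
    """Return the Block Public Access flags that are not set to True.

    An empty list means all four are on, which stops a policy like
    PUBLIC_READ_POLICY from being attached in the first place.
    """
    return [f for f in PUBLIC_ACCESS_BLOCK_FLAGS if config.get(f) is not True]


def audit(policy_json: str, block_config: dict) -> bool:
    """True when there are no public Allow statements and all blocks are on."""
    return (not find_public_statements(policy_json)
            and not missing_public_access_blocks(block_config))


# Constructed sample 1: the classic mistake; anyone on the internet can read
# every object, e.g. exported session notes.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-practice-notes/*",
    }],
})

# Constructed sample 2: one named role may read; plaintext connections are
# refused. 123456789012 is AWS's documentation placeholder account ID.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/practice-web-app"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-practice-notes/*",
        },
        {
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-practice-notes",
                         "arn:aws:s3:::example-practice-notes/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed sample 3: Block Public Access with one flag left off.
PARTIAL_BLOCK_CONFIG = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": True,
}

if __name__ == "__main__":
    print("public:  ", find_public_statements(PUBLIC_READ_POLICY))
    print("hardened:", find_public_statements(HARDENED_POLICY))
    print("missing blocks:", missing_public_access_blocks(PARTIAL_BLOCK_CONFIG))
```

The same two checks map onto most providers: look for an "everyone" principal in an Allow grant, and confirm the platform-level guard that forbids such grants is switched on, rather than trusting that the default was safe.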

Risk 2: Data Scanning and AI Training

Even with a managed service, the provider retains a contractual right to access your content in defined circumstances.

The agreements do not say quite what is often claimed. AWS's and Google Cloud's infrastructure terms permit access to customer content where it is necessary to provide the service, to investigate suspected abuse of their platform, or to comply with a binding legal order; the consumer products (Gmail, Google Drive) are governed by separate terms, and some AI-related services carry their own usage terms and opt-outs (AWS, for example, offers an organisation-level AI services opt-out policy). The point for a therapist is that the decision about when your data is touched rests with the provider's contract and its own controls, not with you, and you cannot verify from the outside when that right is exercised. Under GDPR you remain the controller: session notes are special category data under Article 9, and any processing a provider performs beyond your documented instructions (Article 28(3)(a)) is processing with no lawful basis, whether or not a human ever reads the file.

Risk 3: Jurisdictional Nightmares (The CLOUD Act)

Where is your data physically stored? If you use a global provider, the answer might be "somewhere in the US." Even if you select a European region, the parent company is often US-based.

This exposes you to the US CLOUD Act, which allows US law enforcement to compel a US provider to produce data in its possession, custody or control regardless of where the servers sit, so choosing a Frankfurt or Stockholm region does not take you out of reach. GDPR does not literally say data must stay in the EU, but Article 48 provides that a third-country court order or authority demand is not on its own a lawful ground for transferring personal data; only a route recognised by an international agreement, such as a mutual legal assistance treaty, is. A US provider served with a CLOUD Act order is therefore caught between two legal systems, with your clients' records in the middle.

Read our deep dive on why US hosting violates GDPR.

Risk 4: The "Noisy Neighbor" Effect

On shared hosting, you share CPU, RAM and disk I/O with dozens or hundreds of other sites. If another site on your server gets hit by a DDoS attack or runs a resource-heavy script, your site slows down or goes offline with it.

For a therapist, downtime means missed appointments, frustrated clients and a damaged reputation. Worse, your security is only as good as the isolation between tenants. On hosts that separate sites weakly (every site running as the same system user, or a shared filesystem that one site can write into), a compromise of a neighbor's outdated plugin can be turned into read or write access to your files and database credentials. Ask the host how tenants are isolated, not just how fast the disks are.

From Risk to Resolution: The Clear Practise Difference

Now that you understand the risks, the solution becomes clear. You don't need to become a cloud architect to avoid these pitfalls. You need a host that handles the complexity for you.

Clear Practise was built specifically to eliminate the risks outlined above. We provide sovereign, isolated hosting in Finland (EU) with zero US ties. Our infrastructure is dedicated to your practice, meaning no "noisy neighbors," no data scanning, and no shared responsibility traps. We handle the security; you focus on your clients.

Migrate to Sovereign Hosting


What to Look For in a Host

When evaluating a hosting provider, ask these questions and get the answers in writing:

  1. Where is the data center? It must be in the UK or EEA, or in a country with an adequacy decision.
  2. Who owns the company? A US parent puts the provider within reach of the CLOUD Act regardless of where the servers are, so avoid US-based conglomerates.
  3. Do they access or scan my data? The answer must be "No, beyond what is needed to run the service," and the data processing agreement (GDPR Article 28) should limit processing to your documented instructions.
  4. Is it shared or dedicated? For health data, dedicated or strongly isolated infrastructure is mandatory.
  5. What is their encryption policy? They should offer encryption in transit (TLS on every connection) and at rest, and be able to tell you who holds the keys.

Frequently Asked Questions

Is AWS GDPR compliant for therapist websites?
AWS offers infrastructure that can be used in a GDPR-compliant way, but under the shared responsibility model the configuration of access controls, encryption and internet exposure is yours. If you misconfigure a service, your client data is exposed. Additionally, as a US company, AWS is subject to the CLOUD Act, and GDPR Article 48 does not recognise a foreign order on its own as a lawful ground for transfer.
Can Google Cloud scan my therapist website data?
Only in defined circumstances. Google Cloud's terms permit Google to access customer content where necessary to provide the service, investigate abuse or comply with a binding legal order; they do not grant a general right to read your content, and consumer products such as Gmail and Drive have different terms. For therapists handling special category health data, the issue is that any processing beyond your documented instructions as controller would be unlawful under GDPR Articles 9 and 28, and you cannot verify from the outside when that access right is exercised.
What is the CLOUD Act and why does it affect UK therapists?
The US CLOUD Act allows US law enforcement to compel US-based companies (AWS, Google, Microsoft) to hand over data in their possession or control, wherever it is stored. UK therapists are affected because the UK GDPR, like the EU GDPR, treats such a disclosure as an international transfer that needs a lawful basis, and under Article 48 a foreign order alone is not one.
What is the best hosting for UK therapists?
Sovereign hosting in the EEA (like Finland) with dedicated, isolated infrastructure. This avoids US jurisdiction, eliminates shared-resource risks and removes the international transfer problem; you remain the data controller and still need a data processing agreement with the host. Clear Practise provides this specifically for health practitioners.

Conclusion

The convenience of mainstream hosting comes at a hidden cost: the potential compromise of your clients' most sensitive data. As a health practitioner, you cannot afford to gamble with trust.

Switching to a sovereign, privacy-first host is not just a technical upgrade; it is a statement of your commitment to ethical practice. Don't wait for a breach to make the change.

Explore Sovereign Hosting Options