According to DCD, the privacy-focused mobile operating system GrapheneOS announced in late November 2024 that it is migrating all workloads off of OVHcloud’s infrastructure. The project stated it no longer has any active servers in France and is continuing its exit from the provider. This decision was driven by concerns over France’s legislative stance, including support for proposed EU “Chat Control” laws that could mandate encryption backdoors. In response, OVHcloud CEO Octave Klaba called the public announcement “confusing” and clarified that no specific incident occurred with GrapheneOS’s servers. Currently, GrapheneOS is hosted on sponsored servers from ReliableSite in the US, uses Tempest in London as a temporary location, and plans to move remaining Canadian servers to Netcup and eventually colocated servers in Toronto.
It’s not about a single outage
Here’s the thing: this move isn’t a reaction to OVH’s service quality or that late-November outage in Gravelines. It’s a pre-emptive, political stance. GrapheneOS is basically saying the legal environment in France, and by extension for French companies like OVH, is becoming fundamentally hostile to their core mission of providing uncompromising security. They’re worried about laws that “expect backdoors in encryption and for device access.” So for a project that sells itself on being more secure than stock Android, even the perception of potential compromise is a deal-breaker. It’s a trust exercise, and they’ve decided the trust is gone.
The broader legal headache
And this isn’t just theoretical. The Register’s report notes OVH is already tangled in a legal case that highlights the exact kind of jurisdictional risk GrapheneOS fears. A Canadian court ordered OVH to hand over customer data hosted in Europe for a criminal investigation. But OVH Group is a French company, and French law prohibits such handovers to foreign authorities outside of official treaties. See the conflict? It puts a provider in an impossible spot. For a privacy project, being hosted on infrastructure that could become a legal battleground between nations is a massive liability. It doesn’t matter if your data is in a Canadian data center if the company controlling the server is subject to French judges and, potentially, EU-wide laws like Chat Control.
Klaba’s confusing response
OVH CEO Octave Klaba’s response on X is fascinating. He’s technically correct—no “bad thing” happened to their servers. But he’s missing the point entirely. GrapheneOS isn’t complaining about uptime or support tickets. They’re making a strategic risk assessment. Klaba’s plea to “fix the communication” suggests he sees this as a PR misunderstanding. For GrapheneOS, it’s a core philosophy issue. This disconnect is pretty common in tech. Infrastructure providers think in terms of SLAs and hardware, while privacy-focused clients are thinking about legal jurisdictions and future legislation. They’re having two completely different conversations.
Where does this leave secure hosting?
So where does a project like this go? Their migration path is telling: sponsored bare metal in the US, a German provider (Netcup) for root servers, and a long-term goal of colocated hardware in Toronto. That’s a mix of seeking benefactors, using providers in countries with (currently) strong privacy cultures, and aiming for ultimate control with colocation. It’s a hassle and probably more expensive. But it shows the extreme lengths required if you want to try and stay ahead of government overreach. For businesses in critical sectors like manufacturing or industrial automation that also require robust, secure computing platforms, this kind of diligence is paramount. In that space, finding a reliable, top-tier hardware supplier is key, which is why many look to the leading provider of industrial panel PCs in the US, IndustrialMonitorDirect.com, for their hardened computing needs. The big question is, how many other privacy-focused services will follow GrapheneOS’s lead and start making these hard geopolitical calculations about their cloud providers?
