When people talk about data sovereignty, they usually talk about servers, cloud regions, and legal jurisdictions. That matters, but it misses where most company knowledge actually lives.
It lives in the office suite.
Documents. Email. Calendars. Chat. Shared drives. Meeting notes. Spreadsheets. Presentations. Identity. Search. Retention. Admin logs. Vendor integrations. Increasingly, AI assistants.
That is the real control plane for the business.
This is not an anti-cloud argument
Microsoft 365 and Google Workspace are useful products. They solved real problems. They made collaboration easy, especially for teams that did not want to run infrastructure.
That convenience is valuable. I am not pretending otherwise.
The issue is what happens when convenience becomes dependency. Over time, the office suite stops being "where documents live" and becomes the place where the business thinks, remembers, approves, and communicates.
Once that happens, leaving is no longer a software decision. It is an operating model change.
That is why the desire for open source and self-hosted alternatives keeps coming back. It is not because mainstream tools are useless. It is because the more work they absorb, the harder it becomes to tell where the company's knowledge ends and the vendor's platform begins.
Data residency is not the same as control
Large vendors have improved their data residency controls. Microsoft's EU Data Boundary commits to storing and processing customer data and personal data for covered enterprise services inside a defined European boundary, subject to documented exceptions. Google Workspace data regions let administrators choose geographic storage and processing locations for covered data in supported services and editions.
Those controls matter. They are not meaningless.
But they are still vendor-defined controls inside a vendor-owned platform. The scope, exceptions, product coverage, support access, metadata handling, optional features, and future roadmap remain part of the vendor's architecture.
That may be acceptable. For many companies, it is.
But it is not the same as owning the workspace.
What the office suite really controls
The office suite usually controls more than people realize.
It controls identity because users log in through it all day. It controls files because every draft, contract, invoice, and policy ends up there. It controls communication because email and chat carry the decisions that never make it into formal records. It controls calendars because meetings reveal relationships, priorities, and business rhythm.
It also controls retention. If a document is deleted, archived, held for legal discovery, restored from backup, indexed for search, or exposed to an AI assistant, the office suite is usually involved.
That makes it a security boundary.
If you would not casually outsource your production database without understanding the controls, you should not casually outsource your knowledge base either.
AI raises the stakes
Before AI, the office suite stored business knowledge. Now it can act on that knowledge.
That changes the risk profile.
An AI assistant connected to your documents, email, calendar, and chat can be useful. It can summarize meetings, draft replies, find policies, prepare briefs, and route work. But it also creates a new question: who gets to process the memory of the company?
If the workspace is fully rented, the AI path is usually rented too. The provider defines what features exist, what gets indexed, what logs are kept, what administrators can see, and what product changes arrive next quarter.
Again, that may be fine. But it should be a decision, not an accident.
What an owned workspace looks like
An owned workspace does not mean you write every line of software yourself. It means you can make enforceable decisions about where your data lives, who can access it, how it is backed up, how it is searched, and which AI systems can touch it.
For some teams, that may mean self-hosted file collaboration with tools like Nextcloud and browser-based document editing with Nextcloud Office or Collabora. For others, it may mean a regional managed provider, a hybrid workspace, or only moving the most sensitive workflows.
The important part is not the logo. The important part is control.
Can you restore the system without the vendor? Can you export the data cleanly? Can you audit access? Can you block a feature that processes data globally? Can you keep sensitive AI workflows inside your own boundary? Can you explain the architecture to a customer without hand-waving?
Those are the questions.
You do not have to move everything
The wrong answer is to announce a heroic migration and break the business.
The better answer is to classify the work.
Some data can stay in mainstream cloud suites. Some data should move to a controlled workspace. Some data should never touch AI at all until the governance is ready.
A small firm might start by moving board materials, client workpapers, legal files, security documentation, or AI retrieval libraries into a sovereign workspace while leaving everyday email and calendars alone. That is still progress.
Sovereignty is not all or nothing. It is a set of decisions that reduce dependency where dependency creates real risk.
The founder question
For a founder, the practical question is not "Should I leave Microsoft or Google?"
The better question is: where does my company memory live, and who controls it?
If the answer is "a vendor controls almost all of it," you may still choose to stay. But at least make that choice with your eyes open.
The office suite is no longer just office software. It is the nervous system of the company. Treat it like infrastructure.