Data sovereignty in Mauritius: which data should never leave the island?

Not all of a Mauritian company's data needs to stay on the island — but some of it should never leave. A four-level classification grid — public, internal, sensitive, critical — settles the question quickly, and the hybrid model it leads to is now widely endorsed: local cloud for health, security and finance, international hosting for the rest.
A debate that has gone public
In April 2026, a widely noted op-ed by Avinash Meetoo framed data sovereignty as a critical issue for Mauritius, recommending a hybrid model: local cloud for health, security and finance data, international hosting for the rest. The topic has moved beyond technical circles: as government and businesses digitise their services, the question "where is our data, and who can access it?" becomes a matter of public policy as much as of architecture.
For a company, the issue is not ideological but intensely practical: knowing, category by category, what may leave, what may leave under conditions, and what must stay. It is also a negotiating lever: a company that knows the classification of its data negotiates with its cloud providers from a position of strength, clause by clause, instead of accepting general terms wholesale.
The four-level classification grid
There is no need to assess every file one by one: four levels are enough to classify the bulk of a company's information assets.
| Level | Typical examples | Hosting rule |
|---|---|---|
| Public | Website, brochures, press releases | Anywhere — optimise for cost and reach |
| Internal | Working documents, wikis, project management | Your choice, with access control and backups |
| Sensitive | Customer data, HR files, personal data | Locally by preference; every transfer framed and documented |
| Critical | Health, finance, security, trade secrets | On the island, in a private cloud — and never in a public AI |
The "sensitive" level largely overlaps with personal data: the obligations of the Mauritian Data Protection Act — and of the GDPR for anyone serving European customers — apply there. Our practical DPA + GDPR guide to compliant hosting details the rules case by case.
The hybrid model in practice
A reference architecture follows naturally from the grid. A local private cloud hosts the sensitive and critical levels: customer databases, HR files, financial data, core business systems. Public content and globally distributed services rely on international platforms, which are better placed for worldwide delivery. The two worlds communicate over controlled, encrypted and logged links — every outbound flow is a documented choice, not an accident.
This choice is becoming realistic again as the local offering matures: the high-tech zone announced around the Côte d'Or technopole confirms the rise of hosting on the island. We analysed what local hosting really changes in terms of latency, law and costs.
Sovereignty does not mean fragility
Keeping data on the island only makes sense if resilience is taken just as seriously: off-site backups, a disaster recovery plan tested regularly, continuous monitoring and an on-call rota. Cyclone season is a yearly reminder — sovereignty without business continuity is a fragile promise, and our DR checklist ahead of cyclone season covers the practical steps.
That pairing of sovereignty and resilience — local private cloud, automated disaster recovery, monitoring under SLA — is in fact the core of what SOVALYX does: hosting locally, with continuity guarantees that are measured and contractual.
Checklist: classify your data in one week
- Days 1-2 — inventory: list the major data sets (applications, databases, file shares, mailboxes). Aim for complete coverage of data sets, not of individual files.
- Day 3 — classify: assign a level (public, internal, sensitive, critical) to each set, together with the business owners concerned.
- Day 4 — confront reality: check where each set is actually hosted today, who accesses it, and where copies transit.
- Day 5 — list the gaps: critical data hosted off the island, undocumented transfers, copies sitting in SaaS tools or public AIs.
- Then — prioritise: plan migrations by risk level, starting with critical. A conversation with an architect is often enough to scope the work in a single meeting.
How SOVALYX can help
SOVALYX can run this classification exercise with you: the infrastructure & AI diagnostic inventories your data sets, checks where they are actually hosted and flags copies sitting in SaaS tools or public AIs. Your sensitive and critical levels belong in our resilient private cloud hosted in Mauritius, with internal private LLMs so that no data ever leaves for a public AI. And because sovereignty without continuity is a fragile promise, the baseline includes an automated, regularly tested disaster recovery plan and 24/7 monitoring under SLA.
Talk sovereign hosting with an engineer🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.
Reviewed and optimised by AI.