Cubbit

What Is Cubbit?

Most cloud storage providers keep your data in one data centre. If that facility goes down, your data goes with it — unless you pay for cross-region replication. Cubbit takes a fundamentally different approach. The Bologna-based company encrypts every file, splits it into fragments, and distributes those fragments across multiple certified data centres in your chosen EU regions. No single location holds a complete copy of anything. The result is storage that is sovereign, resilient, and architecturally resistant to single points of failure.

Founded in 2016 as a spin-off from the University of Bologna, Cubbit has grown into a team of over 60 people serving more than 400 organisations. The investor list reads like a who's who of European institutional trust: CERN, the European Commission (via Horizon 2020), Barclays, CDP Venture Capital, and Techstars. That backing signals something beyond typical venture confidence — scientific and governmental institutions have validated the underlying technology.

Cubbit operates two products. DS3 Cloud provides instant access to geo-distributed storage through a managed service, with data stored in partner-certified data centres across the EU. DS3 Composer is a software-defined storage solution that organisations can deploy on their own infrastructure for fully self-hosted sovereign storage. Both are 100% S3-compatible, meaning migration from AWS, Wasabi, or any S3-based provider requires no code changes.

The target market is organisations that need more than simple storage — those facing regulatory requirements around data residency, backup immutability, and compliance with frameworks like NIS2 and DORA. Healthcare providers, financial institutions, government agencies, and managed service providers make up the bulk of Cubbit's customer base.

Key Features

Geo-Distributed Architecture

Cubbit's core differentiator is its data distribution model. When a file is uploaded, it is encrypted client-side, split into multiple fragments using erasure coding, and distributed across geographically separate data centres. The mathematics ensure that data can be reconstructed from a subset of fragments — if several nodes go offline simultaneously, the remaining fragments are sufficient for full recovery. This provides multi-region resilience without the cost and complexity of traditional cross-region replication. Organisations get geographic redundancy included in the base price, not as a premium add-on.

Geo-Fencing Controls

Sovereignty is not just about keeping data in Europe — it is about controlling exactly where in Europe. Cubbit's geo-fencing feature allows administrators to specify, per bucket, which regions may store data fragments. A French healthcare provider can restrict fragments to French and German data centres. An Italian financial institution can mandate storage exclusively within Italy. This granularity matters for organisations navigating different member-state interpretations of GDPR and sector-specific data localisation laws.

DS3 Cloud and DS3 Composer

DS3 Cloud is the managed service: instant provisioning, S3-compatible endpoints, and a web console for bucket management. Cubbit handles infrastructure, certifications, and maintenance. DS3 Composer, by contrast, ships the geo-distributed storage technology as a software licence that organisations deploy on their own hardware. Composer appeals to enterprises and service providers who need complete infrastructure control or want to build sovereign storage services on top of Cubbit's technology.

Immutable Backups with Object Lock

For backup workloads, Cubbit supports S3 Object Lock in both Governance and Compliance modes. Locked objects cannot be modified or deleted during their retention period, providing ransomware protection that meets regulatory requirements. The integration with Veeam Backup & Replication enables enterprise backup teams to use Cubbit as a validated immutable storage target without custom development.

Zero Hidden Fees

Cubbit's pricing model uses a single flat rate per terabyte per month. Egress fees, API call charges, deletion fees, and bucket replication costs are all zero. The company claims savings of up to 80% compared to hyperscalers, though actual savings depend on access patterns. For organisations whose AWS bills are inflated by egress charges and cross-region replication fees, the savings are genuine and significant.

Pricing

Cubbit does not publish per-terabyte rates on its website, directing potential customers to request a quote instead. This quote-based approach is common in enterprise storage but creates friction for teams doing initial cost comparisons. The company's marketing claims savings of up to 80% versus AWS S3, which would position pricing somewhere between EUR 3 and EUR 7 per terabyte per month depending on volume and commitment.

Both DS3 Cloud and DS3 Composer are priced per terabyte per month with no egress or API fees. DS3 Cloud includes managed infrastructure and certifications in the rate. DS3 Composer pricing reflects the software licence alone — infrastructure costs are separate and depend on the customer's deployment.

Enterprise plans add dedicated account management, priority support, SLAs, and compliance consulting. Volume discounts are available for large deployments. For organisations comparing Cubbit against Impossible Cloud (EUR 7.99/TB) or Wasabi ($6.99/TB), the unpublished pricing requires a sales conversation that could have been avoided with transparent rates.

The lack of a free tier or self-service trial means evaluation requires engagement with the sales team. For smaller organisations or developers exploring options, this adds a barrier that competitors with public pricing do not impose.

EU Compliance & Privacy

Cubbit holds ISO/IEC 27001:2022 and ISO 9001 certifications, demonstrating audited information security and quality management systems. As Cubbit S.r.l., an Italian company, all operations fall under EU jurisdiction with no exposure to US legal access mechanisms.

The geo-distributed architecture provides a compliance advantage beyond certifications. Because data fragments are distributed across multiple locations, no single data centre operator — even if compelled by a local authority — holds enough data to reconstruct meaningful information. This architectural data protection layer complements legal and organisational measures.

Cubbit explicitly supports compliance with NIS2 and DORA requirements, which are increasingly mandatory for organisations in critical infrastructure and financial services sectors. The geo-fencing capability enables per-regulation data residency controls, satisfying member-state-specific requirements without separate storage deployments.

GDPR compliance covers data processing agreements, data subject access request support, and transparent data handling documentation. For healthcare organisations in France, Cubbit's partners operate HDS-certified data centres, enabling health data storage that meets national regulatory requirements.

Who It's Best For

Regulated enterprises in finance, healthcare, or government where NIS2, DORA, or sector-specific data localisation laws mandate demonstrable sovereignty and certified security. The ISO 27001 certification and geo-fencing controls satisfy compliance teams.

Backup-focused IT teams needing immutable, geographically distributed backup storage. The combination of Object Lock, geo-distribution, and Veeam compatibility provides enterprise-grade data protection at a fraction of hyperscaler cost.

Managed service providers building sovereign storage offerings for European clients. DS3 Composer enables white-label deployments on the MSP's own infrastructure.

Organisations with unpredictable access patterns that currently pay significant egress fees. The flat-rate, zero-egress model eliminates cost uncertainty.

The Verdict

Cubbit offers something genuinely different in the European storage market: geo-distributed architecture that provides multi-region resilience and sovereignty by design, not as a bolt-on feature. The CERN and European Commission backing lends credibility that marketing budgets cannot buy. The ISO certifications, NIS2 alignment, and geo-fencing controls make it a strong fit for regulated industries. The limitations matter, though. Quote-based pricing creates unnecessary friction, the geo-distributed approach introduces latency for some workloads, and the ecosystem is smaller than established alternatives. For organisations where sovereignty and resilience outweigh ecosystem breadth, Cubbit's architectural approach is a compelling differentiator.

Frequently Asked Questions

Is Cubbit GDPR compliant?

Yes. Cubbit S.r.l. is an Italian company with ISO/IEC 27001:2022 certification. All data is stored in certified EU data centres, and geo-fencing allows you to control exactly which regions store your data fragments. Data processing agreements and DSAR support are included.

How does Cubbit's geo-distributed storage differ from standard S3?

Standard S3 stores data in a single region by default. Cubbit encrypts, fragments, and distributes data across multiple EU data centres automatically. This provides multi-region resilience without the additional cost of cross-region replication, and no single location holds a complete copy of your data.

What is the connection between Cubbit and CERN?

CERN is both an investor and partner. The European Commission also backed Cubbit through Horizon 2020 funding. This institutional support validated the geo-distributed storage technology at a scientific and governmental level.

Can I use Cubbit with Veeam for backups?

Yes. Cubbit supports Veeam Backup & Replication with S3 Object Lock for immutable backups. The integration requires Veeam version 9 or higher and supports both Governance and Compliance lock modes for ransomware protection.

What compliance frameworks does Cubbit support?

Cubbit holds ISO/IEC 27001:2022 and ISO 9001 certifications. The platform aligns with GDPR, NIS2, and DORA requirements, and partner data centres support HDS certification for French healthcare data. Geo-fencing enables per-regulation data residency controls.