Skip to main content
MEGA logo

MEGA

Verified

“New Zealand-governed, Hong Kong-owned β€” but its data sleeps in the EU.”

Operating HQ
πŸ‡³πŸ‡Ώ Auckland, New Zealand
where it's run
Legal domicile
πŸ‡³πŸ‡Ώ New Zealand
where it's incorporated
Ultimate parent
πŸ‡­πŸ‡° Hong Kong
Where data lives
πŸ‡ͺπŸ‡Ί EU only (no US)
Encryption
Zero-knowledge
Users
300M+
36/100
Sovereign: Not
Control ↑
19
Data β†’
53

36 = midpoint of Control 19 & Data 53

ConfidenceMedium (72%)

Sovereignty Quadrant

Control ↑ who owns & governs the company  Β·  Data β†’ where your data lives. Every dot is a company β€” click to open it.

Where your data lives β†’ Who controls the company β†’ 7 companies Β· fully non-EU (0/0) TikTok β€” Data 32, Control 24 Google β€” Data 16, Control 14 Youtube β€” Data 14, Control 16 Ionos β€” Data 90, Control 90 Disneyplus β€” Data 16, Control 12 Telegram β€” Data 34, Control 14 Carrefour β€” Data 100, Control 32 Corriere β€” Data 100, Control 100 Microsoft β€” Data 26, Control 14 Amazon β€” Data 14, Control 10 Amazon β€” Data 66, Control 0 Reddit β€” Data 14, Control 10 Netflix β€” Data 24, Control 20 LinkedIn β€” Data 14, Control 16 Reuters β€” Data 26, Control 0 Pinterest β€” Data 12, Control 12 Discord β€” Data 16, Control 20 AliExpress β€” Data 18, Control 12 Twitch β€” Data 18, Control 16 Samsung β€” Data 62, Control 4 Canva β€” Data 24, Control 20 Spotify β€” Data 30, Control 68 Apple β€” Data 16, Control 16 GitHub β€” Data 16, Control 10 Uber β€” Data 16, Control 16 Salesforce β€” Data 20, Control 14 Deepl β€” Data 70, Control 78 Airbnb β€” Data 18, Control 18 Shopify β€” Data 18, Control 18 Mastercard β€” Data 36, Control 16 Dropbox β€” Data 14, Control 10 HubSpot β€” Data 24, Control 10 Notion β€” Data 22, Control 16 Stripe β€” Data 30, Control 30 Zalando β€” Data 52, Control 88 Figma β€” Data 18, Control 10 SAP SE β€” Data 68, Control 78 Atlassian β€” Data 18, Control 18 Proton β€” Data 72, Control 54 Miro β€” Data 100, Control 44 Klarna β€” Data 44, Control 42 Ecosia β€” Data 60, Control 92 Zoom β€” Data 20, Control 14 Adyen β€” Data 84, Control 84 GitLab β€” Data 26, Control 14 Slack β€” Data 14, Control 20 Hetzner β€” Data 84, Control 96 Deezer β€” Data 62, Control 66 Typeform β€” Data 100, Control 52 OVHcloud β€” Data 82, Control 94 Tutanota β€” Data 100, Control 100 BlaBlaCar β€” Data 54, Control 76 Qwant β€” Data 56, Control 88 Bitwarden β€” Data 28, Control 20 Contentful β€” Data 34, Control 48 Personio β€” Data 34, Control 58 Ikea β€” Data 34, Control 100 Whatsapp β€” Data 14, Control 12 Instagram β€” Data 28, Control 22 X β€” Data 14, Control 16 Avast β€” Data 60, Control 0 Paypal β€” Data 24, Control 32 Kaspersky β€” Data 56, Control 0 Dailymotion β€” Data 100, Control 74 Snapchat β€” Data 12, Control 14 pCloud β€” Data 60, Control 52 Tresorit β€” Data 52, Control 62 53 19 MEGA
MEGA β€” verified peers β€” automated estimate (0–50 pillars, normalized)

Every number below traces to 16 sourced facts across 7 independent sources, last verified 2026-06-12. 4 open questions hold confidence at 72% β€” they lower confidence, never the score.

Control ↑

Who legally and economically controls the company

19/100
8 facts Β· 5 sources Β· mixed confidence
Legal & Jurisdiction
22

Operating entity is incorporated in New Zealand (Mega Cloud Services Limited) and the terms are governed exclusively by New Zealand law and arbitration. EU law reaches MEGA only indirectly via GDPR's extraterritorial scope (it serves and processes EU users), not via establishment or enforceable domicile. No EU operating entity holds the service. Scores low because the controlling legal home is firmly outside the EU.

Why 22? 4 sourced facts · click to expand
Mega Cloud Services Ltd, Auckland, inc. 29 Nov 2012

Operating entity incorporated in New Zealand

businesscheck.co.nz (NZ registry data) Β· as of 2026-06-12

New Zealand law + arbitration

Service governed by NZ law and arbitration exclusively

CyberInsider MEGA review Β· as of 2026-06-12

GDPR-compliant globally

Claims GDPR compliance for all users worldwide despite non-EU domicile

WHTop MEGA review Β· as of 2026-06-12

Level 21, Huawei Centre, 120 Albert St, Auckland

Registered office is a foreign-tenanted Auckland tower (Huawei Centre)

businesscheck.co.nz Β· as of 2026-06-12

Control & Ownership
15

Voting and economic control sit outside the EU. The NZ operating company is 99.83%-owned by Hong Kong-based Cloud Tech Services Limited, named as the ultimate holding company. Behind that, control traces to Chinese investors (Li Zhi Min ~43%, Yang Jianhong ~24% per the 2015 majority-control raise) and the company's Megaupload/Kim Dotcom origins. Privately held, no listing. Zero EU voting or economic majority.

Why 15? 4 sourced facts · click to expand
Cloud Tech Services Ltd, Kowloon HK β€” 99.83%

Hong Kong holding company owns 99.83% and is the ultimate parent

businesscheck.co.nz (NZ registry data) Β· as of 2026-06-12

Li Zhi Min 43%, Yang Jianhong 24%

Chinese investors took majority control in 2015 raise

NZ Herald Β· as of 2015-08

Dotcom origin, exited 2015

Founded by Kim Dotcom as Megaupload successor; he severed ties in 2015

Wikipedia (Mega service) Β· as of 2026-06-12

Private, ~18 shareholders via HK holdco

Privately held; no public listing venue

NZ Herald Β· as of 2015-08

Data β†’

Where your data lives and who can reach it

53/100
8 facts Β· 5 sources Β· mixed confidence
Data & Infrastructure
62

Unusually strong for a non-EU company. User files are stored only in jurisdictions the European Commission deems adequate under GDPR Art. 45 β€” Belgium, France, Germany, Luxembourg, Netherlands, Spain, Sweden, plus Canada and Japan β€” and MEGA states none of your files are stored in or served from the US, removing direct CLOUD Act exposure. CloudRAID datacentres are concentrated in the EU. Critically, encryption is client-side/zero-knowledge: keys never leave the user's device, so even the operator cannot decrypt content. Held below 80 because the infrastructure is operated by a non-EU-controlled company and provider/datacentre operators are mixed (some leased, e.g. EU colocation), not EU-sovereign-owned, plus latency copies can transit other countries (e.g. Mongolia).

Why 62? 4 sourced facts · click to expand
BE, FR, DE, LU, NL, ES, SE, CA, JP; no US

Files stored only in GDPR Art. 45-adequate jurisdictions; none in the US

CyberInsider MEGA review Β· as of 2026-06-12

LU, DE, FR, NL, ES, BE (+CA, soon SE)

CloudRAID datacentres concentrated in EU

WHTop MEGA review Β· as of 2026-06-12

E2E, keys stay on device

Client-side zero-knowledge encryption; operator cannot decrypt

CyberInsider MEGA review Β· as of 2026-06-12

Datacenter Luxembourg S.A.

Primary IPs resolve to EU colocation (Luxembourg)

myip.ms Β· as of 2026-06-12

Operations & People
40

Genuinely mixed. Head office and registered domicile are in Auckland, New Zealand (CEO Stephen Hall), with disclosed European operational footholds β€” a European office in Salamanca, Spain and a head office cited in CsomΓ‘d, Hungary, plus representatives in Luxembourg. So real staff and operations touch the EU, but corporate leadership and reporting are NZ-centred. Workforce geography and reporting currency are not EU-anchored, so this lands mid-range rather than EU-centered.

Why 40? 4 sourced facts · click to expand
Auckland, NZ

Head office / HQ in Auckland, New Zealand

Wikipedia (Mega service) Β· as of 2026-06-12

Salamanca ES + CsomΓ‘d HU

European offices in Salamanca (Spain) and CsomΓ‘d (Hungary)

WHTop MEGA review Β· as of 2026-06-12

Stephen Hall, CEO

CEO is Stephen Hall

BusinessDesk (via search) / Tracxn Β· as of 2024-03

300M+ registered users

Large global user base

CyberInsider MEGA review Β· as of 2026-06-12

Aligned to the EU Commission’s official Cloud Sovereignty Framework (SEAL, Jun 2026) β†’

What we don’t know 4 open questions β€” they lower confidence, never the score
  • ?

    Who ultimately controls Cloud Tech Services Ltd (Hong Kong) today, and what are the current beneficial-ownership percentages?

    The 2015 figures (Li Zhi Min 43%, Yang Jianhong 24%) predate the consolidation into the HK holdco; current control could shift the ownership score up or down.

  • ?

    Are MEGA's EU datacentres owned/operated by EU entities, or leased from non-EU or hyperscaler operators?

    If colocation is on US-controlled providers, CLOUD Act exposure could re-enter despite EU geography, lowering the infra score.

  • ?

    Exact current country list and proportion of data by jurisdiction (and the role of latency copies, e.g. Mongolia).

    Affects how cleanly 'EU-resident' the data actually is and whether non-adequate transit occurs.

  • ?

    Whether MEGA has an EU establishment or only a GDPR Art. 27 representative.

    Determines how directly EU regulators can enforce against the company versus relying on extraterritorial reach.

EU Cloud Sovereignty Framework lens

SEAL targets cloud-provider sovereignty; this is an analogous mapping for a consumer/B2B encrypted storage service, not a certification.

Strategic

Strategic control sits with a Hong Kong holding company and Chinese investors; no EU strategic anchor.

weak

Legal & jurisdictional

Incorporated in NZ, governed exclusively by NZ law and arbitration; EU reach is only extraterritorial via GDPR.

weak

Data & AI

Data stored only in GDPR-adequate jurisdictions, never the US; client-side zero-knowledge encryption keeps keys with the user.

strong

Operational

HQ and leadership in NZ, but real operational offices in Spain and Hungary plus EU representatives.

moderate

Supply chain

EU/Canada/Japan datacentre footprint, but operator ownership of those facilities is unverified; some EU colocation confirmed (Luxembourg).

moderate

Technological

Proprietary CloudRAID + client-side crypto with source published for verification, but the platform is closed and non-EU-controlled.

moderate

Security & compliance

Strong zero-knowledge model and stated GDPR compliance; encryption design has historically drawn scrutiny and there's no public EU certification.

moderate

Environmental sustainability

No verified data found on energy sourcing or sustainability commitments.

not assessed
EU alternatives
πŸ‡¨πŸ‡­ Tresorit tresorit.com with caveats

End-to-end encrypted storage with EU/Swiss datacentres and an EU operational base, but owned by Swiss Post (non-EU Switzerland) β€” strong privacy, control not EU.

πŸ‡¨πŸ‡­ pCloud pcloud.com with caveats

Offers EU (Luxembourg) data region and client-side 'Crypto'; Swiss-headquartered, so outside EU jurisdiction though GDPR-aligned.

πŸ‡ͺπŸ‡Έ Internxt internxt.com EU-controlled

EU-incorporated (Valencia) zero-knowledge encrypted storage with EU data residency β€” a genuinely EU-controlled MEGA peer.

How the method works

Methodology v2 (provisional): the score is the midpoint of two axes β€” Control (who owns and governs the company) and Data (where your data lives and who can reach it). Each axis is scored only on verified evidence; unknowns reduce confidence, never the score. Every input below is sourced; the weights and judgments are open to challenge.

Spotted an error? Every claim is sourced β€” challenge it and we correct the record.
  • 2026-06-12 β€” Initial golden profile, authored from primary sources (human + AI review).

Report Incorrect Data

Found an error in this company's profile? Help us improve our data by submitting a correction.

Required so we can follow up if needed. We won't share your email.

Verified 2026-06-12 Β· Human + AI joint review (sources independently checked) Β· Methodology