THE SMART
EV NETWORK.
Skip to main content Skip to footer
Back
Your charge point is not a standalone device. Every session generates data that travels across networks, software layers, and servers managed by companies you may never have considered. Do you know where your charging infrastructure data is going, who has access to it, and what happens when something in that chain goes wrong?
Last Updated: 03 April, 2026

Do You Know Where Your EV Charging Data Is Going?

Written by Will David Last updated: 3 April, 2026

Every time a driver plugs into one of your charge points, data moves. It travels across networks, through software layers, past servers you probably have never thought about, managed by companies you may never have heard of.

Most charge point owners have no idea how far that journey goes.

That was fine once. It is not fine now.

Your Charge Point Is Not a Standalone Device

A charge point connected to the internet is a connected device in the truest sense. It talks constantly to management software, to payment systems, to load management tools, to reporting dashboards.

That communication travels via a data connection. Either a hardwired ethernet or Wi-Fi connection at the site, or a SIM card providing mobile data. In both cases, a third-party company is carrying that traffic. Someone you have contracted with, even if you have never thought of them in those terms.

And that is just the first layer.

Beyond the connection sits the charge point manufacturer's communication architecture, your payment processor, and your charge point management system (CPMS). Each one handles data about your infrastructure, your users, and your money.

The question is: do you know where each of those companies is based, where their systems live, and who is accountable if something goes wrong?

The Problem Runs Deeper Than You Might Think

Before we break down each layer, it is worth stating something that applies to all of them.

What happens to your data if a supplier is acquired? What if they shut down a service without notice? What jurisdiction governs how they handle your data and your users' data?

These questions matter at any time. Right now, they matter more than ever.

The last few years have made one thing impossible to ignore. What happens when the region where a supplier's infrastructure sits becomes unstable? When the engineers maintaining critical systems are not at their desks because the world outside their window has become dangerous? Server continuity and software support do not pause for geopolitical events. But the people behind them are human. If any part of your charging supply chain depends on a team based in an active conflict zone, that is not a theoretical risk. It is a live one.

There is a subtler version of this risk that is easier to miss. A supplier may tell you their servers are hosted in Europe. That may be true. But hosting location is not the same as data control. If the parent company is headquartered in a country whose national laws compel businesses to share data with the state on request, regardless of where the servers physically sit, then a European hosting address offers limited protection. The data may be stored in Frankfurt or Amsterdam, but who can access it, and under what legal framework, is a separate question entirely.

Hosted in Europe is not the same as controlled in Europe. Ask both questions of every supplier in your chain.

The Four Layers of Your Charging Infrastructure

1. Your Charge Point Manufacturer

Most modern charge points use OCPP, the Open Charge Point Protocol, which is widely understood to prevent vendor lock-in and protect asset owners. But as we explored in our previous blog on OCPP vs proprietary protocols, "OCPP compliant" does not always mean what it sounds like.

Some manufacturers route communications through their own cloud gateway, an undisclosed layer sitting between your charge point and your management software. Your data passes through their servers. Servers you did not choose, in locations you may not know, subject to laws that may not be your own.

2. Your Connectivity Provider

Behind every SIM card or managed network connection is an operations team, a network infrastructure, and a set of routing decisions. If traffic is being routed through infrastructure in less stable or less regulated parts of the world, that risk sits quietly inside your network. Three contracts removed from you, but yours to deal with when something fails.

For public sector operators, fleet managers, and critical infrastructure owners, a connectivity failure in the underlying network becomes your operational problem, regardless of where the root cause lies.

3. Your Payment Solution

Every contactless payment, every in-app transaction, every open-access session generates financial and personal data. That data passes through a payment gateway, and PCI DSS compliance is a baseline, not a complete answer.

Your users' payment details, charging history, and location at specific times are personal data under UK GDPR. You are the data controller. You are responsible for understanding where it goes and who can reach it.

4. Your Charge Point Management System

Your CPMS is the operational core of your charging network. Access control, tariff management, load balancing, reporting, fault management. Everything passes through it.

Is it built and maintained by a UK-based team, or is it a UK brand name fronting a platform developed and operated elsewhere? Is the company independent, or a subsidiary of a larger international group whose priorities may not align with yours? For government bodies, NHS trusts, and enterprise operators, these are not optional questions. They go directly to supply chain security and the kind of accountability that public sector procurement frameworks are designed to protect.

This Is Not Theoretical

It would be easy to read the above as precautionary. The kind of due diligence that matters in principle but rarely bites in practice.

It is already biting.

In recent weeks alone, we have seen clients experience SIM-based connectivity dropping out, traced back to instability in overseas network management infrastructure. We have seen payment terminal failures linked to issues in software maintained outside the UK. We have heard directly from operators affected by CPMS outages tied to overseas development and hosting dependencies.

These were not hardware failures. The charge points were fine. The problem was somewhere else in the chain. Somewhere the operator had no visibility, no leverage, and no way to escalate.

That is the real risk. Not a compliance checkbox missed on a procurement form. Not a GDPR audit finding. Live infrastructure, offline, because a critical dependency sits in a part of the world where something went wrong and the operator had no way to influence the outcome.

Accreditations matter. Certifications matter. But they are not a substitute for knowing where your infrastructure actually lives and whether the people managing it are reachable, accountable, and operating in a stable environment.

The Questions You Should Be Asking Every Supplier

Use this as a checklist. Put it in your next tender. Send it to your existing suppliers. A supplier with nothing to hide will answer every one of these without hesitation.

Where is your infrastructure hosted?

  • What country are your servers located in?
  • Is your hosting location the same as your country of incorporation?
  • If hosted in Europe, is the parent company subject to any laws requiring data disclosure to a foreign government?

Who is managing it and from where?

  • Where is your development and engineering team based?
  • Where are your network operations managed from?

What data are you handling and how?

  • What data passes through your systems and at what point?
  • Are there any undisclosed intermediary layers between my infrastructure and your platform?
  • What are your data retention policies?
  • Are you UK GDPR compliant and can you provide evidence?

Can you prove your credentials?

  • What certifications do you hold (ISO 27001, PCI DSS, etc.)?
  • Are you accredited on any government procurement frameworks?
  • Who are your existing public sector or enterprise clients?

Clenergy EV: Built Here, Accountable Here

We ask these questions ourselves, and we are confident in every answer.

Clenergy EV is a fully independent British company, founded in Wales and headquartered in Pencoed. Every member of our team, developers, helpdesk, field engineers, accounts, is directly employed by Clenergy EV, based in the UK, and fully security vetted. Our platform runs on AWS London. The data we control, your network data, session data, and management data, stays in the UK. Where we use specialist subprocessors such as payment providers, we do so transparently and ensure they meet the same standards we hold ourselves to.

We hold ISO 9001, ISO 14001, and ISO 27001 certifications. We are accredited on the Crown Commercial Service framework and G-Cloud. We already manage infrastructure for some of the largest fleets and biggest organisations in the UK.

We are not a global platform retrofitted for the UK market. We built this here. We invested here. We are answerable here.

The World Has Changed. Your Questions Should Too.

Understanding your supply chain has always been good practice. Right now, it is essential.

The questions above are not difficult to ask. A supplier with nothing to hide will answer them without hesitation. One that cannot answer them clearly is telling you something important.

If you want to understand how Clenergy EV approaches data security, UK infrastructure, and supply chain accountability, use the form below to get in touch or book a meeting with Michael Nixon.

Your infrastructure is only as secure as the weakest link in your supply chain. Now is the time to find out where yours are.

Contact Us
Share via:
More from the industry View more