Insights

Compliance Data Ransom: How Are Export Fees Not Illegal?

0
 min read
July 17, 2026
By 
Lenny DeFranco

Data ransom is alive and well in compliance technology today. In the US, it’s even legal.

It’s a fact that stuns a lot of compliance officers when they learn about it. We know; we’ve been on the phone with some of them while they’re still coming to terms with it.

“It’s a $70,000 hostage situation,” said the CCO of one boutique firm trying to extract 1,342 gigabytes of data from a legacy vendor.

“That five-digit exit fee… I’m not even going to vent with you about that,” said the CFO of a small RIA, barely able to contain his ire.

“I don’t know how they get away with that,” said one VP trying to leave the same platform.

The answer, to put it simply, is that holding a firm’s data hostage is legal in the US. And since legacy vendors, unlike AI-native vendors, can do nothing else useful with a firm’s data, some have apparently concluded that the most productive use of their customers’ data is to hold it as leverage to artificially drive up switching costs.

“I think they snuck it into a contract extension. It wasn’t in the original contract,” lamented one incredulous Head of Compliance learning of his data egress fee.

“It’s a good way to burn bridges with your customers.”

Hadrius agrees, which is why we never charge data export fees for anyone migrating off our platform.

Data export fee calculator

Does your compliance solution charge an export fee? See how much you’ll owe to take your own firm’s data back.

Exit Cost Calculator
Hadrius
Cost Calculator

Data Exit Cost Calculator

Estimate the cost to export your data.

TB
$
Data volume 3,000 GB
Total Exit Fee
$150,000

Exit fee = data (TB) × 1,000 GB × cost per GB

How much do exit fees cost?

The number we see most commonly across the compliance archiving industry is $50 per GB, which is $50,000 per TB. 

Source: "The CCO's Guide to Evaluating Compliance AI"

Considering the nearly negligible physical costs of exporting a gigabyte of data, this egress fee is essentially infinite markup on a service that provides no incremental value to you, the customer.

What legacy vendors see as an inert mass of data, Hadrius understands as years of decisions and context.

Of course, the per-GB charge rarely accounts for the full cost. Vendors commonly layer on things like professional services fees, often $250–$300/hour, for their team to assemble the export or run a compliance search on your behalf. They throttle extraction, processing as little as a terabyte a week, stretching a migration that should take days into a project that takes months.

The effect is to punish the vendor’s longest-tenured customers, since the total export fee is a function of how much you've archived.

Especially egregious is the fact that none of this is surfaced up front. It shows up in the contract's fine print, or not at all until you try to leave — which is precisely why it functions as a switching cost rather than a service fee.

Why US law permits data ransom

It’s a question we hear often: “How is this even legal?”

The truth is, it probably shouldn’t be. The European Union has decided as much with the Data Act of 2025. This law, taking effect January 12, 2027, eliminates data egress fees for data processing services operating in the EU.

“In order to ensure a competitive market in the EU,” the European Commission says, “customers of data processing services (including cloud and edge services) should be able to switch seamlessly from one provider to another.”

Under US law, by contrast, holding a firm’s data hostage is legal if they agree to it in a contract.

The data laws we do have generally do not apply to business data. In the US, state regulations like the California Consumer Privacy Act (CCPA) are consumer protection laws. Consumers are defined by the CCPA as “natural persons who are California residents acting in an individual or household capacity.” Firms aren’t consumers. Hence, no legal protection for firm data.

Even in cases where the data of an actual California consumer is in question, the right that CCPA grants is the right to access/portability: a consumer can request the specific pieces of personal information a business holds about them. 

A financial services firm’s communications archive, by contrast, is business data, even if it contains employee or client records. The firm isn't a "consumer," and the vendor relative to that data is a service provider/processor, not a business selling the firm's personal information. Therefore, the entity-level relationship that would trigger CCPA rights is not present.

Why your data is so valuable

Ultimately, data ransom fees exist because legacy compliance vendors do not have better ways to turn your data into a business opportunity. It’s an important distinction between those providers and agentic compliance infrastructure like Hadrius.

Your data is among the most powerful assets you own. As compliance software built from first principles to leverage the capabilities of AI, Hadrius understands this. What older vendors see as an inert mass of information, we understand as years of decisions, context, and audit defensibility — which is exactly the foundation of agentic compliance.

Here’s how it works. Imagine your communications archiving tool flags a suspicious employee email about a trade. With legacy comms archiving, you will review this email with minimal context. With an AI-native archiving built atop an interconnected system of record, your compliance AI agent will be able to not only read the email contextually (actually understanding what it says) but cross-check the email against the employee’s trading activity, a relevant item in their U4, and other documents — and then serve it all up for your review.

The AI agent can’t do all this information-gathering if the data is siloed in point solutions; it needs to be in one interconnected system of record. Even the most powerful AI can’t help you understand data it can’t see.

Your data is what unlocks agentic compliance.

Legacy vendors, with bolted-on AI and narrow specializations, don’t know this. To them, your data is digital refuse governed by some retention policy. It’s no wonder they charge you export fees; to them, data is a cost center.

Demand better. The compliance providers who truly know how to leverage your data for your benefit have modern, AI-native data policies. Hadrius, for example, doesn't charge any export fees and we never train our system on your data. We have those policies because we understand how important data is to your compliance program.

Don’t wait for the law to catch up with an egregious business practice. Before you face a migration fee yourself, double-check your contract and ask your vendors what their data policy is. If they’re not doing enough to leverage your data today, there’s a good chance they’ll spring an unpleasant surprise on you when you migrate to a vendor who does.

Click here to read “The CCO’s Guide to Evaluating Compliance AI”

Share this article

Insights that Move Compliance Forward

Explore new ideas, proven strategies, and technology that’s transforming how firms stay compliant.

Enter your email below to opt-in
Unsubscribe anytime. By submitting, I agree to the terms and conditions of Hadrius.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
hadrius logo icon

We are Hadrius.

Hadrius is built for financial services compliance teams that demand more from their technology. Our privacy-first, policy-aware AI compresses review cycles, eliminates noise, and produces regulator-grade evidence on demand.

One vendor. One system of record.