| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-0 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | ALWAYSDATA SARL is incorporated in Paris (91 rue du Faubourg Saint-Honore, 75008), a wholly French private company founded in 2006 with no non-EU parent (src: https://www.alwaysdata.com/en/). |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Small founder-run French SARL with no external/non-EU investors disclosed; takeover by a non-EU sovereign entity appears very unlikely, though a small private firm could in principle be acquired. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | As a small provider, roadmap is set internally; customers can influence via support/community channels but there is no formal EU governance body. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Self-funded/bootstrapped French SARL (capital EUR 200k) with no disclosed non-EU capital; funding is effectively entirely EU-based. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | medium | All staff, infrastructure and revenue base are in France; economic contribution is fully within the EU. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | Markets itself as 'the European Cloud' and hosts public-sector/academic clients (Academic Cloud), but no evidence of formal participation in Gaia-X or IPCEI-CIS; limited participation at most. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Positions explicitly as a sovereign European host with an OSS and decarbonised-energy posture (an action plan), but no measured achievement or dedicated sovereignty governance is published. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | low | own_stack (owns its servers/storage/network AS60362, all-OSS stack, in-house tooling on EU colocation, documented ability to internalise/source alternatives) -> SOV-1.8 opt5 'Full autonomy and continuity'; only residual non-EU dependency is commodity chips/hardware. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | A French SARL operating solely in France; the service is governed exclusively by EU/French law with no non-EU jurisdictional nexus (src: https://www.alwaysdata.com/en/). |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with structural separation but immunity NOT certified (no SecNumCloud 3.2 / EUCS-High) -> SOV-2.2 opt4 'Legal structures shielding from foreign law' (seal 2); this is the SEAL-2 ceiling on the legal axis. |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent (pure-FR, no US/CN nexus) and no compelled-access pathway; foreign demands go via EU MLAT and would be rejected -> SOV-2.3 opt5 (seal 4). |
| SOV-2.4 | Export control restrictions | 4. Part of offer shielded from restrictions towards EU MSs | 125/167 | SEAL-3 | low | Pure-FR provider serving EU with no foreign-controlled tech subject to export restrictions; the offer is shielded from restrictions toward EU Member States -> SOV-2.4 opt4 (seal 3). |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform IP (admin interface in Django, orchestration, tooling) is developed in-house in France; underlying components are third-party open source, so IP origin is mostly within the EU. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Alwaysdata's own IP is held by the French SARL under French/EU law; the OSS it uses is permissively licensed and not subject to a controlling non-EU IP holder. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | low | Managed PaaS where the provider operates the platform and can technically access stored data; no customer-held-key/hold-your-own-key offering is advertised, so control is primarily provider-side. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Provides access/activity logs through the admin panel but these are vendor-controlled and not positioned as real-time independently-auditable oversight. |
| SOV-3.3 | Secure deletion & proof of erasure | 2. Manual confirmation only | 50/200 | SEAL-1 | low | Data is deleted on account closure per policy but there is no published cryptographic proof-of-erasure or independent verification; manual confirmation at best. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: production (Equinix) and backups (Digital Realty/Interxion) all in the Paris region, exclusively France, no third-country fallback -> SOV-3.4 opt5 (seal 4) (src: https://blog.alwaysdata.com/2021/03/18/handling-the-disaster-as-a-cloud-provider/). |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope AI service offered -> no foreign-AI dependency; per key judgment call (absence of AI), SOV-3.5 opt4 (seal 3). Customers may self-host OSS models but that is not a provider AI service. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Open-source-based PaaS with standard languages, MariaDB/PostgreSQL and standard export tooling (SSH/SFTP/dumps), giving documented standard data-export and portability with no proprietary lock-in. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | Entire stack is operated by the small French team; there are no non-EU operations teams involved in running the service. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Staff are based in France (100% remote within the country); all engineering/support skills sit in the EU, though there is no stated security-clearance regime. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support is provided directly by the French team ('100% human' service with a DPO) entirely within the EU. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation and knowledge base are maintained in France/EU (French and English); EU is the primary repository with no evidence of non-EU dependency. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Key suppliers are colocation (Equinix/Interxion) and commodity hardware; because it owns its equipment and runs OSS, it could source alternative facilities/suppliers and internalise functions if needed. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Publishes architecture details (paired switches/routers from two manufacturers, RAID1 SSDs) but does not provide a full component bill of materials, so disclosure of physical-component origin is only partial. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Servers and network gear are standard commodity hardware manufactured abroad (foreign chips/boards); manufacturing is of foreign origin with only partial disclosure. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode on the commodity servers, switches and storage is foreign and proprietary with no full provenance disclosure; partial at best. |
| SOV-5.4 | Origin of software | 5. Exclusively designed/maintained by EU teams | 143/143 | SEAL-4 | medium | NOT foreign_core: platform is exclusively OSS + in-house Django tooling maintained by the EU team, no licensed Google/MS/AWS core -> SOV-5.4 opt5 (seal 4), no SEAL-2 software ceiling. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Software is developed and released by the French team on EU-controlled infrastructure (their own GitHub-published projects and admin platform); EU control and execution, without an evidenced formal EU policy-gate regime. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | Depends on a few non-EU-headquartered but EU-located critical facilities (Equinix, Digital Realty/Interxion datacentres) and foreign hardware vendors; these are documented critical dependencies. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Primary suppliers (Equinix, Interxion) are large certified colocation operators subject to audit, but the full hardware supply chain is not represented as fully auditable; critical suppliers auditable. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Built on standard open protocols (SSH, SFTP, HTTP, standard SQL, WebDAV) with broad language/runtime compatibility, making it standards-based and broadly interoperable. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Core services run on open standards and open-source engines across the stack, reflecting a de facto policy of open standards for most core services. |
| SOV-6.3 | Open source availability | 5. Fully open-source, independent/EU governance | 200/200 | SEAL-4 | high | The infrastructure relies exclusively on open source (OS, HTTP, databases, mail, AV), the admin UI uses Django, and the company publishes its own code under open-source licences on GitHub. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Publishes a public architecture/help corpus and blog describing the platform's design; some meaningful public insight, though not customer-extensible source. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No in-scope HPC offering -> no imported black-box HPC dependency; per key 'no in-scope HPC' maps to SOV-6.5 opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 1. EAL0 / none | 0/143 | SEAL-1 | medium | No certifications held (no SecNumCloud / EUCS / C5 / ENS / ISO 27001 / EAL) -> EAL0/none -> SOV-7.1 opt1 (seal 1). A genuine SEAL-1 floor: no cert to map to EAL3-equivalent. Unlike the SecNumCloud-IaaS members of the cluster, Alwaysdata has no SecNumCloud basis, so per directive it is not inflated. |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | low | GDPR-aware with a named DPO and EU-only hosting, but no independently audited NIS2/DORA compliance or published certifications, indicating moderate compliance. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | No dedicated 24/7 SOC is advertised; security/incident handling is done by the small French team, best characterised as a hybrid/limited EU capability rather than a full EU SOC lifecycle. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get a monitoring/admin portal with logs and metrics, but not full immutable tamper-proof EU-stored security logging guarantees; basic monitoring portal. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | As an EU provider it is bound by GDPR/NIS2 breach-notification duties; disclosure is moderate and regulation-aligned without an evidenced real-time CSIRT-sharing SLA. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operates its own infrastructure and OSS stack, giving moderate maintenance autonomy (it schedules and tests its own updates, subject to upstream vendor firmware/zero-day constraints). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: no certification bodies, no contractual full-audit regime advertised; per key, audits only via (absent) certification bodies -> SOV-7.7 opt2 (seal 1). SEAL-1 floor. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Hosts in Equinix/Interxion Tier-grade Paris datacentres that typically run modern PUE around 1.3-1.5 with efficiency roadmaps, but Alwaysdata publishes no specific PUE figure (src: https://www.alwaysdata.com/en/green-it/). |
| SOV-8.2 | Hardware reuse & recycling | 2. Basic circular practices | 63/250 | SEAL-0 | low | Demand-based 'minimum stock' ordering and long-lived hardware are basic circular practices, but no documented hardware reuse/recycling program is published (confirmed on the environment page) -> SOV-8.2 opt2 'Basic circular practices' (seal 0). This is the overall SEAL-0 gate (src: https://www.alwaysdata.com/en/green-it/). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | Calculates annual emissions to fund offset projects (offsetting 200% of GHG emissions) and publishes green documentation, amounting to an annual environmental report (src: https://www.alwaysdata.com/en/green-it/). |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | medium | All infrastructure is in France, explicitly chosen for 'the most decarbonised energy in Europe', so energy is EU-sourced with a high renewable/low-carbon (nuclear+renewables) mix (src: https://www.alwaysdata.com/en/green-it/). |