| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (Austrian Anexia Holding GmbH, 100% founder-owned by Alexander Windbichler, HQ Klagenfurt, no non-EU parent) -> SOV-1.1 opt4 (entirely within EU). (src: https://anexia.com/en/company/about-anexia) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Founder Alexander Windbichler remains 100% owner and CEO; privately held with no external/non-EU investors, making a takeover by a non-EU sovereign entity very unlikely. |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | high | EU-controlled with own in-house R&D: Anexia develops the Engine platform and KVM stack in-house and the EU owner/management hold full roadmap authority -> opt4 (full EU influence). |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Privately, founder-owned Austrian company financed without external/non-EU capital; funding is entirely EU-based (self-financed PV park, EU credit standing). |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | Roughly 400 staff and HQ/main operations in Austria mean the majority of economic value and employment is in the EU, though it serves clients globally and has a US office. |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | high | CEO holds a seat on the CISPE board and Anexia is active in the CISPE Sovereign Cloud Committee and Gaia-X trust-label efforts, indicating strong participation in EU strategic programs. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Public sovereignty positioning, CISPE governance role, ISO programs and own PV park show measured achievement and dedicated governance aligned with EU industrial strategy, though without a hyperscale-level investment program. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | medium | own_stack-leaning: EU provider running its own KVM/Engine software in Austrian DCs; not dependent on a foreign parent and removed the VMware core, but residual non-EU hardware vendors mean ability to source alternatives/internalise rather than full autonomy -> opt4 (seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Austrian/EU legal entities; the offering is governed exclusively by EU/Austrian law -> opt3 (exclusively EU law). (src: https://anexia.com/en/software-development/working-with-anexia/privacy-and-security) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with structural separation but NO certified immunity (no SecNumCloud/EUCS-High) and a non-EU operational nexus (NYC office, 100+ DC locations in 70 countries) -> legal structures shielding from foreign law, opt4 (seal 2); not verified statutory immunity. (src: https://anexia.com/en/company/about-anexia) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: pure-EU entity; Anexia publicly asserts only the European legal system applies and the CLOUD Act has no power over its services, so it would reject non-EU compelled-access requests as lacking legal basis -> opt5 (requests always rejected). (src: https://anexia.com/blog/en/how-cloud-computing-from-europe-secures-your-digital-sovereignty/) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | EU-headquartered with majority of revenue from European customers and no indication of export restrictions toward EU member states; specific shielding mechanisms toward intl orgs not documented -> opt3. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core IP is the self-developed Anexia Engine and KVM-based platform 'made in Austria'; management/orchestration software IP is mostly EU-origin, though underlying hardware IP is non-EU -> opt4 (mostly within EU). |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Anexia's own software IP is held by its Austrian entities under EU law; the proprietary platform IP sits fully under EU jurisdiction -> opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | As IaaS/managed-hosting, customers can manage their own encryption within VMs (customer primary control), but as operator Anexia retains administrative access and can read data; exclusive HYOK is not the documented default -> opt4. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Infrastructure is auditable and monitored, but real-time independently auditable customer access logs are not documented; logs are largely vendor-controlled -> opt3 (seal 2). |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | GDPR/ISO 27001 processes imply policy-based deletion with internal validation, but no published independent proof-of-erasure mechanism -> opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | Not eu_exclusive: 'protected in Europe' with Austrian DCs and EU residency, but a global 100+ location network in 70 countries and NYC office mean EU by default with tightly controlled exceptions, not a hard EU-only no-fallback guarantee -> opt4 (seal 1). [SEAL gate] (src: https://anexia.com/en/global-cloud) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No flagship in-scope proprietary AI service, so no foreign-AI model dependency; per key, absence of in-scope AI -> opt4 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | KVM/Engine virtual data centers use standard documented export/import and documented APIs; standard documented export methods available -> opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | eu_ops: entire stack operated by Anexia's own Austrian/EU teams with 24/7 support from Klagenfurt; no foreign team required -> opt5 (fully EU-managed stack). |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Workforce of ~400 predominantly EU-based (Austria/Germany); engineering/ops skills are EU staff; no published security-clearance requirement -> opt4 (all EU staff, seal 3). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | 24/7 support delivered from Klagenfurt by EU staff; all support EU-based, without documented formal security clearances -> opt4 (all EU support, seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation/knowledge maintained by EU teams in the EU; given a global footprint and US office, EU-primary with possible non-EU fallback -> opt3 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Anexia owns its software and runs its own KVM platform; could re-source non-critical hardware suppliers and internalise over time -> opt4 (ability to source alternatives/internalise, seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Server hardware from standard global OEMs; no detailed published bill of materials for physical components -> opt2 (partial disclosure). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Servers, CPUs and network gear manufactured outside the EU by global vendors; integrated by Anexia but foreign origin with at best partial disclosure -> opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS on commodity servers is proprietary to foreign hardware vendors; provenance at best partially disclosed -> opt2. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: Anexia migrated 12,000 VMs off VMware to a homebrew KVM/open-source platform (Engine + Netcup KVM) by 2024, so the large majority of core platform software is now EU-maintained; residual OS/firmware foreign -> opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Anexia's own platform/KVM software is controlled and built by its Austrian engineering teams -> EU control and EU execution, opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | After dropping VMware, remaining non-EU critical dependency is mainly foreign hardware within an otherwise EU-controlled, documented stack -> opt3 (few non-EU in critical services, documented, seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | ISO 27001 and DPA subprocessor lists make critical suppliers auditable, but not all suppliers down the chain -> opt3 (critical suppliers auditable, seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Standard KVM/IaaS interfaces and the Engine's documented APIs provide partial openness; interoperable with common tooling but not fully open-by-default -> opt3 (seal 2). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Use of common virtualization (KVM) and networking standards implies partial core adoption of open standards, without a published open-standards-by-policy commitment -> opt3 (seal 2). |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | The Anexia Engine core is proprietary/vendor-controlled (client libs/Terraform provider are open, core is not); source-available-strict tier -> opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Anexia publishes architecture/technical insight (Engine architecture blogs, KVM migration writeups, CSA STAR self-assessment, ISO scope) giving some public insight -> opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No EU-designed processor program; any HPC capacity would be EU-hosted in Austrian DCs on a foreign hardware/software stack -> opt2 (EU-hosted foreign stack / no in-scope HPC, seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | medium | Certs are ISO 27001/27701 + CSA STAR Level 1 (no C5/ENS/EAL/SecNumCloud); per key ISO-27001-only maps to ~EAL1 -> opt2 (seal 1). [SEAL gate] (src: https://anexia.com/en/company/about-anexia/certification) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Independently audited ISO 27001/27701 plus CSA STAR and GDPR compliance show partial-to-broad compliance with EU regulation, but no explicit NIS2/DORA attestation -> opt4. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and 24/7 monitoring run by EU teams from Klagenfurt with EU threat intel; formal ENISA/CSIRT sharing not documented -> opt4 (entire lifecycle EU teams, seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get monitoring/log access via the Engine portal with logs stored in EU data centers; immutable tamper-proof logging not specifically documented -> opt4 (full access, EU-stored, seal 3). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | As an EU/Austrian provider Anexia discloses incidents under GDPR and aligns with NIS2, matching moderate GDPR/NIS2-aligned disclosure -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Anexia controls its own KVM platform and maintenance scheduling with customer notice/testing windows -> moderate maintenance autonomy, opt3 (seal 4). |
| SOV-7.7 | Auditability | 3. Partial independent control | 72/143 | SEAL-1 | low | No certified audit_rights: independent audits occur via TUV Nord (ISO) and CSA STAR self-assessment (partial independent control), but customers cannot have any entity perform a full independent audit -> opt3 (seal 1). [SEAL gate] (src: https://anexia.com/en/company/about-anexia/certification) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Modern redundant DCs with efficiency investment but no specific verified PUE published; conservative managed PUE below ~1.5 with sustainability roadmap -> opt3 (seal 4). (src: https://anexia.com/blog/en/pv-park-renewable-energy-for-sustainable-data-center-infrastructure/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | ISO 14001 environmental management implies a documented hardware lifecycle/recycling program, but no EU-certified circular-economy lifecycle published -> opt3 (documented program, seal 3). (src: https://anexia.com/en/company/about-anexia/certification) |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | ISO 14001 certification since 2022 with annual TUV Nord audits implies regular environmental reporting; no detailed EU-methodology or fully EU-audited GHG report published -> opt3 (annual report, seal 2). (src: https://anexia.com/en/company/about-anexia/certification) |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | medium | Operates its own Austrian PV park (1.16 ha, Jaidhof) supplying clean energy directly to its DCs and emphasises traceable renewable energy -> opt4 (only EU energy supplies, high renewable). (src: https://anexia.com/blog/en/pv-park-renewable-energy-for-sustainable-data-center-infrastructure/) |