| SOV-1 Strategic Sovereignty | SEAL-3 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (Aruba S.p.A. is a privately held independent Italian company, HQ Ponte San Pietro (BG), no non-EU parent) -> entity entirely within EU, opt4. (src: https://www.arubacloud.com/data-sovereignty-aruba-cloud/) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Founder/family-controlled private Italian company with no external non-EU investors and a sovereign-cloud mission; takeover by a non-EU sovereign entity very unlikely -> opt5. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | Gaia-X day-1 member and SECA sovereign-API co-founder, so EU governance bodies with EU-actor participation influence roadmap/interoperability; final product roadmap company-controlled -> opt3. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Privately funded from own operations and EU capital; no evidence of non-EU funding -> entirely EU-based funding, opt5. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, data centres, hydroelectric plants, staff and revenue concentrated in Italy/EU; economic contribution essentially fully in the EU -> opt5. |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | high | Gaia-X day-1 member and one of only two European Gaia-X Digital Clearing House nodes, co-founder of the SECA Sovereign European Cloud API -> strong participation in EU strategic programs, opt4. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Clear sovereign-cloud positioning with measured achievements (ACN QC3/AI3, CISPE, Gaia-X) and dedicated governance -> measured achievement and dedicated governance, opt3. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: vertically integrated EU operator owning its data centres and power generation, EU-maintained OpenStack core with documented portability; foreign chips/licensed components are residual only -> full autonomy & continuity, opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Subject exclusively to European law, all data and administrative management in Italy/EU -> contract under EU law only, opt3. (src: https://www.arubacloud.com/data-sovereignty-aruba-cloud/) |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | high | immunity (pure-IT entity, no non-EU parent/nexus + ACN QC3 highest-grade sovereign qualification for strategic national-security PA data, SecNumCloud-equivalent); non-EU laws unenforceable -> verified legal immunity, opt5. (src: https://www.acn.gov.it/portale/en/w/in-56) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | high | No foreign_parent and no non-EU corporate footprint, infrastructure outside CLOUD Act/FISA reach; access requests have no legal pathway and would be rejected -> requests always rejected, opt5. (src: https://www.acn.gov.it/portale/en/w/in-56) |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | EU-only operator, essentially all revenue in the EU, offer designed for EU public administration; no non-EU export-control restrictions toward EU MSs or international orgs -> opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Platform IP (OpenStack-based stack, DC and management software) developed in-house in Italy; underlying components mixed but controlling IP mostly EU -> mostly within EU, opt4. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Proprietary IP held by the Italian company fully under EU jurisdiction -> fully under EU law, opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | medium | QC3 offer documents customer-managed encryption keys (BYOK); customer has primary control though provider can read data -> opt4. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | QC3 offer provides comprehensive customer-accessible activity/access logs in EU DCs (full customer-controlled visibility), though not documented as real-time independently auditable -> full customer-controlled visibility, opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | medium | Under ACN QC3 (strategic PA data) + ISO 27001-family controls and comprehensive logging/CERT, deletion is technically verified with access logs -> deletion technically verified with logs, opt4. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: all data stored/processed in Italy and other EU countries (own DCs IT + CZ, EU partner infra), no third-country fallback -> exclusively EU, opt5. (src: https://www.arubacloud.com/data-sovereignty-aruba-cloud/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | Private AI / GPU offering runs in EU DCs with EU-controlled pipelines and no data leaving the perimeter but relies on foreign (NVIDIA) accelerators -> EU-led AI on foreign accelerators, opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | high | Built on OpenStack/VMware standards to reduce lock-in, with documented export and formal migration services -> formal migration services available, opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: entire stack operated by Aruba's own Italian/EU teams from EU data centres; no critical operations by non-EU teams -> entire stack managed by fully EU-based team, opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering/operations staff Italy/EU based, no non-EU staffing; broad security clearances not claimed -> all EU staff, opt4. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support provided by Italian/EU-based specialists, all support staff EU-based; no documented security-cleared tier -> all support staff in EU, opt4. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | medium | Documentation/knowledge management within Italy/EU; primary repositories EU-based with no non-EU exposure -> EU-only primary repositories, opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Most suppliers EU-based and Aruba owns core facilities/power; for hardware it could source alternatives or internalise -> ability to source alternatives, opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Server hardware foreign-sourced (x86/NVIDIA) but as ISO-certified operator Aruba provides component transparency to customers/auditors with exceptions; provenance not EU-certified -> transparent with exceptions, opt3. |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Hardware is foreign-designed/mixed-sourced but deployed, integrated and operated in Aruba's own EU data centres under ISO-audited supply-chain controls (EU audit rights), matching the uniform key for EU sovereign providers -> mixed sourcing, EU audit rights, opt3. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code in foreign-built hardware (BIOS, NIC, GPU) largely vendor black-box; only partial disclosure -> partial disclosure, opt2. |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | Core cloud orchestration is OpenStack-based and maintained/customised by Aruba's EU teams plus own Cloud Panel/API; VMware is a licensed commercial component, not the whole platform (not foreign_core) -> core/essential parts maintained by EU teams, opt3. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software build and release for Aruba's own platform controlled and executed by its Italian/EU engineering org -> EU control & execution, opt4. |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | medium | Foreign chips/GPUs and VMware licensing are documented, substitutable non-critical-at-platform-level inputs (own_stack: Aruba owns DCs/power and the EU-maintained core), matching the uniform key for EU sovereign providers -> few non-EU non-critical, documented, opt4. |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | medium | Running its own EU DCs with ISO 27001 / CISPE supplier audits, most suppliers are auditable beyond just the critical few -> most suppliers auditable, opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | high | Standards-based on OpenStack/VMware with open APIs and SECA standardisation; broadly compatible and portable but not fully open-by-default across all services -> standards-based and broadly compatible, opt4. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | OpenStack and broad standards adoption plus active SECA open-API standardisation -> policy for most core services, opt4. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | Core platform built on open-source OpenStack but governance of Aruba's deployment is centralised within the company (not foreign_core) -> open source, centralised governance, opt3. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Publishes documentation and architecture insight and contributes to open initiatives (Gaia-X, SECA) -> some public insight, opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | GPU/HPC capability EU-hosted but built on a foreign (NVIDIA) accelerator stack; no EU-designed HPC silicon -> EU-hosted, foreign stack, opt2 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | ACN QC3/AI3 (highest Italian sovereign qualification for strategic PA data) mapped to SecNumCloud-grade ~ EAL3-equivalent per key -> opt4 (EAL3). (src: https://www.acn.gov.it/portale/en/w/in-56) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | high | Independently audited ISO 27001/27017/27018/27035, CISPE Code of Conduct, ACN QC3/AI3, and DORA/NIS2/GDPR compliance -> fully compliant, independently audited, opt5. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Security operations and incident handling run by Aruba's EU-based CERT/teams supporting NIS2/DORA; full lifecycle in EU, formal ENISA sharing not explicitly claimed -> entire lifecycle by EU teams, opt4. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get direct access to monitoring/logs stored in EU DCs under ISO 27001 controls; immutable tamper-proof guarantees not documented -> full direct access, logs stored in EU, opt4. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | Incident disclosure GDPR/NIS2-aligned with SLAs and monitored notification flow; real-time CSIRT integration not explicitly evidenced -> partial compliance, monitored flow, SLAs, opt4. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | medium | As operator of its own stack, Aruba schedules maintenance with customer notice and testing windows, retaining moderate autonomy except vendor zero-day patches -> moderate autonomy, opt3. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights: ACN QC3 sovereign offer for strategic PA data implies tender-grade full audit rights for the contracting authority and independent EU bodies -> full independent audit, opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | medium | Green-by-design DCs with geothermal/free cooling targeting low PUE with improvement roadmap; no verified sub-1.3 figure published -> PUE<1.5 + roadmap, opt3. (src: https://www.datacenter.it/en/aruba-ecosustainability/energy-production) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Follows the Climate Neutral Data Centre Pact with documented sustainability/lifecycle practices -> documented program, opt3. |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | medium | Publishes detailed sustainability reporting under EU methodology (energy, efficiency, renewable self-production) and adheres to the Climate Neutral Data Centre Pact -> detailed EU methodology, opt4. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Campus uses only renewable energy, self-produced from owned hydroelectric plants plus solar, supplemented by grid with Guarantee of Origin -> only green EU energy, opt5. (src: https://www.datacenter.it/en/aruba-ecosustainability/energy-production) |