| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | centron GmbH is incorporated in Hallstadt (Amtsgericht Bamberg HRB 3986), Germany, an EU member state, with all legal control entirely within the EU. (src: https://www.centron.de/en/iso-27001-certification/) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Privately held, founder-owned German GmbH run since 1999 by its founders/owners Monika and Wilhelm Seucan (succession within the family, with Dominik Seucan as CEO from 2025); no external/VC capital or public listing make a non-EU takeover very unlikely. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | Roadmap is set internally by the owner-managers with customer feedback via support and account channels; no structural EU-actor co-governance body is documented. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Self-funded, profitable founder-owned German company with no external or non-EU investors; financing is entirely EU-based. |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | Workforce, HQ, R&D and owned data centres (Hallstadt, Nuremberg, Coburg, Frankfurt) are in Germany; only a single Zurich facility lies outside the EU, so the large majority of economic activity is in the EU. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | Member of eco / EuroCloud and positioned as a German sovereign-cloud provider, but no documented active role in Gaia-X working groups or IPCEI-CIS; participation is limited at best. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets a 'made in Germany / GDPR-compliant European cloud' sovereignty proposition aligned with EU industrial goals, amounting to an action plan rather than measured, governed achievement. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack (vertically integrated EU provider: owned German data centres, EU staff, self-operated OpenStack/Ceph/K8s; foreign chips are residual hardware only, with continuity/exit possible) -> SOV-1.8 opt5 'Full autonomy and continuity'. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | As a German GmbH with an EU-only corporate structure and primary data centres in Germany, the service is governed exclusively under EU/German law. (src: https://www.centron.de/en/iso-27001-certification/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with structural separation but NO certified immunity (no SecNumCloud 3.2 / EUCS-High held) -> SOV-2.2 opt4 'Legal structures shielding from foreign law' (seal-2 ceiling). The purely German structure shields from the US CLOUD Act but immunity is not certified. (src: https://www.centron.de/en/iso-27001-certification/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | high | No foreign_parent (purely German/EU ownership, no US/CN nexus able to compel access) -> not subject to CLOUD Act/FISA/PRC law; requests have no legal basis and are rejected -> SOV-2.3 opt5 (seal 4). (src: https://www.centron.de/en/iso-27001-certification/) |
| SOV-2.4 | Export control restrictions | 4. Part of offer shielded from restrictions towards EU MSs | 125/167 | SEAL-3 | medium | EU sovereign offer with no export-control restrictions toward EU member states; part of the offer is shielded from restrictions toward EU MSs -> SOV-2.4 opt4 (seal 3). |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Operational and platform IP (OpenStack integration, management software, data-centre design) is developed in the EU; physical hardware/chip IP (Intel, AMD, NVIDIA) is foreign, so IP is mostly but not fully EU-origin. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | high | The IP-holding entity is the German centron GmbH, fully under EU law. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | The OpenStack/Ceph platform supports S3 server-side encryption with customer-provided keys via Barbican; absent default confidential-compute/HSM, the provider operating the infrastructure could technically read unencrypted data. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Access and usage logs exist within the managed platform and audit evidence is provided under ISO 27001/BSI scope, but oversight is vendor-controlled and not real-time independently auditable. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows documented ISO 27001/BSI IT-Grundschutz policy and is validated internally, but without per-request independently verified cryptographic proof of erasure to the customer. |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | NOT eu_exclusive: data is EU by default but a Swiss (third-country) data centre exists as a controlled exception, with no contractual no-third-country-fallback guarantee -> SOV-3.4 opt4 'EU by default, tightly controlled exceptions' (seal-1 ceiling). (src: https://www.centron.de/en/datacenter-en/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | AI offering is GPU IaaS (NVIDIA A4000 / RTX 6000 Ada) on which customers run their own open-source/auditable models EU-hosted (EU-led/EU-hosted AI); no black-box managed AI, only the accelerators are foreign -> opt4 'EU-led AI, foreign accelerators' (consistent with the cluster's open-model-on-foreign-GPU providers). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based export via S3-compatible object storage, Kubernetes, container images and standard Linux VMs avoids proprietary lock-in and supports formal migration off-platform. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops (entire stack operated by centron's own German teams from German data centres, no foreign operational dependency) -> SOV-4.2 opt5 'Entire stack managed by fully EU-based team' (seal 4). |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering, operations and apprenticeship/training are concentrated in Germany; staff are EU-based with no documented security clearances. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | 24/7 support is delivered by centron's own staff based in Germany; no documented security clearances for support personnel. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation and knowledge repositories are maintained in-house in Germany, primarily EU-only. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Core suppliers/facilities are EU-based and the platform is self-operated; centron can source alternative hardware suppliers or internalise functions, with foreign chip vendors being the residual dependency. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | Server components rely on foreign chips/parts (Intel, AMD, NVIDIA); component origin is only partially disclosed. |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | low | Hardware is integrated and operated in Germany on mixed/foreign-origin components with EU audit rights via the certified data centre, but built on foreign chip and board designs. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in CPUs, GPUs, NICs and BMCs comes from foreign vendors with only partial provenance disclosure. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | NOT foreign_core (no licensed Google/MS/AWS core): platform is open-source OpenStack/Ceph/Kubernetes integrated and maintained by centron's EU teams -> SOV-5.4 opt4 'Large majority maintained by EU teams' (seal 3, not capped at 2). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Platform integration, build and release are under EU control and execution from Germany. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | A few non-EU dependencies are critical (chip vendors Intel/AMD/NVIDIA with no EU substitute) within an otherwise EU-controlled and documented stack. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers are auditable through the ISO 27001/BSI IT-Grundschutz data-centre scope -> SOV-5.7 opt3 'Critical suppliers auditable' (seal 2); full transparency (chip vendors) is not demonstrated. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces: OpenStack APIs, S3-compatible object storage, Kubernetes and container/VM portability. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Core services are built on open standards (OpenStack, S3 API, Kubernetes, KVM, standard Linux images) as a deliberate policy across most core offerings. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | The platform is based on open-source components (OpenStack, Ceph, Kubernetes) with upstream community governance, but centron's own integration/control layer is centrally governed and not itself published. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Some public architecture insight is provided via product documentation and the open-source base stack, though centron's specific integration remains largely internal. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | GPU/HPC offering is EU-hosted in German data centres but runs an entirely foreign accelerator stack (NVIDIA). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | medium | Certs held: ISO 27001 on the basis of BSI IT-Grundschutz + Trusted Cloud (no C5, SecNumCloud or EUCS). Per the cert->EAL map this ISO 27001 + structured national-baseline (IT-Grundschutz) ISMS maps to ~EAL2 -> SOV-7.1 opt3 (seal 2). (src: https://www.centron.de/en/iso-27001-certification/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR-compliant with DPAs, ISO/IEC 27001 and BSI IT-Grundschutz certified data centre (BSI-IGZ-0555-2023) plus Trusted Cloud (IaaS); broad compliance to most EU regimes though full independently-audited DORA/NIS2 coverage is not documented. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Security operations and incident response are handled by centron's own German teams; no documented ENISA/CSIRT real-time sharing membership. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get access to their own monitoring/logs with infrastructure logs stored in EU data centres; no claim of immutable tamper-proof customer logging. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | low | As a GDPR processor and certified DC operator it follows monitored breach-disclosure flows with SLAs; not documented as full real-time CSIRT sharing. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | low | centron controls its own maintenance on its self-operated OpenStack stack and can deploy patches independently without third-party vendor scheduling. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | NO tender-grade audit_rights: assurance is only via the provider's own ISO 27001 / BSI IT-Grundschutz certification bodies, not a full independent audit by any entity -> SOV-7.7 opt2 (seal-1 ceiling). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 5. PUE < 1.2, EU verified | 250/250 | SEAL-4 | high | Reported PUE of 1.08 for the Hallstadt data centre, comfortably below 1.2, achieved via direct free cooling (~95% compressor-free outside-air operation) in a German EU-located certified facility. (src: https://www.centron.de/en/datacenter-en/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | ISO 14001-certified environmental management with documented efficiency/hardware practices, amounting to a documented program rather than an EU-certified circular lifecycle. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Publishes sustainability/efficiency figures (e.g. PUE 1.08, cooling-energy reductions) at roughly annual level under ISO 14001, not an independently EU-audited methodology. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | The data centre is operated entirely on 100% renewable (green) electricity sourced in Germany/EU. (src: https://www.centron.de/en/datacenter-en/) |