| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-0 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 2. Mostly outside the EU | 42/125 | SEAL-1 | high | no eu_entity (Civo Limited, company 09568551, UK-incorporated, Stevenage, third country) -> SOV-1.1 opt2 'mostly outside EU' (seal 1); a Frankfurt region keeps some EU footprint but does not move legal control into the EU. (src: https://find-and-update.company-information.service.gov.uk/company/09568551) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | low | Founder-led private company; only a 9.4% minority stake held by UK plc THG; no imminent transfer to a non-EU sovereign entity, though small firms remain acquirable. Kept at existing choice (all-seal-4 factor). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | no immunity/eu governance; no formal governance body with EU-actor participation, roadmap influence limited to customer/community channels -> SOV-1.3 opt2 (seal 2). |
| SOV-1.4 | Financial independence from non-EU capital | 3. Balanced mix of EU and non-EU funding | 63/125 | SEAL-4 | low | Privately held UK company; capital is UK/non-EU (THG round plus founders), treated as a balanced/uncertain mix at best from an EU perspective. Kept at existing choice (all-seal-4 factor). |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | UK-headquartered with a single Frankfurt EU region; bulk of value, staff and footprint (UK, US, India) sit outside the EU, so EU economic contribution is only 'some'. Kept at existing choice (all-seal-4 factor). |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No participation in EU strategic programs (Gaia-X / IPCEI-CIS); the sovereignty narrative is UK-focused. Kept at existing choice (all-seal-4 factor). |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | Marketing centres on UK digital sovereignty, not EU industrial strategy; no published action plan aligning with EU chips/data/cloud strategies. Kept at existing choice (all-seal-4 factor). |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | low | no own_stack (EU-sovereign): self-operated cloud-native platform (own Civo Stack on K3s/Talos) on leased/colocated DCs; could source alternatives or internalise key functions, but real non-EU hardware/colocation dependency means not full autonomy -> SOV-1.8 opt4 'ability to source alternatives or internalise' (seal 2). (src: https://www.civo.com/uk-sovereign-cloud) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | UK (third-country) jurisdiction; contracts governed by UK law, not EU/EEA member-state law -> SOV-2.1 opt1 'non-EU only' (seal 1), even though UK is GDPR-adequate. (src: https://find-and-update.company-information.service.gov.uk/company/09568551) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | medium | no immunity: UK entity exposed to UK extraterritorial powers (Investigatory Powers Act), no SecNumCloud/EUCS-High, outside EU legal protection; only standard mitigation clauses -> SOV-2.2 opt2 (seal 1). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | medium | no immunity: as a UK entity it is subject to non-EU compelled access under the UK Investigatory Powers Act (technical-capability/notice powers can compel access without notification in specific cases); cannot commit to always-reject -> SOV-2.3 opt2 (seal 1). Normalised across the UK cluster (all subject to UK IPA). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | no eu_exclusive: as a non-EU (UK) provider the offer is not shielded from non-EU export controls affecting EU citizens/orgs; no EU-MS-specific restriction identified -> SOV-2.4 opt2 (seal 1). |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | medium | Core IP built heavily on open-source cloud-native software (K3s, Talos, Kubefirst/Konstruct) of mixed origin; Civo's own developments are UK-based -> origin mixed within/outside EU. Kept at existing choice (all-seal-4 factor). |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | medium | Proprietary IP held by the UK company under UK (non-EU) law; underlying OSS projects governed by non-EU foundations -> SOV-2.6 opt1 'non-EU law, single country' (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | low | no HYOK: encryption at rest is primarily provider-managed with no documented customer-exclusive/HYOK option; provider retains effective key access -> SOV-3.1 opt2 (seal 1). |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Audit/activity logs exist via platform/API but are vendor-controlled and not real-time independently auditable -> SOV-3.2 opt3 (seal 2). |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Standard cloud deletion per policy with internal validation; no cryptographic proof-of-erasure or independent verification -> SOV-3.3 opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | medium | no eu_exclusive: a Frankfurt EU region exists as an opt-in, but the default footprint spans UK, US and India third countries with no EU-exclusivity guarantee -> partly EU, significant third-country reliance, SOV-3.4 opt2 (seal 0), per key anchor 'no EU-exclusivity guarantee -> SEAL-0'. (src: https://www.civo.com/blog/new-region-frankfurt) |
| SOV-3.5 | AI services sovereignty | 3. Mixed: auditable/open-source AI, foreign chips | 100/200 | SEAL-2 | medium | In-scope AI/GPU offering (Civo + Deep Green) uses auditable/open cloud-native tooling but relies on foreign NVIDIA accelerators and is not EU-origin AI -> SOV-3.5 opt3 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | high | Built on open standards (CNCF-conformant Kubernetes, standard APIs, Terraform) with documented data export/migration methods -> SOV-4.1 opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | medium | no eu_ops: core engineering and operations are UK/global (non-EU) teams; EU presence is essentially a single region -> critical ops delivered from outside the EU, SOV-4.2 opt1 (seal 1). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | low | no eu_ops: engineering/staff are UK-centric with global hiring; majority of skilled staff sit outside EU/EEA -> SOV-4.3 opt2 (seal 1). |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | no eu_ops: support delivered from the UK and globally (community/Slack, ticketing); majority of support capability is outside the EU -> SOV-4.4 opt2 (seal 2). |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge bases are public/global (UK-hosted) with no enforced EU-only repository -> SOV-4.5 opt2 'EU optional, not enforced' (seal 2). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | Relies on colocation/DC partners (Deep Green, Carbon-Z) and upstream vendors; under contract service could continue temporarily, but key suppliers are non-EU (UK) -> SOV-4.6 opt3 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Hardware component origin (servers, GPUs) only partially disclosed; no EU-certified provenance -> SOV-5.1 opt2 (seal 1). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Server/GPU hardware is foreign origin (global OEMs / NVIDIA) with at most partial disclosure; not EU-built -> SOV-5.2 opt2 (seal 1). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS/BMC and GPU firmware come from foreign OEMs with partial disclosure; no EU-certified embedded-code provenance. Kept at existing choice (all-seal-4 factor). |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | no foreign_core: software stack is open-source cloud-native with core/essential parts (Civo Stack, Kubefirst/Konstruct, integrations) maintained by the provider's own (UK) team -> SOV-5.4 opt3 'core/essential parts maintained' (seal 3). Non-EU team but not licensed Google/MS tech. |
| SOV-5.5 | Software build/release jurisdiction | 2. EU control, non-EU execution | 36/143 | SEAL-1 | low | Build/release controlled by the UK company with global OSS dependencies; control sits outside the EU and there are no EU policy gates -> SOV-5.5 opt2 (seal 1). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Critical dependencies include foreign hardware vendors and colocation partners, some documented -> few non-EU in critical services, SOV-5.6 opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers/partners disclosed (Deep Green, Carbon-Z) but no comprehensive auditable supply-chain transparency -> SOV-5.7 opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | Open-by-default: CNCF-conformant Kubernetes, standard APIs, Terraform provider and open tooling give strong interoperability/portability -> SOV-6.1 opt5 (seal 4). |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | high | Core services built on open standards (Kubernetes, CNCF projects, standard cloud APIs) as deliberate policy for most core services -> SOV-6.2 opt4 (seal 3). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | high | no foreign_core: heavily open-source (K3s, Talos integration, Kubefirst/Konstruct, Civo Stack) but company/key-project governance is centralised/non-EU -> SOV-6.3 opt3 'open source, centralised governance' (seal 3). |
| SOV-6.4 | Service architecture transparency | 4. Large corpus of public insight | 150/200 | SEAL-3 | medium | Large public corpus of architecture insight (Civo Academy, blogs, OSS repos, docs) -> SOV-6.4 opt4 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | In-scope GPU/HPC capacity (Civo + Deep Green) is UK/EU-hosted but runs a foreign hardware/accelerator stack (NVIDIA), not EU-designed -> SOV-6.5 opt2 'EU-hosted, foreign stack' (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 1. EAL0 / none | 0/143 | SEAL-1 | medium | no EAL/SecNumCloud/EUCS: security evidenced via ISO 27001 / SOC 2 / Cyber Essentials only, no Common Criteria EAL and no SecNumCloud/C5+ENS bundle -> SOV-7.1 opt1 'none' (seal 1). (src: https://www.civo.com/uk-sovereign-cloud) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Holds ISO 27001, SOC 2 Type II and claims UK GDPR/DPA compliance; as a UK provider this is partial compliance with the EU GDPR/NIS2/DORA regime. Kept at existing choice (all-seal-4 factor). |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | no eu_ops: security operations and incident response run by UK/global teams, hybrid EU/non-EU posture, no dedicated EU SOC -> SOV-7.3 opt2 (seal 1). |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get monitoring/logging via the platform portal/API, but full direct access with EU-resident immutable logs is not guaranteed -> SOV-7.4 opt3 'basic monitoring portal' (seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Incident disclosure follows UK GDPR/NIS-aligned practices and ISO 27001 processes; moderate compliance rather than real-time EU CSIRT sharing -> SOV-7.5 opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Managed cloud-native platform: customers control their own workloads/clusters with notice and testing for platform maintenance -> moderate maintenance autonomy, SOV-7.6 opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | no audit_rights: auditability is via certifications (ISO 27001, SOC 2) and reports; no contractual full audit access for the contracting authority/independent EU bodies -> SOV-7.7 opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 2. PUE < 3 | 63/250 | SEAL-1 | low | Strong sustainability messaging (Deep Green heat reuse, 100% renewable LON2) but no published verified provider-wide PUE figure for the in-scope footprint -> conservatively SOV-8.1 opt2 'PUE < 3' (seal 1). (src: https://www.civo.com/carbon-neutral-gpu) |
| SOV-8.2 | Hardware reuse & recycling | 2. Basic circular practices | 63/250 | SEAL-0 | low | No detailed published hardware reuse/recycling program; basic circular practices implied via colocation partners but not a formal documented scheme -> SOV-8.2 opt2 (seal 0). |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | Sustainability claims published (renewable energy, heat reuse) but no detailed annual EU-methodology environmental impact report -> SOV-8.3 opt2 'basic reporting' (seal 1). |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | medium | UK regions (notably LON2 via Deep Green/Carbon-Z) run on 100% renewable energy, but the overall footprint spans UK/US/India -> mix of EU and non-EU supplies. Kept at existing choice (all-seal-4 factor). (src: https://www.civo.com/carbon-neutral-gpu) |