| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: Clever Cloud SAS is incorporated and headquartered in Nantes, France, with wholly European capital and no US subsidiary; legal entity control entirely within the EU -> opt4 (src: https://clever.cloud/solutions/compliance/). |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Bootstrapped/self-funded with European-only capital and founder control; sovereign positioning makes a non-EU takeover very unlikely. |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | Independent EU-controlled SME: EU actors (French founders/owners and customers) have full influence over the roadmap, set internally with no foreign-vendor constraints -> opt4. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Bootstrapped/self-financed, capital wholly owned by Europeans; no non-EU venture funding. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, employment, R&D and revenue concentrated in France/EU; economic contribution essentially fully in the EU. |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | Selected provider under the EC Cloud III sovereign-cloud framework (with Post Telecom/OVHcloud) and active in the EU sovereign-cloud ecosystem; active participant but not the sole pillar of a megaproject -> opt3. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Clear sovereignty strategy with concrete commitments (EU-only sovereign offer, SecNumCloud pursuit, open-source program): measured achievement and dedicated governance -> opt3. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: EU-maintained core software (Sozu, control plane, orchestration) on own infra + EU-sovereign IaaS partners (OVH, Scaleway, Outscale, Cloud Temple); no non-EU vendor whose withdrawal halts service (only residual foreign chips) -> full autonomy & continuity opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | French company, EU head office, no US subsidiary; contracts and operations exclusively under EU (French) law -> opt3 (src: https://clever.cloud/solutions/compliance/). |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity: pure-FR entity with no non-EU parent/nexus, plus the scoped sovereign offer runs on Cloud Temple SecNumCloud-qualified infrastructure; provider explicitly guarantees immunity to extra-European laws -> verified legal immunity opt5 (src: https://www.cloud-temple.com/en/press-releases/combining-paas-and-very-high-security-clever-cloud-solutions-available-in-the-secnumcloud-environment-from-cloud-temple/). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | immunity, no foreign_parent: not subject to US CLOUD Act/FISA, no US nexus and no lawful basis to comply; commits to reject foreign-authority access requests -> requests always rejected opt5 (src: https://clever.cloud/solutions/compliance/). |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | low | EU-based provider not subject to non-EU export-control regimes; sovereign offer shielded from restrictions toward EU Member States and international organisations -> opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform software (Rust-based Sozu reverse proxy, Biscuit, orchestration/control plane) developed in-house in France; IP mostly within the EU though built on global open-source components -> opt4. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Self-developed IP held by the French company under EU law; the proprietary stack is fully under EU jurisdiction -> opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | Scoped SecNumCloud sovereign offer provides customer-managed/BYOK encryption keys with customer primary control; provider can still read data operationally -> opt4 (seal 3). |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | SecNumCloud-grade offer gives full customer-controlled visibility of access logs and data flows (audit-mandated), though not necessarily real-time -> opt4 (seal 3). |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | SecNumCloud/HDS processes provide deletion technically verified with access logs (logged, traceable erasure) rather than policy-only -> opt4 (seal 3). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | medium | eu_exclusive (scoped sovereign offer): data stored and processed exclusively in EU/France across its own and EU-sovereign partner regions, HDS confirms no health data leaves the EEA, no third-country fallback in the sovereign offer -> opt5 (src: https://www.cloud-temple.com/en/press-releases/combining-paas-and-very-high-security-clever-cloud-solutions-available-in-the-secnumcloud-environment-from-cloud-temple/). |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | Scoped sovereign offer (Cloud Temple SecNumCloud PaaS zone) has no in-scope AI service - Clever AI is a separate general-platform feature outside the sovereign offer, so no foreign-AI dependency -> opt4 per key judgment-call #2 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based PaaS with documented data export, git-based deployment and open APIs; formal migration assistance available -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: entire stack operated by the France-based team in Nantes with no offshore operations dependency -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering and operations staff are EU-based (Nantes); no documented security clearances -> all EU staff opt4. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support delivered by the France-based team (French/English); all support staff in the EU, no documented clearance requirement -> opt4. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation and engineering knowledge produced and held by the EU team; primary repositories EU-only -> opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Infrastructure partners are EU-sovereign providers (OVH, Scaleway, Outscale, Cloud Temple) and software is largely self-built, so alternatives can be sourced or functions internalised; residual hardware supply constraint -> opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Hardware sourced from documented EU-sovereign IaaS partners (OVH, Scaleway, Outscale, Cloud Temple) whose component provenance is transparent with exceptions for foreign silicon -> opt3 (seal 3). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | low | Underlying hardware is foreign-designed but operated through EU-sovereign partners under SecNumCloud audit rights (mixed sourcing, EU audit rights) -> opt3 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code in CPUs, NICs and storage is vendor-supplied with limited transparency; partial disclosure only. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | no foreign_core: platform software (orchestration, Sozu reverse proxy, control plane) designed and maintained in-house by the EU team and largely open-sourced; large majority EU-maintained -> opt4. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software controlled and built by the France-based engineering team: EU control & execution of the build/release pipeline, without documented EU-policy security gates -> opt4. |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | low | Critical services (software + EU-sovereign IaaS) carry no non-EU vendor dependency; remaining non-EU dependency is residual non-critical hardware/chips, documented -> opt4 (seal 3). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | Under the SecNumCloud audit regime (via Cloud Temple) plus ISO 27001, most suppliers are auditable end-to-end -> opt4 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | medium | Open-by-default: standard git/Docker deployment, open APIs and CLI, broad runtime compatibility and documented portability -> opt5. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Relies on open standards (HTTP, OCI/containers, standard language runtimes, S3-compatible storage, Redis/Valkey protocols) across most core services -> policy for most core services opt4. |
| SOV-6.3 | Open source availability | 5. Fully open-source, independent/EU governance | 200/200 | SEAL-4 | high | no foreign_core: core components (Sozu reverse proxy, Biscuit) fully open-source under EU/independent governance on GitHub, with an explicit open-source program -> opt5. |
| SOV-6.4 | Service architecture transparency | 4. Large corpus of public insight | 150/200 | SEAL-3 | medium | Substantial public engineering content, open-source code and documentation provide a large corpus of insight into the architecture -> opt4. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Any HPC/GPU compute is EU-hosted but runs on a foreign hardware/software accelerator stack (NVIDIA), no EU-designed HPC silicon -> EU-hosted foreign stack opt2 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Scoped sovereign offer runs on Cloud Temple SecNumCloud-qualified infrastructure; SecNumCloud 3.2 maps to EAL3 per the key -> opt4 (seal 3) (src: https://www.cloud-temple.com/en/press-releases/combining-paas-and-very-high-security-clever-cloud-solutions-available-in-the-secnumcloud-environment-from-cloud-temple/). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR-compliant, ISO 27001:2022 and HDS certified, DORA support process, positioned for NIS2; partial-to-strong compliance across most EU regulations, not yet independently certified against the full set -> opt4. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security incident handling run end-to-end by the EU-based team in France with EU threat intel; no documented ENISA/CSIRT formal sharing membership for the top tier -> opt4. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get direct access to application logs and monitoring with data stored in EU; tamper-proof immutable logging not specifically documented -> full direct access, EU-stored opt4. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | low | Incident disclosure under NIS2/DORA with monitored notification flow and SLAs; not full real-time CSIRT sharing -> opt4 (seal 3). |
| SOV-7.6 | Maintenance autonomy | 5. Full autonomy (deploy independently, with checks) | 143/143 | SEAL-4 | low | As operator of its own self-built stack, Clever Cloud has full autonomy to deploy maintenance and patches independently with its own checks -> opt5. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights: the scoped SecNumCloud-grade sovereign offer (via Cloud Temple) implies full audit rights for the contracting authority and independent EU bodies -> full independent audit opt5 (src: https://www.cloud-temple.com/en/press-releases/combining-paas-and-very-high-security-clever-cloud-solutions-available-in-the-secnumcloud-environment-from-cloud-temple/). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 4. PUE < 1.3 | 188/250 | SEAL-4 | medium | Reports PUE below 1.3 (sub-1.2 cited for some DCs) and emphasises efficiency; not stated as independently EU-verified across all DCs, so PUE<1.3 -> opt4 (seal 4) (src: https://clever.cloud/cloud-and-green-it/). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | medium | Documented practice of running servers to end of useful life to extend hardware lifespan: a documented program rather than a certified circular-economy lifecycle -> opt3 (src: https://clever.cloud/cloud-and-green-it/). |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | low | Publishes detailed energy-efficiency/green-IT figures (PUE, low-carbon sourcing) following an EU methodology, short of full third-party audit -> detailed EU methodology opt4 (seal 3) (src: https://clever.cloud/cloud-and-green-it/). |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | medium | Infrastructure in France/EU on a highly low-carbon (nuclear/renewable) grid plus carbon-neutral partner DCs: only EU energy supplies, high renewable share -> opt4 (src: https://clever.cloud/cloud-and-green-it/). |