| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | foreign_parent (Cloudflare, Inc., Delaware/San Francisco, NYSE: NET) -> entity controlling the service is entirely outside the EU -> SOV-1.1 opt1. (src: https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001477333&type=10-K) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Already a US-controlled public company; transfer to a non-EU sovereign entity is not a meaningful future risk because control already sits outside the EU. A takeover moving it to EU control is very unlikely. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap set centrally in the US; no EU governance body, only 'voice of the customer' channels (no immunity/EU control) -> SOV-1.3 opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Funded via US venture capital (Venrock and others) and US public equity markets; almost entirely non-EU capital. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | Cloudflare has EU offices (e.g., Lisbon, Munich, London) and network presence, but the large majority of R&D, revenue booking and employment is outside the EU; only some EU economic contribution. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No clear participation in EU strategic programs such as Gaia-X or IPCEI-CIS as a core member; it is a US commercial vendor. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No evidence of an action plan or dedicated governance aligned with EU industrial sovereignty strategies; alignment is incidental via compliance offerings. |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | Not own_stack (service runs on Cloudflare's US-controlled global network), but a standard PaaS with documented data-export/API access and contractual terms under which dependent services could continue temporarily after a cut-off rather than shutting down immediately -> SOV-1.8 opt3 (seal 2), consistent with US commodity-IaaS/CDN peers. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | foreign_parent: primary jurisdiction is US law; EU subsidiaries and GDPR contracts add an EU layer, making it mixed EU/non-EU rather than exclusively EU -> SOV-2.1 opt2. |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | No immunity (US parent): fully exposed to US extraterritorial laws (CLOUD Act, FISA 702); contractual mitigation clauses and SCCs exist but residual exposure remains -> SOV-2.2 opt2. |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent (US CLOUD Act/FISA): US authorities can compel access; policy is to notify and push back, but under gag orders access can be compelled without notification -> SOV-2.3 opt2 (seal 1, caps overall SEAL at 1). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | As a US entity Cloudflare is subject to US export controls/OFAC sanctions that can restrict service to certain persons or organizations, though not to EU Member States generally -> SOV-2.4 opt2. |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core IP (network software, Workers runtime, products) is developed and held in the US, entirely outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | IP is held by Cloudflare, Inc. under US (single-country, non-EU) law -> SOV-2.6 opt1. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | medium | Keyless SSL/Geo Key Manager let customers control TLS key location, but for most stored data and proxied traffic Cloudflare holds keys and can read data -> shared with provider override -> SOV-3.1 opt3. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | medium | Logs/analytics (Logpush, audit logs) exist but are vendor-controlled and not independently real-time auditable across the global network -> SOV-3.2 opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows internal retention policy with contractual commitments, but no independently verifiable cryptographic proof of irreversible erasure -> SOV-3.3 opt3. |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | No eu_exclusive sovereign offer; global default product, but the Data Localization Suite makes EU regions selectable (EU-by-default with tightly controlled exceptions) while third-country fallback exists -> SOV-3.4 opt4 (seal 1). (src: https://www.cloudflare.com/data-localization/) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | medium | Workers AI relies on NVIDIA GPUs (foreign chips) and largely licensed/open models (e.g., Llama); not EU-origin, clear chip dependency -> SOV-3.5 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | high | Standard, documented data export and API access exist with broad open-format support; reliance on proprietary features (Workers, WAF rules) limits portability beyond standard export -> SOV-4.1 opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | medium | No eu_ops: critical operation of the global network, control plane and core engineering is delivered by predominantly US-based teams; EU cannot run the stack independently -> SOV-4.2 opt1. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | low | Cloudflare has EU staff (Lisbon, London, Munich) but its engineering/SRE skill base is global with the majority outside the EU -> SOV-4.3 opt2. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | Support is global follow-the-sun with EU presence but the majority of support capacity sits outside the EU -> SOV-4.4 opt2. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Extensive public documentation exists globally; EU-residency of knowledge repositories is optional/not enforced, with global exposure -> SOV-4.5 opt2. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | Uses non-EU subcontractors/colocation; on disruption the service would stop with delay, with limited ability to internalise within the EU -> SOV-4.6 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | Cloudflare publishes detailed server generation specs (AMD EPYC, Ampere Altra) but full component provenance is only partially disclosed and not EU-certified -> SOV-5.1 opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Servers are built by foreign ODMs (e.g., Quanta, Taiwan) to Cloudflare specs; foreign-origin manufacturing with partial public disclosure of design -> SOV-5.2 opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code comes from foreign chip and ODM vendors (AMD, Ampere, NIC vendors); only partial disclosure, no EU-certified provenance. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | medium | Core software (network stack, Workers runtime workerd) is US-developed; some components open-sourced for review but it is foreign-origin with partial disclosure, not EU-maintained -> SOV-5.4 opt2 (seal 2). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | Software build and release are controlled and executed by Cloudflare in the US; non-EU control and execution with no EU policy gates -> SOV-5.5 opt1. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | medium | Critical services depend on non-EU vendors (US/Taiwan chips, ODMs, US control plane) and dependency mapping is mostly undocumented to customers; mostly non-EU dependency -> SOV-5.6 opt2. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers are disclosed via certifications and sub-processor lists, but the full supply chain is not broadly auditable by customers; only some suppliers auditable -> SOV-5.7 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Cloudflare exposes standards-based, well-documented APIs and supports broad protocol standards (HTTP, DNS, TLS, BGP, WebAssembly), making it standards-based and broadly compatible -> SOV-6.1 opt4. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Cloudflare actively builds on and contributes to open standards (IETF: TLS 1.3, QUIC/HTTP3, ECH, Privacy Pass) for most core network services as a matter of policy -> SOV-6.2 opt4. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | Cloudflare open-sources many significant components (workerd, quiche, BoringTun, CIRCL, gokeyless) under centralised company governance, but the platform itself is not fully open-source -> SOV-6.3 opt3 (open, centralised governance). |
| SOV-6.4 | Service architecture transparency | 4. Large corpus of public insight | 150/200 | SEAL-3 | medium | Cloudflare publishes an unusually large corpus of public technical insight (detailed blog posts, research, RFCs), though customers cannot modify the core service -> SOV-6.4 opt4. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Any HPC/GPU compute (Workers AI inference) runs across Cloudflare's PoPs, including EU locations, on imported NVIDIA accelerators: EU-hosted on a foreign stack rather than imported black-box with no EU footprint -> SOV-6.5 opt2 (seal 3), consistent with US commodity-IaaS/CDN peers. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Beyond ISO 27001 + SOC 2, Cloudflare holds the German BSI C5 attestation, a high-assurance national cloud-security certification; per the key's cert map (SecNumCloud 3.2 / BSI C5 / EUCS-Substantial / ENS-High -> EAL3) this maps to EAL3 -> SOV-7.1 opt4 (seal 3). This is a genuine differentiator vs the rest of the cluster, which hold only ISO 27001 + SOC 2. (src: https://www.cloudflare.com/trust-hub/compliance-resources/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Cloudflare demonstrates GDPR compliance (ISO 27701, EU Cloud Code of Conduct, EU-US DPF) and supports NIS2/DORA needs, achieving partial compliance to most EU regulations though not a single fully independently audited 'all-regimes' attestation. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | No eu_ops: SOC and incident response operate globally on a follow-the-sun model spanning US and EU; hybrid EU/non-EU -> SOV-7.3 opt2. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get monitoring via dashboard, audit logs and Logpush (a monitoring portal), but Cloudflare retains primary control of platform-level security logging -> SOV-7.4 opt3. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure is moderate and GDPR/NIS2-aligned with public post-incident reporting, but not full real-time CSIRT integration -> SOV-7.5 opt3. |
| SOV-7.6 | Maintenance autonomy | 2. Limited autonomy (vendor schedules) | 36/143 | SEAL-1 | low | Cloudflare controls maintenance and update scheduling of its global network; customers have limited autonomy over when changes are applied -> SOV-7.6 opt2. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | No audit_rights: independent auditing is limited to third-party certification audits (ISO/SOC2/C5); customers and arbitrary entities cannot perform full independent audits -> SOV-7.7 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Cloudflare runs in leased colocation facilities (typically PUE well under 1.5) and reports strong per-watt efficiency gains and an efficiency roadmap -> SOV-8.1 opt3. (src: https://www.cloudflare.com/impact/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Cloudflare runs a documented hardware-sustainability program (use hardware as long as possible, responsible recycling at decommission, plus a customer hardware-decommission/disposal program) -> SOV-8.2 opt3 (documented program), consistent with US commodity-IaaS/CDN peers. (src: https://www.cloudflare.com/impact/) |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | Cloudflare publishes an annual Impact Report with Scope 1/2/3 emissions, but it follows global (not EU-specific audited) methodology -> SOV-8.3 opt3. (src: https://www.cloudflare.com/impact/) |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | medium | Cloudflare matches 100% of its global network electricity with renewables, but supplies are sourced globally (via RECs), so it is a mix of EU and non-EU energy supplies rather than EU-only. (src: https://www.cloudflare.com/impact/) |