| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-1 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 2. Mostly outside the EU | 42/125 | SEAL-1 | high | CloudSigma AG is incorporated and controlled in Switzerland (Zurich/Zug), a third country, not EU/EEA. No EU parent; entity control sits mostly outside the EU -> opt2 (seal 1; uniform across the Swiss cluster). (src: https://www.cloudsigma.com) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | low | Small, independent, founder-led Swiss company with minimal external capital; no signs of imminent acquisition by a non-EU sovereign entity, though small firms remain acquirable. Kept at existing all-seal-4 choice. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | No formal governance bodies with EU-actor participation; roadmap influence is limited to customer/partner feedback channels typical of a small commercial IaaS provider -> opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 3. Balanced mix of EU and non-EU funding | 63/125 | SEAL-4 | low | Privately held Swiss company with limited disclosed funding (small rounds plus an EU grant). Capital is Swiss/mixed rather than clearly majority EU-based. Kept at existing all-seal-4 choice. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | low | Swiss-headquartered with some EU data centers and customers, but the bulk of corporate value and the global footprint (US/APAC/ME) sit outside the EU. Kept at existing all-seal-4 choice. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | medium | Historic limited participation in EU-fostered Helix Nebula / HNSciCloud science-cloud initiatives; no Gaia-X or IPCEI-CIS membership. Kept at existing all-seal-4 choice. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | low | No published action plan or governance demonstrating alignment with EU industrial strategies; markets globally as a neutral CaaS provider. Kept at existing all-seal-4 choice. |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | Self-operated KVM platform on leased/colo data centers; not own_stack (depends on non-EU colocation, e.g. Equinix, and foreign hardware). Under contract a deployment could continue temporarily -> opt3 (key 1.8). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Primary jurisdiction is Switzerland (a third country); contracts governed by Swiss law, but CloudSigma also operates EU data centers (Frankfurt, Dublin) and serves EU customers under GDPR -> mixed EU/non-EU, opt2 (seal 1). Normalised to opt2 for consistency with the rest of the Swiss cluster (mixed, both opt1/opt2 are seal 1). (src: https://www.cloudsigma.com) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | medium | No immunity: Switzerland is not EU and CloudSigma holds no SecNumCloud/EUCS-High; unlike the Swiss-only peers it also operates US/APAC/ME data centers, exposing parts of the offer to foreign law -> only mitigation clauses, exposure remains, opt2 (seal 1). Real footprint differentiator vs Swiss-only peers (opt4). (src: https://blog.cloudsigma.com/cloud-locations/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 4. Requests disputed, sometimes accepted with notification | 125/167 | SEAL-1 | low | No foreign_parent for the Swiss entity, but unlike the Swiss-only peers CloudSigma operates US/APAC/ME data centers, so US-located deployments could be compelled by US authorities under the CLOUD Act -> requests disputed, not always rejected, opt4 (seal 1). The genuine US-DC exposure is the differentiator that keeps it below the opt5 (seal 4) reached by the pure-Swiss-hosting peers. (src: https://blog.cloudsigma.com/cloud-locations/) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | No known export-control restrictions toward EU member states; a meaningful share of revenue is European, but the company is global and Swiss-based rather than EU-shielded -> opt3. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | low | Core IP is Swiss-developed on open-source (KVM/Linux) with mixed international components; not predominantly EU-origin, but not fully foreign. Kept at existing all-seal-4 choice. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | medium | Proprietary platform IP is held by the Swiss parent under Swiss (non-EU, single-country) law -> opt1 per key 2.6. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | high | Customers perform boot-level/full-disk encryption holding their own keys; CloudSigma states it has no access inside VMs or drives, so the provider cannot read encrypted customer data -> opt5 (seal 4). Genuine customer-held-key differentiator preserved (not flattened). (src: https://www.cloudsigma.com) |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | ISO 27001 / SOC 2 controls imply audit and access logging, but logs are vendor-controlled and not advertised as real-time independently auditable customer feeds -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion handled per internal ISO 27001 policy; no published independently verified proof-of-erasure; customer-held keys help but provider erasure is policy-based -> opt3 per key 3.3. |
| SOV-3.4 | Data location strictly in EU/EEA | 3. Mainly EU, some third-country use with safeguards | 100/200 | SEAL-1 | medium | Not eu_exclusive: default global footprint includes many third countries (US, APAC, ME), but CloudSigma DOES offer real EU member-state data centers (Frankfurt, Dublin) so a customer can obtain EU residency -> mainly-EU-with-safeguards, opt3 (seal 1). The presence of genuine EU-DC options keeps it above the Swiss-only peers (opt2 seal 0, no EU region at all). (src: https://blog.cloudsigma.com/cloud-locations/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | Pure IaaS with no in-scope sovereign AI service; no foreign-AI dependency in the offer -> opt4 (seal-3) per key 3.5 (no in-scope AI). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Open KVM-based VMs, standard images, documented APIs/data export plus stated migration support give formal portability away from the platform -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 2. Ops partially sourced within EU | 42/167 | SEAL-1 | low | Not eu_ops: small global team (~50 across 4 continents); operations partially sourced within the EU (Sofia tech team) but not predominantly EU-based -> opt2 per key 4.2. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | low | Staff spread across Europe, North America and Asia; skills are mixed with no demonstrated EU majority given the global footprint -> opt2 per key 4.3. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | 24/7 global support delivered by a small internationally distributed team; not majority EU-based -> opt2 per key 4.4. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation and knowledge live in global/cloud repositories with no stated EU-only residency; EU handling is optional, not enforced -> opt2 per key 4.5. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | Relies on third-party colocation (e.g. Equinix) and hardware vendors; under contractual arrangements service could continue temporarily, though supplier base is largely non-EU -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Standard x86 server hardware of foreign origin; component provenance only partially disclosed, no EU-certified supply chain -> opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers and chips manufactured abroad (US/Asia); provider does not design or build its own hardware and discloses little manufacturing detail -> opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS on commodity servers comes from foreign OEMs with at most partial disclosure; no EU-certified firmware provenance. Kept at existing all-seal-4 choice. |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | No foreign_core: the cloud platform is built and maintained by CloudSigma's own (Swiss-led) teams on open-source KVM/Linux, not licensed Google/MS tech. Core/essential parts maintained by the provider's teams -> opt3 per key 5.4. |
| SOV-5.5 | Software build/release jurisdiction | 2. EU control, non-EU execution | 36/143 | SEAL-1 | low | Release process controlled by the Swiss company (non-EU) with engineering distributed internationally; control and execution are not EU-based -> opt2 per key 5.5. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Critical dependencies on non-EU colocation and hardware vendors exist and are documented to some extent (named facility partners) -> opt3 (few non-EU in critical services, documented). |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers (named data-center/colocation partners) are identifiable, but no comprehensive auditable supply-chain transparency program -> opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based KVM virtualization, standard OS images and documented APIs make the platform broadly compatible and avoid heavy proprietary lock-in -> opt4. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Adopts open standards for core compute/storage (KVM, standard images, common protocols) but without a published comprehensive open-standards policy across all services -> opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | Built on open-source KVM/Linux, but CloudSigma's own platform/orchestration software is proprietary and not openly published or community-governed -> opt2 per key 6.3. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Some public architectural insight via blog/docs and ISO 27001/SOC 2 audit access, but no deep customer-contributable transparency -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No EU-sovereign HPC offering; treated as no in-scope HPC -> opt2 (seal-3) per key 6.5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | medium | No SecNumCloud/EUCS-High/C5/Common Criteria EAL; holds ISO 27001 + ISO 27017/27018 + SOC 2 Type II. Per key, ISO 27001 + SOC 2 maps to EAL2 -> opt3 (seal 2). (Below the C5-holding peers Exoscale/Safe-Swiss at opt4.) (src: https://blog.cloudsigma.com/soc-2-customer-data-management-certified-cloud/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | ISO 27001 and SOC 2 Type II certified and GDPR-relevant as a Swiss adequate jurisdiction, showing moderate adherence; no full audited NIS2/DORA compliance. Kept at existing all-seal-4 choice. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Security operations and incident handling run by a small globally distributed team, implying a hybrid EU/non-EU SOC rather than an EU-confined lifecycle -> opt2. |
| SOV-7.4 | Control over security monitoring/logging | 2. Customers receive periodic reports | 36/143 | SEAL-1 | low | Customers get reporting and ISO/SOC-aligned controls, but security monitoring/logging is largely provider-controlled with periodic reporting rather than full customer-owned EU-resident logs -> opt2. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Operating under ISO 27001 and serving EU customers implies GDPR/NIS2-aligned breach disclosure, but no published real-time CSIRT/ENISA sharing -> opt3 per key 7.5. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operating its own KVM platform gives moderate maintenance autonomy with versioned, auditable releases and customer notice, subject to underlying vendor patches -> opt3 per key 7.6. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: independent assurance is via ISO 27001 / SOC 2 auditors with limited scope; no full independent audit by the contracting authority or any independent EU body -> opt2 (capped seal-1 per key 7.7). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Hosts in modern Tier III Equinix colocation facilities (the same premium-facility class as Exoscale), which run efficient PUE with sustainability roadmaps; no standalone published figure, so PUE<1.5+roadmap is the consistent estimate -> opt3 (seal 4). Normalised to the colo-tenant peers (Exoscale/Safe-Swiss/Nine) using the same facility class. (src: https://blog.cloudsigma.com/cloud-locations/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | As a colocation tenant in professionally managed Equinix facilities, hardware lifecycle/recycling is covered by the operators' documented circular-economy programs (same basis credited to the other colo-tenant peers Exoscale/Safe-Swiss/Nine) -> documented program, opt3 (seal 3). Normalised for consistency: no real differentiator vs the peers using the same facility operators. (src: https://blog.cloudsigma.com/cloud-locations/) |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | No detailed environmental/sustainability report published by CloudSigma itself; at most basic reporting inherited from data-center partners -> opt2 per key 8.3. |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Global footprint draws on a mix of EU and non-EU energy supplies depending on the colocation site; not exclusively EU or fully green-traceable. Kept at existing all-seal-4 choice. |