| ID | Dimension | SEAL |
|---|---|---|
| SOV-1 | Strategic Sovereignty | SEAL-2 |
| SOV-2 | Legal & Jurisdictional Sovereignty | SEAL-1 |
| SOV-3 | Data & AI Sovereignty | SEAL-0 |
| SOV-4 | Operational Sovereignty | SEAL-1 |
| SOV-5 | Supply Chain Sovereignty | SEAL-1 |
| SOV-6 | Technology Sovereignty | SEAL-2 |
| SOV-7 | Security & Compliance Sovereignty | SEAL-1 |
| SOV-8 | Environmental Sustainability | SEAL-0 |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 3. Mostly within the EU | 83/125 | SEAL-3 | high | foreign_parent: the operating entity Contabo GmbH is German (Munich), but since June 2022 the majority shareholder has been the US private-equity firm KKR, with Oakley Capital and management holding minority stakes. Ultimate control therefore sits outside the EU, so control is 'mostly within the EU' (opt3), not entirely. (src: https://www.oakleycapital.com/news-and-insights/oakley-capital-agrees-sale-of-contabo-and-follow-on-investment) |
| SOV-1.2 | Change of control risk | 2. Likely takeover/transfer to non-EU sovereign entity | 31/125 | SEAL-4 | high | Contabo is a PE portfolio company; KKR acquired it in 2022 as a financial sponsor whose exit path is a further sale/transfer. Change-of-control to a non-EU acquirer is likely (opt2). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap is set by the company and its US PE owners; customers have only voice-of-the-customer feedback channels, with no EU governance body controlling the roadmap (opt2). |
| SOV-1.4 | Financial independence from non-EU capital | 2. Mostly relying on non-EU funding | 31/125 | SEAL-4 | high | Majority-owned and capitalised by US fund KKR; funding relies mostly on non-EU capital with EU/UK minority and management stakes (opt2). |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | Headquarters and main engineering offices (Munich, Cologne, Nuremberg, Prague) plus original German data centres mean a majority of jobs/economic activity are in the EU (opt4). [all-SEAL-4 factor, kept] |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No evidence of Contabo participating in EU strategic programs (Gaia-X, IPCEI-CIS); it positions itself as a commercial low-cost global host (opt1). [all-SEAL-4 factor, kept] |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | Contabo markets on price/performance globally with no published action plan or governance aligned with EU digital-sovereignty industrial strategy (opt1). [all-SEAL-4 factor, kept] |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | No own_stack: IaaS on its own German DCs but on commodity non-EU silicon under a US owner; service could continue temporarily per contract if a relationship were cut, but full autonomy is not demonstrated (opt3, seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Contracts are with Contabo GmbH under German law, but the US controlling parent (KKR) and non-EU data-centre footprint create mixed EU/non-EU jurisdictional exposure rather than exclusively EU law (opt2). (src: https://hrnxt.com/news/investment/acquisition/kkr-to-acquire-majority-stake-in-global-cloud-infrastructure-and-hosting-provider-contabo/49691/2022/06/08/) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | No immunity: the German entity offers GDPR contractual protections, but its US controlling shareholder (KKR) exposes the group to US extraterritorial pressure; mitigation clauses exist but exposure remains, with no SecNumCloud-style immunity (opt2). (src: https://hrnxt.com/news/investment/acquisition/kkr-to-acquire-majority-stake-in-global-cloud-infrastructure-and-hosting-provider-contabo/49691/2022/06/08/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent (US-owned via KKR): the group is within reach of US CLOUD Act/FISA compelled access for data held by group entities, and no guarantee of refusal is published; access can be compelled without notification in specific cases (opt2, seal 1). (src: https://hrnxt.com/news/investment/acquisition/kkr-to-acquire-majority-stake-in-global-cloud-infrastructure-and-hosting-provider-contabo/49691/2022/06/08/) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | Contabo serves ~150 countries; non-EU revenue is large, but the German entity is not itself an instrument of US sanctions against EU Member States. Scored conservatively at the >50%-EU threshold given the uncertainty (opt3). |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | low | Core operational IP is a standard hosting/virtualisation (KVM) stack maintained by German teams, but hardware, CPU and hypervisor-adjacent IP originates outside the EU; mixed origin (opt3). [all-SEAL-4 factor, kept] |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | Software IP is a mix of in-house/open-source under EU control and third-party components under non-EU law, with the US parent influencing the group; mixed law with some EU (opt3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | medium | Standard low-cost VPS/dedicated servers do not offer customer-exclusive key management; encryption is primarily provider/OS-managed and the provider retains infrastructure access (opt2). |
| SOV-3.2 | Transparent data flows & access logs | 2. Basic incomplete logs | 50/200 | SEAL-1 | low | Contabo provides a control panel and basic logging, but no comprehensive real-time customer-controlled data-access logs or independent auditability of provider access (opt2). |
| SOV-3.3 | Secure deletion & proof of erasure | 2. Manual confirmation only | 50/200 | SEAL-1 | low | Deletion on cancellation is per policy with at most manual confirmation; no published cryptographic proof or independent verification of irreversible erasure (opt2). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | No eu_exclusive: customers may opt into an EU region, but Contabo runs a global network of ~23 DCs across Europe, the US and Asia under a US owner. Global default product with significant third-country reliance, not EU-exclusive (opt2, seal 0). (src: https://hrnxt.com/news/investment/acquisition/kkr-to-acquire-majority-stake-in-global-cloud-infrastructure-and-hosting-provider-contabo/49691/2022/06/08/) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | low | Contabo offers GPU/AI compute on NVIDIA accelerators with licensed/foreign AI software rather than EU-origin models; mostly non-EU with chip dependency (opt2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard IaaS with documented data export, snapshots/images, SSH/standard OS access and APIs; portability via standard documented methods (opt3, seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 2. Ops partially sourced within EU | 42/167 | SEAL-1 | medium | No eu_ops: operations rely on globally distributed remote teams and a US owner; some ops are EU-sourced (German DCs/offices) but the team is not predominantly EU-confined (opt2). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | low | Contabo's teams work remotely worldwide alongside EU offices; the skill base is mixed with a meaningful non-EU share rather than majority-EU (opt2). |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | Support is global 24/7 with teams worldwide; a meaningful share sits outside the EU, so support is mixed rather than majority-EU (opt2). |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation and knowledge management serve a global customer base and distributed teams; EU-only handling is not enforced (opt2). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | Reliant on non-EU hardware vendors and a US owner; if a critical supplier relationship were cut, service would degrade/stop with delay rather than continue autonomously (opt2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Contabo runs commodity enterprise hardware but does not publish a detailed bill of materials/provenance; only partial disclosure (opt2). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers use foreign-designed and foreign-manufactured silicon (Intel/AMD CPUs, NVIDIA GPUs); manufacturing is foreign with only partial disclosure (opt2). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in CPUs, GPUs, NICs and BMCs comes from non-EU vendors; at most partial disclosure of embedded-code provenance (opt2). [all-SEAL-4 factor, kept] |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | low | Not foreign_core: the hypervisor/management core is KVM and open source, operated by Contabo's German/EU teams rather than a licensed Google/Microsoft stack; core/essential parts are maintained by EU teams (opt3, seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 3. Non-EU control, EU execution | 72/143 | SEAL-3 | low | Contabo's own management/control-panel software is built and operated by its German/EU teams (EU execution) but under a US-owned corporate group rather than independent EU control; EU execution under non-EU control (opt3). |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | low | Critical supply (CPUs, GPUs, network silicon) depends on non-EU vendors with limited documentation; mostly non-EU dependency in the critical hardware path (opt2). |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers/processes are auditable under ISO 27001, but Contabo does not publish comprehensive supply-chain auditability covering critical hardware suppliers (opt2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Contabo exposes a documented public API and standard OS/SSH access with broadly compatible tooling, but the control plane is proprietary; partial openness (opt3). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Core services use open/standard interfaces (standard Linux/Windows images, S3-compatible object storage, standard networking) for many services but without a comprehensive open-standards policy across all (opt3). |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | Contabo's control-panel/service software is proprietary and vendor-controlled; while it runs open-source components like KVM, its own service software is source-available/closed rather than openly governed (opt2, seal 2). |
| SOV-6.4 | Service architecture transparency | 2. Insight accessible during audits | 50/200 | SEAL-2 | low | Architecture details are disclosed mainly through documentation/certification audits rather than rich public insight or customer co-creation (opt2). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No in-scope EU HPC stack: any HPC/GPU compute is EU-hosted on a foreign stack (NVIDIA accelerators, foreign CPUs) under Contabo's own operation, which is better than an imported black box with no controls but still not EU technology; EU-hosted, foreign stack (opt2, seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | medium | No Common Criteria EAL or SecNumCloud/EUCS/C5 certification is published for the Contabo platform; security is evidenced via ISO 27001 (German DCs certified) only. Per the key, ISO 27001-only maps to opt2 'EAL1' (seal 1), consistent with the other ISO-only cluster members. |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | Contabo offers Art. 28 GDPR DPAs and ISO 27001 certification (moderate compliance), but no comprehensive independently audited NIS2/DORA conformity is published (opt3). [all-SEAL-4 factor, kept] |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | With a globally distributed team and 24/7 global operations, security operations/incident handling are hybrid EU/non-EU rather than EU-exclusive (opt2). |
| SOV-7.4 | Control over security monitoring/logging | 2. Customers receive periodic reports | 36/143 | SEAL-1 | low | Customers get basic monitoring via the control panel and periodic information; no full customer-controlled, EU-stored, tamper-proof security logging (opt2). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | As a German entity Contabo is subject to GDPR/NIS2-aligned breach-notification obligations (moderate disclosure); no published real-time CSIRT sharing (opt3). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | As operator of its own data centres on commodity hardware, Contabo schedules and applies maintenance/patching with notice to customers; moderate maintenance autonomy (opt3, seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: independent audit access is limited to certification bodies (ISO 27001) rather than full audit by the contracting authority or any independent EU body (opt2, seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 2. PUE < 3 | 63/250 | SEAL-1 | medium | Contabo targets PUE 1.3 only by 2030 and cites unspecified 'excellent' ratios via free-air/groundwater cooling; no verified current PUE below 1.5 is published (opt2). (src: https://contabo.com/en-us/sustainability/) |
| SOV-8.2 | Hardware reuse & recycling | 2. Basic circular practices | 63/250 | SEAL-0 | low | Contabo references energy-efficient hardware choices but publishes no documented hardware reuse/recycling/circular-economy program; basic circular practices at most (opt2, seal 0). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | Contabo completed its first GHG inventory in 2023 and commits to repeating it annually with SBTi-aligned targets; an annual report exists but is not yet EU-audited (opt3). |
| SOV-8.4 | Energy supplies | 2. Only EU energy supplies | 63/250 | SEAL-4 | medium | Contabo states 100% of procured energy is certified green, but data centres span non-EU regions (US, Asia, UK, Australia), so energy is not exclusively EU-sourced; scored conservatively (opt2). [all-SEAL-4 factor] (src: https://contabo.com/en-us/sustainability/) |