| SOV-1 Strategic Sovereignty | SEAL-3 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-3 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | Elastx AB is a Swedish company incorporated in Stockholm, majority-owned (53%) by Swedish investment firm Sobro; states no ownership ties outside Sweden. Entirely within the EU. (src: https://elastx.se/en/overview) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Privately held by Swedish owner Sobro (Swedish unlisted-company investor); no indication of imminent non-EU takeover, but as a small (~20 staff) private firm a future sale is not impossible, so 'unlikely' rather than 'very unlikely'. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | low | eu_entity (pure-SE, EU-controlled roadmap with own internal R&D on OpenStack) -> SOV-1.3 opt3; EU governance with some external (upstream) influence, no foreign-set roadmap. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Funding comes from Swedish owner Sobro and the Swedish business; no evidence of non-EU capital, so effectively entirely EU-based funding. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | All operations, data centers, and staff are in Sweden; economic contribution is fully within the EU. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | Active in the OpenInfra/OpenStack community but no evidence of participation in EU strategic programs such as Gaia-X or IPCEI-CIS; limited participation at best. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets full Swedish digital sovereignty and uses pure open source, indicating an action plan aligned with EU digital-autonomy goals, but no measured governance evidence published. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack (owns/operates all infra, all-Swedish staff, pure open-source OpenStack/Kubernetes; only residual non-EU chips) + documented continuity -> SOV-1.8 opt5 Full autonomy & continuity. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | A wholly Swedish-incorporated company operating only in Sweden; subject exclusively to Swedish/EU law. (src: https://elastx.se/en/security) |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity (pure-SE entity, no non-EU parent/subsidiary/operational nexus a foreign authority could compel) -> SOV-2.2 opt5 verified legal immunity. |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent + immunity (pure-SE, not subject to CLOUD Act/FISA/PRC law) -> SOV-2.3 opt5 requests always rejected. (src: https://elastx.se/en/security) |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | low | No non-EU technology under export-control gating its offer; a fully Swedish open-source stack is shielded from foreign export restrictions toward EU Member States and international orgs. (src: https://elastx.se/en/security) |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | medium | Core platform IP is open-source OpenStack (globally developed, much from outside the EU) integrated and operated by Elastx in Sweden; mixed within/outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | Open-source software is governed under mixed licenses/foundations (OpenInfra is US-based) while Elastx's own integrations fall under EU law; mixed law with some EU. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | medium | Offers encryption at rest with an HSM cluster and OpenStack Barbican for customer-managed secrets; customers can control keys, but as operator Elastx retains technical ability to access data. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Logging/monitoring is available on the platform and vendor-operated; no evidence of independently auditable real-time customer oversight. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Storage is encrypted at rest and managed per policy, but no published proof-of-erasure or independent verification mechanism; internal validation per policy. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive (stored AND processed only in two Swedish regions/three AZs, no third-country fallback) -> SOV-3.4 opt5 exclusively EU. (src: https://elastx.se/en/security) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No managed black-box AI service: GPUs offered in IaaS/CaaS on foreign (NVIDIA) chips with an auditable open-source stack; customers run their own models, so no foreign-AI lock-in -> key judgment-call (no in-scope foreign AI dependency / EU-led AI on foreign accelerators) -> SOV-3.5 opt4 (seal 3), consistent with the OpenStack Nordic peers. (src: https://elastx.se/en/openstack) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Built on standard OpenStack/Kubernetes APIs with documented data-export methods, enabling portability; no evidence of formal turnkey migration services. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | eu_ops + own_stack (entire open-source stack operated by an all-Swedish team, no foreign operational dependency) -> SOV-4.2 opt5 fully EU stack+team. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | high | eu_ops: all staff Swedish citizens with annual background checks but no formal security clearance -> per key EU staff -> SOV-4.3 opt4 (clearance would be opt5). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | high | Support is kept in Sweden with all-Swedish staff; background checks suggest vetting though not formal security clearances, so all support staff in EU. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | medium | Operations and documentation are kept in Sweden with an all-Swedish team; EU-only primary repositories are the natural arrangement, though end-to-end EU-only is not explicitly certified. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | own_stack: owns/manages all infra on open-source software, can source alternatives/internalise if a subcontractor were lost -> SOV-4.6 opt4 continuity via alternatives. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Server/hardware physical components (CPUs, storage) are foreign-sourced from global OEMs; no detailed bill-of-materials provenance published, so partial disclosure. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Hardware is manufactured outside the EU by global vendors; only partial disclosure of sourcing, foreign manufacturing origin. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code on servers and chips comes from foreign OEMs with no published provenance; partial disclosure at best. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core (core is pure unmodified open-source OpenStack/Kubernetes, not licensed Google/MS); the large majority of deployed/operated software is integrated and maintained by Elastx's EU team -> SOV-5.4 opt4 'Large majority maintained by EU teams' (seal 3), consistent with the other pure-OpenStack Nordic peers. (src: https://elastx.se/en/openstack) |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Elastx deploys and operates its own platform from Sweden with a Swedish team; build/release control and execution are EU-based, though without published formal policy gates. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Hardware OEMs and chip vendors are non-EU single points in the critical supply chain; documented as standard server hardware, so few non-EU dependencies in critical services. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical infrastructure suppliers are identifiable/auditable for ISO 27001 purposes, but full upstream supply-chain auditability is not demonstrated. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | Built on pure, unmodified OpenStack and Kubernetes with open APIs; open-by-default with strong portability and no proprietary lock-in layers. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | high | Core services use open standards (OpenStack, Kubernetes, S3-compatible object storage); a clear policy of open standards across most core services. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | No foreign_core; fully open-source (OpenStack/Kubernetes) but upstream governance centralised in non-EU foundations -> SOV-6.3 opt3 open source, centralised governance. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Architecture is documented publicly and based on well-known open-source components, giving meaningful public insight into the service design. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | EU-hosted GPU capability in Sweden running a foreign (NVIDIA) stack; no EU-designed HPC -> per key EU-hosted foreign stack/no in-scope HPC maps to opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | high | Holds ISO 27001/27017/27018 only; no SecNumCloud/EUCS/C5/ENS/Common Criteria EAL -> per key ISO-only maps to opt2 (EAL1-equiv, seal 1). This caps the SEAL. (src: https://elastx.se/en/security) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Demonstrates GDPR compliance and ISO 27001/27017/27018/14001 certification (independently audited); as a Swedish CSP it falls under NIS2/DORA scope, but full audited compliance to all three is not explicitly evidenced, so partial compliance to most. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | All platforms are monitored 24x7 with all-Swedish staff and data/support kept in Sweden; the full incident lifecycle is handled by EU teams, though formal ENISA/CSIRT sharing is not documented. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Logs are stored in Swedish data centers and monitoring access is provided to customers; full direct access with EU log storage, but no claim of immutable tamper-proof logging. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | As a GDPR/NIS2-bound Swedish CSP, incident disclosure is aligned with EU breach-notification requirements; no evidence of real-time CSIRT integration. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | Owns and operates the full open-source stack with a Swedish team, giving high autonomy to deploy maintenance independently without third-party vendor scheduling. |
| SOV-7.7 | Auditability | 3. Partial independent control | 72/143 | SEAL-1 | low | No audit_rights cert (lacks SecNumCloud/EUCS-High); audits only via ISO certification bodies, no contractual full audit by contracting authority + independent EU bodies -> SOV-7.7 opt3 (seal 1). Caps the SEAL. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Modern Swedish data centers optimised for energy efficiency on renewable power with ISO 14001, implying PUE under ~1.5 with an efficiency roadmap, though no specific PUE figure is published. (src: https://elastx.se/en/security) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | ISO 14001 environmental management implies a documented hardware lifecycle/recycling program, but no detailed circular-economy or EU-certified lifecycle evidence published. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | ISO 14001 certification entails environmental reporting; an annual-report level of environmental disclosure is implied, but no detailed EU-methodology or audited footprint figures published. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Data centers are powered exclusively by green/renewable energy in Sweden (high-renewable grid), i.e. only green EU energy supplies. (src: https://elastx.se/en/security) |