| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: Greenhost B.V. incorporated/HQ in Amsterdam (Science Park 400), since Dec 2024 owned by The Sharing Group (Dutch steward-owned). Entity entirely within the EU -> opt4. (src: https://greenhost.net/contact/) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Owned by a Dutch steward-owned group explicitly building a European cloud alternative; non-EU takeover unlikely though not legally entrenched -> opt4. |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | eu_entity: small EU-owned provider building its own open-source platform in-house; EU actors fully control the roadmap -> opt4 (4). |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Funded by Dutch steward-owned The Sharing Group; no evidence of non-EU capital -> effectively entirely EU-based funding -> opt5. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, staff, Amsterdam DC and parent group all in NL; economic contribution fully in the EU -> opt5. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | No documented Gaia-X / IPCEI-CIS participation; involvement in EU strategic programs limited -> opt2. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | medium | Positions as a European alternative with a sustainability/privacy action plan, but no measured governance/dedicated means -> existing action plan, opt2. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: owns/operates its own hardware on open-source stacks (Xen, Ceph) and can internalise/source alternatives; foreign chips are residual hardware only -> Full autonomy & continuity, opt5 (key SOV-1.8 own_stack lever). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Wholly Dutch company, NL-based operations -> subject exclusively to EU (Dutch) law -> opt3 (4). (src: https://greenhost.net/legal/privacy-policy/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | immunity is structural-not-certified: pure-EU entity with no non-EU parent shields it from foreign law, but no SecNumCloud/EUCS-High verifying immunity -> opt4 'Legal structures shielding' (seal 2), not opt5. |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | immunity / no foreign_parent: no non-EU parent or nexus, strong digital-rights posture; foreign authorities have no compelled-access pathway and provider would reject/challenge -> opt5 (4). (src: https://greenhost.net/legal/privacy-policy/) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | EU provider with revenues overwhelmingly in the EU; no offer specifically shielded from export controls documented -> rests on >50% EU revenue threshold, opt3. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Platform software and in-house apps developed by the NL team on open-source foundations; IP mostly within the EU (upstream OSS international) -> opt4. |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | medium | IP Greenhost holds is under EU (Dutch) law; some upstream open-source IP carries non-EU licensing exceptions -> EU law with exceptions, opt4 (4). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | Optional encryption offered and privacy central, but on managed IaaS the provider retains admin access and can technically read data; no customer-exclusive HYOK so control is shared with provider override -> opt3 (shared). Normalised to the common OpenStack/managed-IaaS key-control posture across the pure-EU Benelux providers. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Control panel and standard logging exist, but no real-time independently auditable access logs; logs vendor-controlled -> opt3 (2). |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Standard hosting deletion follows internal policy/teardown but no technically verified or independently audited proof of erasure -> internal validation per policy, opt3 (seal 1). Normalised to the other pure-EU Benelux providers (all policy-only deletion, same seal). |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | high | NOT eu_exclusive (genuine differentiator vs the EU-exclusive cluster peers): Amsterdam DC is primary, but Greenhost's own 2021-2024 sustainability report documents East-Asia and (now-decommissioned 2025) Miami facilities with no contractual no-third-country-fallback guarantee -> EU by default with tightly controlled exceptions, opt4 (seal 1). (src: https://greenhost.net/sustainable/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope first-party AI service -> no foreign-AI dependency; key SOV-3.5 'no in-scope AI service' -> opt4 (3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Built on open standards/open-source (Xen, Ceph, standard images); standard documented export/migration paths exist, no formal managed migration service -> opt3 (4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | eu_ops: entire stack operated by Greenhost's own NL-based team; no foreign operational dependency -> opt5 (4). |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Staff based in NL; no documented security-clearance program -> all EU staff, opt4 (3). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support provided by the Dutch team in the EU; no non-EU outsourcing, no formal clearance program -> all support in EU, opt4 (3). |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation/knowledge maintained in-house in the EU; no non-EU repositories indicated -> EU-only primary repositories, opt4 (4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | own_stack: runs own hardware on open-source software; on loss of a subcontractor it can source alternatives/internalise, though some hardware suppliers non-EU -> opt4 (3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Uses Intel Xeon CPUs and SSD/Ceph storage of foreign origin; component provenance only partially disclosed -> opt2 (1). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Server hardware (Intel Xeon, SSDs) manufactured outside the EU with only partial origin disclosure -> opt2 (1). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in CPUs, drives and NICs is foreign/proprietary with only partial disclosure -> opt2 (4). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | NOT foreign_core: platform is open-source (Xen, Ceph, HAProxy, GitLab) with in-house custom apps by the EU team; large majority of software stack EU-maintained or open/auditable -> opt4 (3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | In-house software developed and released by the NL team (GitLab); build/release under EU control & execution, no documented formal policy gates -> opt4 (3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Foreign vendors for critical hardware (CPUs, drives) but open-source stack reduces lock-in; few non-EU in critical services, documented -> opt3 (2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Operates own infrastructure with a known DC partner; critical suppliers identifiable/auditable but no full audited supply chain -> opt3 (2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Built on open-source components and standard interfaces (standard VMs, disk images, S3-compatible/Ceph); standards-based and broadly compatible -> opt4 (3). |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Open standards across most core services (open-source virtualization, storage, networking); consistent though not formally certified for all -> opt4 (3). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | NOT foreign_core: relies on and contributes to open-source and builds open-source apps in-house, but deployment governance centralised in the provider -> open source, centralised governance, opt3 (3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Some public insight into architecture/open-source choices via blog/docs, not a large public corpus or customer co-development -> opt3 (3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No in-scope HPC offering -> EU-hosted/no-in-scope-HPC mapping, opt2 (3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 1. EAL0 / none | 0/143 | SEAL-1 | medium | No company-level certification: Greenhost holds no SecNumCloud/EUCS/C5/ENS/ISO 27001/SOC2/Common Criteria for its own platform (only its colocation DC, Iron Mountain AMS-1, is ISO-27001 certified) -> EAL0/none, opt1 (seal 1). Genuine differentiator vs cluster peers that hold their own ISO 27001. This caps the overall SEAL at 1. (src: https://greenhost.net/sustainable/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | Dutch provider adhering to GDPR with strong privacy stance, but no documented independent NIS2/DORA audits -> moderate compliance, opt3 (4). |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | eu_ops: security/incident handling in-house by the EU-based team with no non-EU escalation; ENISA threat-intel sharing not documented -> entire lifecycle EU teams, opt4 (3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get monitoring/control-panel access and logs held in the EU DC; no documented immutable tamper-proof guarantee -> full access, logs in EU, opt4 (3). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | EU provider following GDPR/NIS2-aligned breach-notification; no documented SLA-monitored or real-time CSIRT sharing -> moderate, opt3 (2). |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | own_stack: operates its own open-source stack on owned hardware and deploys patches/maintenance independently -> high maintenance autonomy, opt4 (4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | NOT audit_rights: open-source basis aids inspection but no documented full independent third-party audit right for any entity (no SecNumCloud/sovereign-offer terms implying it) -> limited independent access, opt2 (seal 1). Caps SEAL at 1. (src: https://greenhost.net/sustainable/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 5. PUE < 1.2, EU verified | 250/250 | SEAL-4 | high | Published sustainability report states the Amsterdam DC (Iron Mountain AMS-1) operates at PUE 1.2 with EU operation -> PUE < 1.2 EU verified, opt5 (4). (src: https://greenhost.net/sustainable/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | medium | Documented circular practices (three-Rs, certified recycling partners, donating decommissioned servers); documented program but not formally EU-certified lifecycle -> opt3 (3). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | high | Publishes a detailed sustainability report (2021-2024) with energy/PUE data while acknowledging gaps -> annual report tier, opt3 (2). (src: https://greenhost.net/sustainable/) |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Amsterdam operations run on 100% Dutch wind energy -> only green EU energy supplies, opt5 (4). (src: https://greenhost.net/sustainable/) |