| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-2 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 2. Mostly outside the EU | 42/125 | SEAL-1 | high | Not eu_entity: Infomaniak SA is incorporated and headquartered in Geneva, Switzerland, a third country (not EU/EEA), with no EU legal entity, so entity control sits mostly outside the EU -> SOV-1.1 opt2 (seal 1; consistent with the other Swiss-incorporated peers). (src: https://www.infomaniak.com/en/support/faq/71/discover-infomaniak) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Since May 2026 majority voting rights are held by the Swiss public-interest Infomaniak Foundation with non-transferable blocking shares; no acquisition possible without Foundation approval, making takeover by a non-EU sovereign entity very unlikely. (src: https://news.infomaniak.com/en/infomaniak-foundation-sovereign-cloud/) |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap is controlled by Swiss management/Foundation; customers influence mainly via public/voice-of-customer channels, with no formal EU-actor governance body over the roadmap -> opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Privately funded by founders/employees and now a Swiss foundation, profitable and self-financed with no foreign hyperscaler/US capital; free of non-EU capital dependency in the relevant sense. |
| SOV-1.5 | EU economic contribution | 3. Balanced EU/non-EU | 63/125 | SEAL-4 | medium | Economic activity and jobs are concentrated in Switzerland (third country) with a growing European customer base; contribution to the EU economy is balanced rather than majority-in-EU. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | Positions itself as a European sovereign-cloud advocate (joined CISPE) but as a Swiss entity has limited formal participation in EU strategic programs such as Gaia-X or IPCEI-CIS. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | medium | Has an explicit ethical/sovereign-cloud action plan and public advocacy aligned with EU digital-sovereignty goals, but no EU-mandated governance measuring achievement against EU industrial strategy -> opt2. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: owns and operates its Swiss data centers (designed/built by Infomaniak), OpenStack plus in-house tooling, own SRE teams and own renewable energy; continuity depends on no non-EU vendor (only residual foreign chips), with documented self-operation -> opt5 full autonomy & continuity. Genuine differentiator vs colo-tenant peers (owns DCs + own energy). (src: https://www.infomaniak.com/en/hosting/datacenter-housing) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Primary jurisdiction is Swiss law (nFADP), a third country, not EU. Services are GDPR-aligned for EU customers, giving mixed EU/non-EU legal footing rather than exclusively EU law -> opt2 (seal 1; uniform across the Swiss cluster). (src: https://www.infomaniak.com/en/trust-center) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | high | Pure-Swiss company with no US/foreign subsidiary; structurally shielded from US CLOUD Act/FISA. But not eu_entity and holds no SecNumCloud/EUCS-High, so immunity is structural-not-certified and Swiss (non-EU) law still applies -> opt4 legal structures shielding (seal 2), not opt5. (src: https://www.infomaniak.com/en/sovereign-cloud) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: 100% Swiss, Foundation-controlled, Swiss-only hosting; not subject to US CLOUD Act/FISA or PRC law. Foreign-authority requests can only proceed via Swiss mutual-assistance channels (not direct compelled access) and Infomaniak commits to contest them -> requests always rejected, opt5 (seal 4). Normalised to opt5 for consistency with the identical pure-Swiss-no-foreign-parent peers Safe-Swiss-Cloud and Nine (Swiss domestic MLA is not 'non-EU compelled access' in the CLOUD-Act sense). (src: https://www.infomaniak.com/en/sovereign-cloud) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | No export-control restrictions toward EU MSs; Switzerland not under foreign export regimes affecting EU customers and a large revenue share is European, but no formal EU-MS shielding mechanism -> opt3. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | medium | Core platform IP (in-house tools, OpenStack-based stack) is Swiss/open-source; significant building blocks are open-source and Swiss-developed, giving mixed within/outside-EU IP origin (Switzerland being a third country). |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | medium | IP is held under Swiss law (single non-EU country) with open-source components under mixed/EU-friendly licenses; treated as mixed-law with some EU exposure -> opt3. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | Standard provider-managed encryption with some customer key options for certain services; provider generally retains override/operational keys, so control is shared rather than exclusively customer-held -> opt3. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Provides access and activity logs to customers, but vendor-controlled and not described as real-time independently auditable across all services -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Documented deletion processes under ISO 27001/GDPR policy with internal validation, but no published independently verified cryptographic proof-of-erasure -> opt3 (policy with internal validation). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | Not eu_exclusive: data hosted exclusively in Swiss data centers (Geneva, Winterthur), no EU/EEA region offered. Per the rubric Switzerland is a third country, so this is partly-EU with significant third-country (Swiss) reliance, not exclusively EU/EEA -> opt2 (seal 0). This is the SEAL-0 gate, shared with the other Swiss-only-hosting peers Safe-Swiss-Cloud and Nine. (src: https://www.infomaniak.com/en/hosting/datacenter-housing) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | Curated sovereign-AI service: open-source/auditable models served via an OpenAI-compatible API hosted in Switzerland, EU/Swiss-led, running on foreign Nvidia L4/A100/H100 accelerators -> EU-led AI on foreign accelerators, opt4 (seal 3). Normalised to match the equivalent curated open-model AI offering of Safe-Swiss-Cloud. (src: https://www.infomaniak.com/en/hosting/ai-tools) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Open-source OpenStack/Kubernetes/Jelastic stack with documented export and formal migration paths; customers can move to or combine other providers with migration assistance -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 3. Ops balanced EU/non-EU teams | 84/167 | SEAL-3 | high | Entire stack managed by Infomaniak's own SRE teams with no foreign (US/Asia) intermediary, fully self-sufficient in one country; but staff are Swiss (third-country) not EU, so from the EU-sourcing standpoint this is balanced/non-EU teams -> opt3 (seal 3). Normalised to the Swiss-in-house-ops tier shared with Safe-Swiss-Cloud and Nine. (src: https://www.infomaniak.com/en/sovereign-cloud) |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | Engineering/operations talent concentrated in Switzerland with no offshore (US/Asia) escalation, but Switzerland is outside the EU/EEA, so EU skill availability is majority-outside-EU -> opt2 (seal 1). Normalised to the Swiss-only-skills tier shared with Safe-Swiss-Cloud and Nine. (src: https://www.infomaniak.com/en/sovereign-cloud) |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | medium | Support provided in-house from Switzerland in multiple European languages with no non-EU outsourcing; majority-local support without offshore escalation, but Swiss not EU -> opt3. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation and knowledge maintained in-house in Switzerland (a third country); no enforced EU-region repositories, so EU placement is optional/not enforced -> opt2 (seal 2). Normalised to the Swiss-only-docs tier shared with Safe-Swiss-Cloud and Nine. (src: https://www.infomaniak.com/en/sovereign-cloud) |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | own_stack: minimal critical subcontractors; owns its data centers and uses open-source software, so on supplier cut-off it can source alternatives or internalise rather than face shutdown -> opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | Publishes meaningful component choices (Swissbit SSDs, Meyer-Burger panels, named GPUs) showing transparency with exceptions, though not full EU-certified provenance for all parts -> opt3. |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Servers assembled/integrated by Infomaniak with mixed sourcing including European components and Swiss build, but base silicon is of foreign design/manufacture; mixed sourcing with audit rights -> opt3. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in CPUs, GPUs and SSDs comes from foreign vendors with only partial provenance disclosure; no full firmware transparency published -> opt2. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | high | No foreign_core: software stack is open-source (OpenStack, Kubernetes) plus extensive in-house tooling (e.g. OpenStack Cluster Installer) maintained by Infomaniak's own teams; large majority maintained in-house -> opt4. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Build and release controlled and executed by Infomaniak's own teams in Switzerland; in-house control and execution, without formal external EU policy-gate certification -> opt4. |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | medium | own_stack: few non-EU dependencies remain only in non-critical hardware (chips/GPUs); core operations rely on no single non-EU vendor or facility, documented and self-operated -> opt4. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers and own data centers auditable via ISO 27001/14001/50001 third-party audits, but no published full all-supplier auditable supply chain -> opt3. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Built on standards-based open-source platforms (OpenStack, Kubernetes, S3-compatible APIs) that are broadly compatible and portable, but not entirely open-by-default across every product -> opt4. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Adopts open standards (OpenStack APIs, S3, Kubernetes, OpenAI-compatible API) as policy for most core services -> opt4. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | No foreign_core: core infrastructure rests on fully open-source software with substantial in-house contributions, but upstream governance is centralised/community-led rather than Infomaniak-EU-governed -> opt3 open source, centralised governance. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Provides substantial public insight into its architecture, data-center design and operations via detailed technical posts, giving meaningful public transparency -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/GPU compute is EU-region-hosted (Swiss data centers) but built on a foreign stack (Nvidia A100/H100 and their software), i.e. EU-hosted foreign HPC stack -> opt2 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | medium | No SecNumCloud/EUCS/C5/Common Criteria EAL; holds ISO 27001:2022 (since 2018) plus ISO 9001/14001/50001, but no SOC 2 or C5. Per key, ISO 27001 only maps to EAL1 -> opt2 (seal 1). (src: https://www.infomaniak.com/en/certifications) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | Demonstrably GDPR- and nFADP-compliant with ISO 27001/9001/14001/50001, addressing most EU regulatory expectations; partial compliance across GDPR/NIS2/DORA without a single audit covering all three -> opt4. |
| SOV-7.3 | EU-based SOC & incident handling | 3. Primary SOC in EU, escalations non-EU | 72/143 | SEAL-1 | medium | Security operations and incident handling run end-to-end by Infomaniak's own teams, but the SOC is located in Switzerland (outside the EU), so the EU-lifecycle tiers (opt4/opt5) do not strictly apply -> primary SOC in-region with non-EU location, opt3 (seal 1). Normalised to the Swiss-in-house-SOC tier shared with Safe-Swiss-Cloud and Nine. (src: https://www.infomaniak.com/en/trust-center) |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get direct access to monitoring and logs, but logs are stored in Swiss (non-EU) data centers, so the EU-storage tiers (opt4/opt5 'logs stored in EU') do not apply -> monitoring portal/basic access, opt3 (seal 1). Normalised to the Swiss-only-log-residency tier shared with Safe-Swiss-Cloud and Nine. (src: https://www.infomaniak.com/en/trust-center) |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure aligned with GDPR/nFADP notification obligations; moderate compliance with documented breach-notification practices -> opt3. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | Owning and operating its own stack, Infomaniak can deploy patches and maintenance independently on its own schedule without vendor dependence -> opt4 high autonomy. |
| SOV-7.7 | Auditability | 3. Partial independent control | 72/143 | SEAL-1 | low | Independent third-party audits exist for ISO security/quality/energy management systems, giving partial independent control, but no audit_rights-grade full audit by any independent EU body -> opt3. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 5. PUE < 1.2, EU verified | 250/250 | SEAL-4 | high | Geneva data center (inaugurated 2025) operates at PUE 1.09, verified, well below the 1.2 threshold -> opt5. (src: https://www.infomaniak.com/en/ecology/certificates-rewards) |
| SOV-8.2 | Hardware reuse & recycling | 4. Circular economy, EU-aligned | 188/250 | SEAL-4 | high | Documented circular-economy program: upgrades/reuses servers to ~10-year lifespan and recovers 100% of waste heat to warm local buildings, aligned with EU sustainability practices -> opt4. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | Publishes regular environmental/ecology reporting and certificates; annual-report-level disclosure rather than fully EU-audited environmental accounting -> opt3. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Powered entirely by renewable energy (Swiss hydro plus solar) with own/European solar panels; green energy supplies (sourced in Switzerland rather than EU grid) -> opt5. (src: https://www.infomaniak.com/en/ecology/certificates-rewards) |