| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-2 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-2 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-2 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (Spanish company HQ Madrid, founder David Amorin, no controlling non-EU parent) -> SOV-1.1 opt4: legal entity entirely within the EU. (src: https://jotelulu.com/en-gb/about-jotelulu/) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Private VC-backed scale-up with mostly EU investors (Bankinter, Kibo, Adara) and a minority US fund (G2A); a future non-EU takeover is unlikely but not negligible -> opt4. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | low | EU-controlled provider with own R&D; partner/voice-of-customer channels give EU actors some influence over the roadmap, but no formal governance body is published -> opt3 (governance bodies with EU-actor participation, generous read). |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Majority of the ~12.7M raised comes from EU investors (Bankinter, Kibo, Adara, South Capital) with a minority from US fund G2A; majority EU funding -> opt4. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Spanish company, EU staff, EU data centres and EU SME/reseller customer base; economic contribution essentially fully in the EU -> opt5. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | CISPE member but no evidence of Gaia-X / IPCEI-CIS participation; limited participation in EU strategic programs -> opt2. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets itself as a European sovereign cloud with an action plan aligned to EU strategy, but no measured achievements or dedicated governance disclosed -> opt2 (existing action plan). |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | low | No own_stack: uses EU colocation (Equinix, Digital Realty, Data4) and commodity foreign hardware/hypervisor, so not full autonomy; as an EU operator of its own platform it could source alternatives or internalise key functions rather than face immediate shutdown -> opt4 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Spanish entity operating EU-only infrastructure under EU/Spanish/French law; contract under EU member-state law only -> opt3 (exclusively EU law). (src: https://jotelulu.com/en-gb/about-jotelulu/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | immunity is structural-only: EU-incorporated, EU-operated, no controlling non-EU parent shields from foreign law, but no SecNumCloud 3.2 / EUCS-High certified immunity -> opt4 'Legal structures shielding' (seal 2 ceiling), consistent with the Spanish-provider basis. (src: https://jotelulu.com/en-gb/about-jotelulu/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: wholly EU entity with no US/non-EU parent, not subject to the CLOUD Act/FISA/PRC law; can reject non-EU authority requests and respond only to lawful EU process -> opt5. |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | EU provider with revenues overwhelmingly within the EU (>50% EU revenue); no part of the offer is specifically certification-shielded from export controls -> opt3. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | medium | Orchestration/platform software is in-house Spanish IP (EU), but the stack relies on foreign-origin hardware, hypervisor/OS and some non-EU components; mixed within/outside EU -> opt3. |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | medium | Jotelulu's own IP is held under EU (Spanish) law; some third-party/open-source components carry non-EU licences -> opt4 (EU law with exceptions). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | Provides AES-256 encryption but as a managed IaaS/PaaS the provider retains operational key management; no documented HYOK, so shared with provider override -> opt3. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Provides protected logs and traceability via the control panel, but logging is vendor-controlled and not real-time independently auditable -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | ENS-High plus ISO 27001/HDS mandate verified media-sanitisation controls with access logging, so deletion is technically verified with logs (uniform sovereign-operator basis, consistent with the cluster) -> opt4. (src: https://jotelulu.com/blog/ens-alto-infraestructura-cloud/) |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | medium | eu_exclusive (scoped EU offer): operates EU-only data centres (Madrid, Paris, Portugal); CISPE Code of Conduct permits EU-only storage AND processing with no third-country fallback for the scoped offer -> opt5. (src: https://jotelulu.com/en-gb/about-jotelulu/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope EU AI service offered; no foreign-AI dependency to penalise -> opt4 (seal 3) per key SOV-3.5 'no in-scope AI service'. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Offers documented data export plus a formal Migrations product and standard IaaS interfaces enabling migration -> opt4 (formal migration services). |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: small Spanish company operating its own stack; the entire stack is managed by a fully EU-based team with no non-EU operating teams -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering/technical staff based in the EU (Spain, France, Portugal); no evidence of security-cleared staffing for opt5 -> opt4 (all EU staff). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support delivered to EU partners from Spain/France in local languages; EU-based staff without documented security clearances -> opt4 (all support in EU). |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation/knowledge base produced in-house in the EU; EU-primary with possible non-EU fallback, no explicit EU-only guarantee -> opt3 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | Relies on EU colocation and hardware suppliers; with contractual agreements service could continue temporarily, though some critical suppliers (hardware, network) are non-EU -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Physical components are foreign-made, but as an ISO 27001 / ENS-High certified operator Jotelulu provides component transparency to customers/auditors with exceptions (uniform sovereign-operator basis, consistent with the cluster) -> transparent with exceptions (opt3). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Server/storage hardware (Intel/AMD/NVIDIA OEMs) is foreign-manufactured but integrated and operated under ISO 27001 / ENS-High audited supply-chain controls (EU audit rights), matching the uniform key for EU sovereign providers -> mixed sourcing, EU audit rights (opt3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS/microcode in commodity hardware is foreign with only partial published provenance -> opt2. |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | Not foreign_core: core orchestration/platform is developed and maintained by Jotelulu's EU team, layered on open-source hypervisor/OS (not licensed Google/MS core); core essential parts maintained by EU teams -> opt3. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Software build and release controlled and executed by the EU-based engineering team in Spain; EU control and execution, no evidence of formal EU policy gates -> opt4. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Depends on a few non-EU vendors in critical services (chip/hardware vendors, commodity hypervisor), documented to a degree but a single point of dependency -> opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | ISO 27001 and data-centre certifications give audit rights over critical suppliers/data centres, but the full supply chain is not fully auditable -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | low | Provides APIs and standard storage/compute (S3-compatible) with some openness, but not open-by-default; mixed partial openness -> opt3. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Uses common protocols (S3-compatible object storage, standard remote desktop/storage) indicating partial core adoption of open standards, no formal all-services policy -> opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | Jotelulu's platform is proprietary and vendor-controlled but layered on open-source hypervisor/OS components (source not openly available), consistent with the other Spanish providers' proprietary-with-OSS-underpinnings posture -> opt2 (source available for review/strict rights, seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Publishes some architecture/security insight (blog, certification docs, security whitepapers) giving some public insight -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No in-scope EU HPC service; no imported black-box HPC dependency in the offer -> opt2 (EU-hosted/no in-scope HPC, seal 3) per key SOV-6.5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds ISO 27001 + HDS (health-data hosting) + ENS Alto (High) infrastructure certification (confirmed for the Spanish PA framework); per key, ENS-High is a high-assurance national cloud certification mapping to EAL3 (opt4), consistent with the other ENS-High Spanish providers -> opt4 (EAL3, seal 3). (src: https://jotelulu.com/blog/ens-alto-infraestructura-cloud/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR-compliant, CISPE Code of Conduct (CNIL-approved), ISO 27001, HDS and ENS certified; partial compliance to most EU regulations, NIS2/DORA not independently attested for all -> opt4. (src: https://jotelulu.com/en-gb/blog/new-certification-hds/) |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | EU company running security operations and incident response with EU teams in EU data centres; no ENISA/CSIRT information-sharing integration evidenced for opt5 -> opt4. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Provides direct access to protected logs and traceability via the control panel with EU-hosted logging in its EU DCs (ENS-High mandates security-log access/traceability); immutable tamper-proof logging not explicitly documented -> full direct access, logs stored in EU (opt4), consistent with the cluster. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | GDPR/NIS2-aligned incident disclosure expected from a certified EU provider; moderate compliance, no published real-time CSIRT sharing -> opt3. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operator of its own platform with moderate maintenance autonomy (notice and testing windows); dependence on third-party vendor patches for zero-days remains -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | low | audit_rights: the ENS-High sovereign offer for Spanish public administration implies tender-grade full audit rights for the contracting authority and independent EU bodies (uniform basis with the cluster's ENS-High/ACN-qualified members) -> full independent audit (opt5). (src: https://jotelulu.com/blog/ens-alto-infraestructura-cloud/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Modern certified EU data centres (ISO 50001 energy management) imply PUE under ~1.5 with an efficiency roadmap, no specific lower published figure -> opt3 (PUE<1.5 + roadmap). (src: https://jotelulu.com/en-gb/about-jotelulu/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Operates in data centres with documented circular/efficiency programs; a documented hardware reuse program is plausible but not evidenced as EU-certified lifecycle -> opt3. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | Performs an annual carbon-footprint audit and offsets it (ClimateTrade), i.e. an annual environmental report, not EU-audited to a formal methodology -> opt3. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | States 100% of data-centre energy from renewable sources (wind, hydro, solar) within EU facilities; only green EU energy supplies -> opt5. (src: https://jotelulu.com/en-gb/about-jotelulu/) |