| SOV-1 Strategic Sovereignty | SEAL-1 |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 |
| SOV-3 Data & AI Sovereignty | SEAL-0 |
| SOV-4 Operational Sovereignty | SEAL-1 |
| SOV-5 Supply Chain Sovereignty | SEAL-1 |
| SOV-6 Technology Sovereignty | SEAL-2 |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 |
| SOV-8 Environmental Sustainability | SEAL-2 |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 2. Mostly outside the EU | 42/125 | SEAL-1 | high | no eu_entity (Krystal Hosting Ltd incorporated in England and Wales, company 07571790, HQ London; UK is a third country outside EU/EEA), but a real EU footprint via the Amsterdam (NL) Katapult region keeps some presence in the EU -> SOV-1.1 opt2 'mostly outside the EU' (seal 1). Aligned with the other EU-footprint cluster member (Civo). (src: https://find-and-update.company-information.service.gov.uk/company/07571790) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Privately held, founder-owned (Simon Blackler majority shareholder) independent UK company, the UK's largest independently owned host; takeover/transfer to a non-EU sovereign entity is very unlikely -> opt5 (all-SEAL-4 factor, existing choice kept). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | Roadmap set internally by the private UK company; EU customers have only standard 'voice of the customer' feedback channels, no governance bodies with EU-actor participation -> opt2 (seal 2). |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | medium | Self-funded/bootstrapped UK company with no EU capital base; almost entirely non-EU (UK) funding -> opt1 (all-SEAL-4 factor, existing choice kept). |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | Some EU economic contribution via the Amsterdam (NL) data centre and EU customers, but the bulk of operations, employment and revenue are UK/non-EU -> opt2 (all-SEAL-4 factor, existing choice kept). |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | high | No participation in EU strategic programs (Gaia-X, IPCEI-CIS); a UK B Corp web/cloud host with no EU sovereignty program involvement -> opt1 (all-SEAL-4 factor, existing choice kept). |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No evidence of alignment with EU industrial strategies; aligns with B Corp/sustainability goals, not EU digital-sovereignty industrial policy -> opt1 (all-SEAL-4 factor, existing choice kept). |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | low | No own_stack in EU-sovereign sense: Katapult is in-house-operated on commodity hardware Krystal controls (UK), could source alternatives or internalise key functions, but core silicon/storage vendors are non-EU and the operator is non-EU -> opt4 'Ability to source alternatives or internalise' (seal 2), not opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | no eu_entity: primary jurisdiction is UK law (England and Wales) per Katapult/Krystal terms; non-EU only despite GDPR adequacy -> SOV-2.1 opt1 (seal 1). (src: https://find-and-update.company-information.service.gov.uk/company/07571790) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | medium | No immunity: UK entity with standard GDPR/DPA contractual clauses but remains exposed to UK extraterritorial law (Investigatory Powers Act 2016, technical capability notices, UK-US data access); mitigation clauses do not remove exposure -> opt2 (seal 1). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | no immunity (UK provider subject to UK Investigatory Powers Act 2016) -> authorities can compel data access without customer notification in specific cases; no policy of always refusing -> SOV-2.3 opt2 (seal 1). This is the legal SEAL-1 cap. Normalised across the UK cluster (all subject to UK IPA). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | no eu_exclusive: as a non-EU (UK) provider the offer is not specifically shielded from non-EU export controls affecting EU citizens/orgs, and UK-majority revenue is not >50% in the EU; no EU-MS-specific restriction identified -> SOV-2.4 opt2 (seal 1). Normalised with the UK cluster. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | low | Katapult platform software is developed in-house (UK) but the IP stack mixes in-house code with open-source and third-party vendor IP (VAST, StorPool, AMD, Nvidia); mixed within/outside the EU -> opt3 (all-SEAL-4 factor). |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | medium | Core platform IP held by Krystal Hosting Ltd under UK (non-EU) law, a single non-EU country -> opt1 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | low | Standard IaaS/hosting model with provider-managed infrastructure encryption; no published customer-held/HYOK key management, primarily provider-controlled though not exclusively -> opt2 (seal 1). |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Logging/audit trails exist (ISO 27001:2022 controls) but are vendor-controlled with no published real-time, independently auditable customer access to data-flow logs -> opt3 (seal 2). |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001-aligned data handling implies internal deletion validation per policy, but no cryptographic proof-of-erasure or independently verified irreversible deletion -> opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | No eu_exclusive: Katapult regions are UK, US (Phoenix/NY) and Amsterdam (NL), controlled by a UK entity; data is partly EU with significant third-country (UK/US) reliance and no EU-exclusivity guarantee -> SOV-3.4 opt2 'Partly EU, significant third-country reliance' (seal 0). This sets the overall SEAL-0. (src: https://krystal.io/technology) |
| SOV-3.5 | AI services sovereignty | 3. Mixed: auditable/open-source AI, foreign chips | 100/200 | SEAL-2 | low | In-scope GPU/AI: Krystal offers Nvidia GPUs on its KVM-based platform with auditable/open tooling but no EU-origin AI models or sovereign AI stack; mixed/open AI on foreign chips -> SOV-3.5 opt3 (seal 2). Aligned with the GPU-on-open-tooling cluster member (Civo). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard documented data export and VPS/image portability on a KVM-based platform with standard APIs; no proprietary-format lock-in -> opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 2. Ops partially sourced within EU | 42/167 | SEAL-1 | medium | No eu_ops: critical operations delivered by Krystal's UK (non-EU) teams; only the Amsterdam footprint is partially within the EU, so EU-sourced operations are limited -> opt2 (seal 1). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | Engineering/operations staff predominantly UK-based (non-EU); majority of skilled staff sit outside the EU -> opt2 (seal 1). |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | medium | Support is UK-centric (24/7 in-house UK support); mixed with the majority outside the EU from an EU-sovereignty standpoint -> opt2 (seal 2). |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge base is publicly available and not EU-restricted; primary repositories are UK/global, so EU handling is optional and not enforced -> opt2 (seal 2). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | Subcontractors/suppliers (data-centre operators Iron Mountain/Netwise, StorPool, VAST) are contracted; service could continue temporarily per contractual agreement, though several critical suppliers are non-EU -> opt3 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | Hardware vendors publicly named (AMD, Nvidia, Mellanox, Juniper, VAST, StorPool) giving partial provenance disclosure, but no EU-certified component provenance -> opt2 (seal 1). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | high | Compute/storage/networking hardware is foreign-origin (AMD/Nvidia US silicon, Juniper/Mellanox US networking, VAST US) with partial disclosure; not built by EU teams -> opt2 (seal 1). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code from foreign hardware vendors (AMD, Nvidia, Juniper, Mellanox) with partial disclosure and no EU-certified firmware provenance -> opt2 (all-SEAL-4 factor, existing choice kept). |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | No foreign_core: Katapult control-plane is developed and maintained in-house by Krystal's (UK) team on open-source (KVM); core/essential platform parts are team-maintained, integrating third-party non-EU storage/networking software -> opt3 'Core/essential parts maintained by EU teams' (seal 3). Not capped by foreign_core. |
| SOV-5.5 | Software build/release jurisdiction | 2. EU control, non-EU execution | 36/143 | SEAL-1 | low | Software build/release controlled by Krystal (UK) and executed on UK infrastructure; from an EU lens this is non-EU control with non-EU (UK) execution and no EU policy gates -> opt2 (seal 1). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | Several non-EU vendors sit in critical services (US AMD/Nvidia silicon, US VAST storage, US Juniper/Mellanox networking), documented; few non-EU critical dependencies -> opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers and data-centre partners are named and covered by ISO 27001:2022 supply-chain controls, giving auditability of critical suppliers, but not full end-to-end transparency -> opt3 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Katapult exposes standard APIs and runs KVM-based VMs with standard OS images: standards-based and broadly compatible interfaces -> opt4 (seal 3). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Uses open standards (KVM, standard networking/storage protocols, standard VM images) across core services, but no published policy mandating open standards for all services -> opt3 (seal 2). |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | Katapult control plane is proprietary/in-house, built on open-source foundations (KVM/Linux) but not published as open source; source-available/closed governance -> opt2 (seal 2). No foreign_core but still vendor-controlled. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Krystal publishes technology details, knowledge base, status/changelog and blog posts giving some public architecture insight, but not deep contributable transparency -> opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | GPU/HPC capability uses imported Nvidia accelerators hosted in Krystal's data centres; EU-/UK-hosted on a foreign (US) hardware/software stack -> opt2 'EU-hosted, foreign stack' (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | medium | No SecNumCloud/EUCS/C5/EAL and no SOC 2; holds ISO 27001:2022 + Cyber Essentials (Plus) + PCI DSS. Per the key the EAL2 (opt3) bar requires ISO 27001 + SOC 2, so an ISO-27001-centred cert set without SOC 2 maps to ISO-27001-only -> SOV-7.1 opt2 'EAL1' (seal 1). Normalised with the equivalently-certified cluster member (iomart). (src: https://krystal.io/technology) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Strong GDPR alignment plus ISO 27001:2022 and Cyber Essentials, but no fully independently audited NIS2/DORA compliance; partial compliance to most -> opt4 (all-SEAL-4 factor). |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Security operations and incident handling run by Krystal's UK teams; from an EU sovereignty view a hybrid EU/non-EU posture given the Amsterdam footprint -> opt2 (seal 1). |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get a control/monitoring portal and standard logs, but no published guarantee of full direct log access with logs stored in the EU -> opt3 (seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure is GDPR/UK-DPA aligned (ISO 27001:2022 incident management); moderate, regulation-aligned disclosure but not real-time EU CSIRT sharing -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | As operator of its own Katapult platform Krystal has moderate maintenance autonomy (scheduled maintenance with notice/testing), though dependent on third-party hardware/firmware vendor cycles -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: ISO 27001:2022 gives independent third-party audit of the ISMS, but customers have only limited independent audit access to the underlying platform -> opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 5. PUE < 1.2, EU verified | 250/250 | SEAL-4 | high | New London data centre (Netwise East) designed for world-leading PUE (~1.05) and all data centres achieve PUE of at least 1.2, with verified figures -> opt5 'PUE < 1.2' (seal 4). (src: https://krystalhosting.com/green) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | As a B Corp with sustainability commitments there is a documented circular/responsible hardware program, but no EU-certified lifecycle published -> opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | B Corp certification (score 81.8) and 1% For The Planet membership imply annual impact reporting, but not a detailed EU-methodology or EU-audited environmental report -> opt3 (seal 2). |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | medium | All data centres run on 100% renewable electricity (Ecotricity, wind/solar/sea); green energy supplies -> opt5 (all-SEAL-4 factor, existing choice kept). (src: https://krystalhosting.com/green) |