| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-1 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | Mittwald CM Service GmbH & Co. KG is a German company registered in Espelkamp (Amtsgericht Bad Oeynhausen HRA 6640), entirely within the EU with no non-EU parent. (src: https://www.mittwald.de/darum-mittwald/technologie) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Family-owned ~80-year-old Mittelstand business controlled by founder/CEO Robert Meyer via Robert Meyer Verwaltungs GmbH; no external/non-EU investors, takeover very unlikely. |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | As an owner-controlled EU company that builds its own platform (mStudio), roadmap is fully controlled by EU actors and responsive to its EU agency customer base. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Privately held German family business financed from its own operations; no evidence of any non-EU capital. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | All staff, data center, and operations are in Germany; the entire economic footprint is within the EU. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | Member of the eco Association and active in the German hosting ecosystem, but no clear evidence of participation in EU strategic programs like Gaia-X or IPCEI-CIS; limited participation assumed. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets DSGVO-compliant German hosting and data sovereignty as a value proposition, indicating an action plan aligned with EU digital sovereignty, but no formal governance for industrial-strategy alignment is evidenced. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: vertically integrated EU provider (own German DC, in-house mStudio on open-source Kubernetes/Linux/OpenEBS) with continuity depending on no non-EU vendor (only residual foreign chips) -> SOV-1.8 opt5 'Full autonomy and continuity'. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | A wholly German GmbH & Co. KG with German data centers operates exclusively under EU (German) law; no non-EU jurisdiction applies. (src: https://www.mittwald.de/darum-mittwald/technologie) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with structural separation (pure-DE, no non-EU parent/nexus) but immunity NOT certified (ISO 27001 only, no SecNumCloud/EUCS-High) -> SOV-2.2 opt4 'Legal structures shielding' (seal 2). (src: https://www.mittwald.de/blog/mittwald/safety-first-gepruefte-informationssicherheit-bei-mittwald) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: pure-DE entity not subject to US CLOUD Act/FISA/PRC law, commits to reject extraterritorial requests -> SOV-2.3 opt5 'Requests always rejected' (seal 4). (src: https://www.mittwald.de/darum-mittwald/technologie) |
| SOV-2.4 | Export control restrictions | 4. Part of offer shielded from restrictions towards EU MSs | 125/167 | SEAL-3 | medium | Pure-EU provider with no non-EU export-control exposure; the offer is shielded from restrictions toward EU Member States -> SOV-2.4 opt4 (seal 3). |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | The mStudio platform IP (microservices, API clients, CLI, Terraform provider) is developed in-house in Germany; built on open-source foundations but the proprietary platform IP is mostly EU-origin. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Mittwald's own platform IP is held by the German company under German/EU law; underlying open-source components carry permissive licenses but the proprietary IP is fully under EU law. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | low | As a managed hosting/PaaS provider, encryption is primarily provider-managed; no evidence of customer-held exclusive key management (BYOK/HYOK), so the provider can technically access data. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | mStudio provides logging and monitoring with AI-based anomaly detection, but logs are largely vendor-controlled and not described as real-time independently auditable customer oversight. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001 implies documented deletion procedures validated internally per policy, but no independently verified cryptographic proof-of-erasure is published. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: data stored AND processed only in Mittwald's German DC (Espelkamp) with no third-country fallback -> SOV-3.4 opt5 'Exclusively EU' (seal 4). (src: https://www.mittwald.de/darum-mittwald/technologie) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | high | EU-led AI on foreign accelerators: open-weight models served exclusively in the German DC on foreign GPUs -> SOV-3.5 opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based platform (Docker/Kubernetes, OpenAI-compatible API, Terraform, CLI) with documented export methods and migration support for agencies moving in/out. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | The entire stack is operated by Mittwald's in-house team in Espelkamp, Germany, with 24/7 on-site technical staff; no non-EU operational dependency for running the service. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | high | All staff are based at the single German site in Espelkamp; an EU-only workforce, though no formal security clearances are advertised. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | high | Support is provided by the German team in Espelkamp (German/English); all support staff in the EU, no advertised security clearances. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | medium | Documentation (developer portal, blog) is produced and hosted by the German company; primary repositories are EU-based with no non-EU dependency required. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Owning its data center and using standard/open-source software, Mittwald could source alternatives or internalise functions if a subcontractor failed, though hardware suppliers are non-EU. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Server hardware is sourced from global (non-EU) OEMs/component makers; Mittwald describes 'modern hardware' but provides only partial disclosure of physical component origin. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers/CPUs are manufactured by foreign vendors (e.g., Intel/AMD, global ODMs); foreign manufacturing origin with limited disclosure. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in CPUs, NICs, and drives comes from non-EU vendors and is not fully disclosed; only partial provenance visibility typical of commodity hardware. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | The mStudio platform software is designed and maintained in-house by the German team and built on open-source (Kubernetes, OpenEBS, Linux); the large majority of the operated software stack is EU-maintained or open. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software for the platform is developed and released by Mittwald's German engineering team, so build/release is under EU control and EU execution. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Critical services run on Mittwald's own German infrastructure, but a few non-EU dependencies remain in critical layers (hardware OEMs, GPU accelerators for AI); documented but present. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Through ISO 27001 audit scope, critical suppliers are subject to review, but full end-to-end supply-chain auditability across all hardware suppliers is not demonstrated. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | high | Platform exposes standards-based interfaces: Docker/Kubernetes, OpenAI-compatible API, REST API, CLI, and a Terraform provider, enabling broad compatibility and portability. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Core services adopt open standards (OCI containers, Kubernetes, OpenAI-compatible API, HTTP/REST, Terraform) as a deliberate policy across most of the platform. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | Mittwald maintains many open-source repositories (API clients, CLI, Terraform provider, deployer recipes) and contributes upstream to OpenEBS, but the core mStudio platform itself is proprietary with centralised governance. |
| SOV-6.4 | Service architecture transparency | 4. Large corpus of public insight | 150/200 | SEAL-3 | medium | Publishes detailed public architecture insights (Cloud Plattform Insights blog series), a developer portal, and open-source clients, providing a large corpus of public insight into the service architecture. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No in-scope HPC/supercomputing offering; per key, absence of HPC is not penalised as imported black-box -> SOV-6.5 opt2 'EU-hosted, foreign stack' (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | high | Holds ISO 27001 only (TUV Rheinland; no SecNumCloud/EUCS-High/C5/Common Criteria EAL); key maps ISO 27001-only -> SOV-7.1 opt2 'EAL1' (seal 1). This caps the overall SEAL. (src: https://www.mittwald.de/blog/mittwald/safety-first-gepruefte-informationssicherheit-bei-mittwald) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | ISO 27001 certified and markets full GDPR compliance with German hosting; NIS2/DORA-relevant practices likely but not all independently audited across every framework, so partial compliance to most. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Security operations and incident handling are run by the in-house German team with on-site 24/7 monitoring and AI anomaly detection; full lifecycle handled by EU teams, no advertised ENISA/CSIRT integration. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get monitoring/logging access through mStudio with logs stored in the German data center; not described as immutable tamper-proof, so full direct access with EU-stored logs. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | As a German provider it follows GDPR (and increasingly NIS2) breach-notification obligations; moderate, regulation-aligned disclosure with no evidence of real-time CSIRT sharing. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | medium | As operator of its own platform and data center, Mittwald has moderate-to-high maintenance autonomy, scheduling and testing updates itself with appropriate change control. |
| SOV-7.7 | Auditability | 3. Partial independent control | 72/143 | SEAL-1 | low | No certified full audit_rights (only ISO 27001 cert-body audits + DPA rights, not full independent audit by any entity) -> SOV-7.7 opt3 (seal 1). Contributes to the SEAL cap. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Operates a modern energy-efficient German data center with waste-heat recovery and a sustainability roadmap, consistent with PUE < 1.5 plus improvement plan, though no published PUE figure was found. (src: https://www.mittwald.de/darum-mittwald/technologie) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Reuses server waste heat to heat offices (~32,000 kWh/year saved) and operates efficiency programs, indicating a documented circular/efficiency program; no EU-certified lifecycle claim found. |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | Communicates climate-neutral operations and energy practices but no detailed annual environmental impact report following an EU methodology was found; basic reporting. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | medium | Own German data center runs on 100% CO2-neutral electricity with partial on-site solar generation in North Rhine-Westphalia; only green EU energy supplies. (src: https://www.mittwald.de/darum-mittwald/technologie) |