| Dimension | SEAL (lowest factor SEAL within the dimension) |
|---|---|
| SOV-1 Strategic Sovereignty | SEAL-0 |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 |
| SOV-3 Data & AI Sovereignty | SEAL-0 |
| SOV-4 Operational Sovereignty | SEAL-0 |
| SOV-5 Supply Chain Sovereignty | SEAL-1 |
| SOV-6 Technology Sovereignty | SEAL-0 |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 |
| SOV-8 Environmental Sustainability | SEAL-1 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | foreign_parent (Netlify, Inc., San Francisco, US): controlling legal entity is entirely outside the EU -> SOV-1.1 opt1 (src: https://www.netlify.com/security/). |
| SOV-1.2 | Change of control risk | 3. Somewhat likely takeover/transfer to non-EU sovereign entity | 63/125 | SEAL-4 | medium | Private US VC-backed firm (a16z, Bessemer, Kleiner Perkins, BOND); takeover/transfer to a non-EU sovereign entity (acquisition or IPO) is a realistic medium-term scenario, hence somewhat likely (kept at existing choice; all-seal-4 factor). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap set centrally by the US company; EU customers influence only via voice-of-the-customer channels, no EU governance body -> SOV-1.3 opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Funding predominantly US venture capital (a16z, Bessemer, Kleiner Perkins, Menlo, BOND, Bloomberg Beta); EQT Ventures (Stockholm) is the only EU-based investor named and does not amount to a meaningful EU capital base (all-seal-4 factor). |
| SOV-1.5 | EU economic contribution | 1. Minimal | 0/125 | SEAL-4 | medium | US-centric: most economic activity, headcount and value capture in the US; EU contribution minimal (all-seal-4 factor). |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | high | No clear participation in EU strategic programs (Gaia-X, IPCEI-CIS) (all-seal-4 factor). |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No evidence of an action plan aligning Netlify with EU industrial/digital-sovereignty strategies (all-seal-4 factor). |
| SOV-1.8 | Resilience to cut-off | 2. Service would stop, with delay for customer reaction | 31/125 | SEAL-0 | medium | No own_stack: PaaS on non-EU hyperscalers (AWS/GCP/Rackspace) under US parent control; if supply were cut off the managed service would stop, with only a delay for customers to migrate -> SOV-1.8 opt2 (seal 0). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | US provider/contracting entity; service governed primarily by US (non-EU) law -> SOV-2.1 opt1 (src: https://www.netlify.com/legal/terms-of-use/). |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | consistency (cluster norm 2.2=opt2): US company exposed to US extraterritorial law (CLOUD Act, FISA 702); GDPR DPA/SCC mitigation clauses exist but residual exposure remains -> opt2 (seal 1) (src: https://www.netlify.com/legal/dpa/). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent (US CLOUD Act / FISA): authorities can compel data access; gag provisions can bar customer notification in specific national-security cases -> SOV-2.3 opt2 (caps SEAL at 1). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | US-controlled provider subject to US export-control and sanctions regimes (EAR/OFAC) that can restrict service to certain persons/jurisdictions; no restriction at EU Member State level identified -> SOV-2.4 opt2 (seal 1). |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core platform IP (build system, edge, CLI, acquired Gatsby/Stackbit) developed and owned in the US, entirely outside the EU (all-seal-4 factor). |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | IP held by Netlify, Inc. under US law in a single non-EU country -> SOV-2.6 opt1. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | medium | Netlify manages encryption at rest and in transit; keys are primarily provider-controlled, with no customer-held key option (HYOK/BYOK) that would prevent provider access to plaintext -> SOV-3.1 opt2. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | medium | Enterprise audit logs exist but are vendor-controlled and not independently real-time auditable by the customer -> SOV-3.2 opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion per internal policy/DPA commitments on managed and underlying cloud storage; no independent cryptographic proof of irreversible erasure -> SOV-3.3 opt3. |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | medium | No eu_exclusive: backing store/CDN default to US (San Francisco); an opt-in EU (Amsterdam) region exists in the same global product but significant third-country (US) reliance and SCC cross-border transfers remain -> SOV-3.4 opt2 (seal 0) (src: https://docs.netlify.com/manage/security/overview/). |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | high | AI offering (Agent Runners) wraps US-origin licensed models/agents (Claude Code, Gemini CLI, OpenAI Codex) on US cloud, with chip/model dependency outside the EU -> SOV-3.5 opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Git-based/static-site architecture with documented data export, standard build artifacts and CLI; portability of content is good though platform features (edge functions, forms) are provider-specific -> SOV-4.1 opt3. |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | high | No eu_ops: critical platform operations run by US engineering/SRE teams on US-controlled infrastructure; no EU-only operational path -> SOV-4.2 opt1. |
| SOV-4.3 | Skill availability in the EU | 1. Global team, mainly non-EU | 0/167 | SEAL-1 | medium | Engineering/operations talent is a global, predominantly US-based team; EU staffing is a minority -> SOV-4.3 opt1. |
| SOV-4.4 | Support channels | 1. Global, majority outside EU | 0/167 | SEAL-1 | medium | Support delivered globally with the majority of the team and escalation paths outside the EU -> SOV-4.4 opt1. |
| SOV-4.5 | Documentation & knowledge transfer | 1. Global/non-EU exposure | 0/167 | SEAL-0 | low | Documentation/knowledge repositories are global and US-hosted with no EU-residency enforcement -> SOV-4.5 opt1 (seal 0). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | medium | Service depends on non-EU subprocessors/cloud (AWS, GCP, Rackspace); loss would stop the service with only a delay for customer reaction -> SOV-4.6 opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 1. No disclosure | 0/143 | SEAL-1 | medium | Runs on third-party hyperscaler hardware; nothing disclosed about physical component provenance -> SOV-5.1 opt1. |
| SOV-5.2 | Manufacturing location | 1. Fully foreign, black box | 0/143 | SEAL-1 | medium | Underlying servers manufactured by/for foreign hyperscalers; hardware origin is an undisclosed black box to Netlify customers -> SOV-5.2 opt1. |
| SOV-5.3 | Embedded code/firmware provenance | 1. No disclosure | 0/143 | SEAL-4 | medium | Firmware/embedded-code provenance of the underlying hardware is not disclosed (all-seal-4 factor). |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | medium | foreign_core: core platform software developed by US teams; some parts (CLI, build tooling, Gatsby) are open/documented, giving partial disclosure of foreign-origin software -> SOV-5.4 opt2. |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | Software build and release controlled and executed by US teams/CI outside the EU -> SOV-5.5 opt1. |
| SOV-5.6 | Single point of dependency | 1. Only non-EU vendors/facilities | 0/143 | SEAL-1 | high | Critical dependency on non-EU vendors (AWS, GCP, Rackspace) and US parent operations; effectively only non-EU facilities for the core service -> SOV-5.6 opt1. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Subprocessor list published in the Trust Center, but only some suppliers are auditable by customers; full critical-supplier audit rights not offered to standard customers -> SOV-5.7 opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Documented REST API, CLI and Git workflow with framework adapters, but core features rely on partially proprietary, platform-specific interfaces (mixed openness) -> SOV-6.1 opt3. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Uses open web standards (HTTP, Git, standard build outputs) across part of the platform, but no formal policy mandating open standards for all core services -> SOV-6.2 opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | foreign_core: platform itself is closed/proprietary SaaS; Netlify open-sources/stewards tooling (CLI, Gatsby, build images) under centralized vendor governance, so source is partly available with strict rights -> SOV-6.3 opt2. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Some public insight via docs, engineering blog and open-source components, but core service architecture is not fully transparent -> SOV-6.4 opt3. |
| SOV-6.5 | HPC sovereignty | 1. Imported black-box HPC | 0/200 | SEAL-0 | low | No EU HPC; any compute-intensive/AI workloads run on imported black-box hyperscaler/GPU infrastructure -> SOV-6.5 opt1 (seal 0). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | high | certs: ISO 27001 + ISO 27018 + SOC 2 Type 2 + PCI DSS v4.0 + HIPAA; no SecNumCloud, EUCS or Common Criteria evaluation of the platform itself. Per the scoring key, ISO 27001 + SOC 2 is treated as EAL2-equivalent -> opt3 (seal 2); this is a key-defined equivalence, not an actual EAL rating (src: https://www.netlify.com/security/). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | Documented GDPR/CCPA compliance with DPA, plus SOC 2 Type 2, ISO 27001/27018, PCI DSS v4.0 and HIPAA; partial compliance to most EU regimes (all-seal-4 factor; kept at existing choice). |
| SOV-7.3 | EU-based SOC & incident handling | 1. SOC/IR outside EU | 0/143 | SEAL-1 | medium | Security operations and incident response run by Netlify's US-based security team, outside the EU -> SOV-7.3 opt1. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | medium | consistency (cluster norm 7.4=opt3): customers get an audit-log/monitoring portal, but monitoring control and log storage are provider-managed in the US, not customer-controlled in the EU -> opt3 (basic monitoring portal, seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure aligns with GDPR/contractual breach-notification obligations; moderate (GDPR/NIS2-aligned) compliance without real-time CSIRT sharing -> SOV-7.5 opt3. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Managed platform schedules maintenance with notice; customers have moderate autonomy (stage/test deploys) but cannot independently control underlying platform maintenance -> SOV-7.6 opt3. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | No audit_rights: independent assurance limited to third-party SOC 2/ISO audits and Trust Center evidence; customers cannot perform arbitrary audits of the platform -> SOV-7.7 opt2 (caps at seal 1). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | consistency (hyperscaler-PaaS cluster norm 8.1=opt3): runs on AWS/GCP data centres reporting PUE <1.5 with efficiency roadmaps which Netlify inherits; same profile as Vercel/Render -> opt3 (PUE<1.5 + roadmap) (src: https://sustainability.aboutamazon.com/products-services/aws-cloud). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | consistency (hyperscaler-PaaS cluster norm 8.2=opt3): hardware reuse/recycling handled by the underlying hyperscalers' documented circular-economy programs which Netlify inherits -> opt3 (documented program) (src: https://sustainability.aboutamazon.com/products-services/aws-cloud). |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | consistency (cluster norm 8.3=opt2): Netlify publishes no detailed own environmental report but inherits basic hyperscaler sustainability disclosures -> opt2 (basic reporting, seal 1). |
| SOV-8.4 | Energy supplies | 1. Non traceable | 0/250 | SEAL-4 | low | Energy supply inherited from third-party hyperscaler data centres, not separately traceable or reported by Netlify (all-seal-4 factor). |