| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-1 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 2. Mostly outside the EU | 42/125 | SEAL-1 | high | Nine Internet Solutions AG is incorporated and headquartered in Zurich, Switzerland with no EU/EEA legal entity; Switzerland is a third country, so entity control sits mostly outside the EU -> opt2 (seal 1). Normalised from opt1 to opt2 for consistency with the other Swiss-incorporated peers (both are seal 1). (src: https://www.nine.ch/en/about) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Founder-led (Thomas Hug, 100% owner), privately held, independent ~40-person company with no known external/non-EU investors; a takeover/transfer to a non-EU sovereign entity is unlikely though not formally precluded. (src: https://www.nine.ch/en/about) |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | As a small founder-led firm there are no formal EU-actor governance bodies over the roadmap; customers influence direction mainly through standard customer/support channels -> opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Bootstrapped founder-owned Swiss company with no disclosed external funding; capital is non-EU (Swiss) but entirely independent of non-EU hyperscaler/state capital. Scored as not relying on non-EU (foreign-state) funding. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | Economic activity (jobs, taxes, data centres) is concentrated in Switzerland, a third country; only limited EU economic contribution via EU customers. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | high | No evidence of participation in EU strategic programs (Gaia-X, IPCEI-CIS); a Swiss provider outside EU frameworks. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No evidence of alignment with EU industrial strategies; positioning is Swiss-sovereignty oriented, not EU industrial-policy aligned. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | low | own_stack only partial: runs its own managed open-source-based stack on owned/colocated Swiss data centres so it could source alternatives or internalise key functions, but it has a real non-EU operational dependency (NVIDIA GPUs/chips) and the stack itself is non-EU, so not full EU autonomy -> opt4 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Primary jurisdiction is Swiss law (FADP), a third country; GDPR applies contractually for EU customers, giving mixed EU/non-EU legal footing -> opt2 (seal 1). Normalised from opt1 to opt2 for consistency with the rest of the Swiss cluster (both are seal 1). (src: https://www.nine.ch/en/about) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | No foreign_parent (pure Swiss entity, no US/EU parent, all data in Switzerland) so structurally shielded from US CLOUD Act, but governed by non-EU Swiss law without certified EU immunity (no SecNumCloud/EUCS-High) -> legal structures shielding, opt4 (seal 2). Consistent with the pure-Swiss peers Infomaniak and Safe-Swiss. (src: https://www.nine.ch/en/about) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: not subject to US CLOUD Act/FISA/PRC law; as a wholly Swiss company with Swiss-only hosting it can refuse foreign-authority requests (which proceed only via Swiss mutual assistance, not direct compelled access) -> requests always rejected, opt5 (seal 4). Consistent with the identical pure-Swiss-no-foreign-parent peers Infomaniak and Safe-Swiss. (src: https://www.nine.ch/en/about) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | No export-control restrictions toward EU Member States evident; sizeable EU revenue share, but the offer is not specifically shielded from restrictions -> opt3. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | low | Core platform IP (Deploio, NKE, nctl) is developed in-house in Switzerland (non-EU) and built on open-source software with mixed EU/non-EU origins; overall a mix within/outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | medium | IP is held by the Swiss company under Swiss (single non-EU country) law -> opt1. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | Managed service model with customer-controllable encryption; customers can hold primary key control but as a managed provider Nine typically retains technical ability to read data (no documented hold-your-own-key with provider blindness) -> opt4. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Logging/monitoring available to customers but largely vendor-managed and not real-time independently auditable -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001 processes imply policy-based deletion validation, but no published cryptographic proof of irreversible erasure -> opt3. |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | No eu_exclusive: data resides exclusively in two Swiss data centres (Zurich), no EU/EEA region offered; Switzerland is a third country so from the EU/EEA residency standpoint this is partly-EU with significant third-country reliance -> opt2 (seal 0). This is the binding SEAL-0 gate, shared with the other Swiss-only-hosting peers Infomaniak and Safe-Swiss. (src: https://nine.ch/en/infrastructure/) |
| SOV-3.5 | AI services sovereignty | 3. Mixed: auditable/open-source AI, foreign chips | 100/200 | SEAL-2 | medium | GPU servers run open-source ML stacks (PyTorch, TensorFlow, CUDA) on Swiss infrastructure but depend on foreign NVIDIA chips; auditable/open AI tooling with foreign accelerators -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Open-standards Kubernetes/containers and open APIs (public nctl CLI) provide standard documented export/portability with a stated no-lock-in posture -> opt3. |
| SOV-4.2 | Ability to operate without foreign dependencies | 3. Ops balanced EU/non-EU teams | 84/167 | SEAL-3 | medium | Operations run by Nine's own Swiss team, fully self-sufficient in one country with no foreign (US/Asia) intermediary; from the EU-sourcing standpoint Swiss staff are non-EU, so balanced EU/non-EU -> opt3 (seal 3). Normalised to the Swiss-in-house-ops tier shared with Infomaniak and Safe-Swiss. (src: https://www.nine.ch/en/about) |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | Engineering/skills are concentrated in Switzerland (non-EU); the team is predominantly outside the EU/EEA -> opt2. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | medium | Support is provided from Switzerland (non-EU); from an EU perspective support staff are majority outside the EU -> opt2. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation is primarily Swiss (non-EU) with public docs/GitHub; EU-only repositories are not enforced -> opt2. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Owns/colocates its own Swiss infrastructure and runs open-source software, giving ability to source alternatives or internalise functions if a subcontractor/supplier were lost (subject to hardware constraints) -> opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Standard x86/GPU server hardware of foreign (US/Asian) origin with limited public disclosure of component provenance -> opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers and GPUs are manufactured abroad (foreign origin) with only partial disclosure; no EU/Swiss hardware manufacturing -> opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS/GPU microcode is foreign (vendor-supplied) with little provenance disclosure. |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | Not foreign_core: platform software (Deploio, NKE, nctl) is developed and maintained in-house by Nine's own team on open-source components rather than licensed Google/MS tech, so core/essential parts are provider-maintained (not a foreign black box) -> opt3. |
| SOV-5.5 | Software build/release jurisdiction | 3. Non-EU control, EU execution | 72/143 | SEAL-3 | low | Software build/release is controlled and executed by the Swiss (non-EU) provider in-house; not a foreign black box, scored conservatively as EU-execution-equivalent under non-EU control -> opt3. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Few non-EU dependencies in critical services (NVIDIA GPUs, foreign hardware/firmware, optional Google Kubernetes Engine), documented and limited -> opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | ISO 27001 implies critical suppliers (e.g. colocation data centres) are auditable, but full supply-chain auditability is not published -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Built on standards-based Kubernetes/containers with open APIs and a public CLI; broadly compatible/interoperable with explicit no-lock-in messaging -> opt4. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Core services adopt open standards (Kubernetes, OCI containers, standard databases) as a policy across most of the platform -> opt4. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | Not foreign_core: stack is built on open-source software and nctl is published on GitHub, but the managed platform (Deploio/NKE) governance is centralised within Nine -> open source with centralised governance, opt3. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Public architecture/documentation insight is available (docs, blogs, public CLI) beyond audit-only access -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | GPU/HPC capacity is Swiss-hosted but runs a fully foreign stack (NVIDIA GPUs, CUDA); EU/Swiss-hosted with foreign stack -> opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | medium | No SecNumCloud/EUCS/C5/ENS or Common Criteria EAL; security is covered by ISO 27001 (+ISO 9001) only, which the key maps to opt2 (EAL1-equivalent, seal 1). Consistent with Infomaniak (also ISO-only). (src: https://www.nine.ch/en/about) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | ISO 27001/9001 certified and FINMA-compliant with Swiss FADP (GDPR-adequate) and GDPR where applicable; partial compliance to most EU regulations though, as a Swiss firm, not formally within NIS2/DORA scope. |
| SOV-7.3 | EU-based SOC & incident handling | 3. Primary SOC in EU, escalations non-EU | 72/143 | SEAL-1 | low | Security operations/incident handling are run end-to-end in-house from Switzerland; the SOC is located outside the EU, so the EU-lifecycle tiers (opt4/opt5) do not apply -> primary SOC in-region with non-EU location, opt3 (seal 1). Normalised to the Swiss-in-house-SOC tier shared with Infomaniak and Safe-Swiss (same profile, previously scored inconsistently at opt1). (src: https://www.nine.ch/en/about) |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get direct access to monitoring/logging, but logs are stored in Swiss (non-EU) data centres and not documented as immutable EU-located logs, so the EU-storage tiers do not apply -> opt3 (seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure follows ISO 27001 and FADP/GDPR-aligned breach-notification practices (moderate, GDPR/NIS2-aligned) -> opt3. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | As operator of its own open-source-based managed platform, Nine has moderate maintenance autonomy with notice/testing windows, constrained mainly by upstream/zero-day fixes -> opt3. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights at SecNumCloud grade: independent audit access is limited to certification audits (ISO 27001) plus contractual customer audit rights; no full independent audit by any entity -> opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Modern carrier-neutral Zurich data centres with cold-aisle containment imply efficient PUE (<1.5) plus sustainability roadmap; no EU-verified figure (Switzerland not EU) so higher EU-verified tiers do not apply -> opt3. Consistent with the other colo-tenant peers. (src: https://nine.ch/en/infrastructure/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Carbon-neutral operations and myclimate certification indicate a documented sustainability program including hardware lifecycle, though not detailed as full circular-economy/EU-certified -> opt3. |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | Basic environmental reporting via carbon-neutral/myclimate claims; no detailed audited annual environmental report published -> opt2. |
| SOV-8.4 | Energy supplies | 2. Only EU energy supplies | 63/250 | SEAL-4 | high | Both data centres run on 100% renewable electricity, but supplies are Swiss (non-EU) - so only non-EU green energy; scored as not EU energy supplies. Renewable but outside EU. (src: https://nine.ch/en/infrastructure/) |