| Category | Category SEAL (lowest factor SEAL in the category) |
|---|---|
| SOV-1 Strategic Sovereignty | SEAL-0 |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 |
| SOV-3 Data & AI Sovereignty | SEAL-0 |
| SOV-4 Operational Sovereignty | SEAL-1 |
| SOV-5 Supply Chain Sovereignty | SEAL-1 |
| SOV-6 Technology Sovereignty | SEAL-0 |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 |
| SOV-8 Environmental Sustainability | SEAL-1 |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | Northflank Ltd is incorporated and headquartered in London, UK, a third country outside the EU/EEA; no EU legal entity controls the company (src: https://northflank.com/security). |
| SOV-1.2 | Change of control risk | 3. Somewhat likely takeover/transfer to non-EU sovereign entity | 63/125 | SEAL-4 | medium | VC-backed (~$25M, mostly US investors) startup with no controlling EU shareholder; acquisition by a non-EU acquirer is a realistic outcome typical of a growth-stage cloud startup. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap is set by the UK company; customers can influence only through standard public/customer feedback channels, with no EU governance body. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Funding is almost entirely non-EU venture capital (Bain Capital Ventures, Vertex Ventures US, Kindred, Uncorrelated, Pebblebed, Tapestry VC); no significant EU capital identified. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | low | Small UK-based company with some EU customers and EU-region usage, but employment, IP and economic value are concentrated in the UK and globally rather than in the EU. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No evidence of participation in Gaia-X, IPCEI-CIS or other EU strategic programs; markets itself globally as a developer PaaS. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No published action plan or evidence of alignment with EU industrial/digital-sovereignty strategies. |
| SOV-1.8 | Resilience to cut-off | 2. Service would stop, with delay for customer reaction | 31/125 | SEAL-0 | medium | Northflank operates no infrastructure stack of its own: the managed control plane and worker clusters depend on Google Cloud/Azure (non-EU hyperscalers). A cut-off would stop the managed service, leaving customers only the delay needed to react by moving workloads to BYOC (option 2, SEAL-0). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | Primary jurisdiction is UK law (a non-EU third country); the company is not governed exclusively by EU law (src: https://northflank.com/legal/terms-of-service). |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | No immunity from extraterritorial law: UK entity, US-VC funded, no SecNumCloud/EUCS-High qualification and no trustee structure. Exposed directly to the UK Investigatory Powers Act and the US-UK CLOUD Act Data Access Agreement, and indirectly to the US CLOUD Act via the underlying Google/Azure infrastructure; contractual and GDPR clauses mitigate but do not remove the exposure (option 2, SEAL-1) (src: https://northflank.com/security). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | Foreign-controlled provider: a UK entity covered by the US-UK CLOUD Act Data Access Agreement, running on Google/Azure infrastructure that is subject to the US CLOUD Act. Non-EU authorities can compel access in specific cases without notifying the customer, and Northflank has no mechanism to refuse (option 2, SEAL-1). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | Scored by consistency with the cluster norm for comparable providers (option 2): subject to UK and US export-control regimes, with no EU member-state shielding and no EU revenue majority (>50%) that would offset the exposure (option 2, SEAL-1). |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Northflank's platform IP is developed by the UK company; origin of IP is entirely outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | The IP holder (Northflank Ltd) sits under UK law, a single non-EU country. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | medium | Encryption at rest uses provider/Google Cloud-managed keys; external secret management is only in beta, and there is no customer-exclusive HYOK/BYOK option that would prevent the provider from reading customer data. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Activity and audit logs exist but are vendor-controlled and not described as independently auditable in real time. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Scored by consistency with the cluster norm (option 3): deletion on resource teardown follows a documented internal policy, but no cryptographic proof of erasure or independent verification is published (option 3, SEAL-1). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | medium | Not EU-exclusive: the default managed control plane runs in GCP London/Amsterdam (London is outside the EU/EEA) and worker clusters run on US hyperscalers. EU-only placement is achievable only via the BYOC opt-in, not in the scoped default offer, so significant third-country reliance remains (option 2, SEAL-0) (src: https://northflank.com/features/bring-your-own-cloud). |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | low | AI/GPU workloads run on foreign accelerators via partners (e.g. CoreWeave) and major clouds; no EU-origin models or chips, licensed/foreign AI stack with chip dependency. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standards-based (containers/Kubernetes, OCI images, git) with documented export and the ability to run via BYOC on the customer's own Kubernetes, giving good portability though not pre-deployed on EU sovereign infra. |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | low | Scored by consistency with the non-EU cluster norm (option 1): core engineering and operations are run by a UK/global (non-EU) team and the platform depends on US-controlled cloud infrastructure, with no EU-only operational path (option 1, SEAL-1). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | low | Small UK-headquartered team with globally distributed/remote engineers; skills are mixed and majority sit outside the EU. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | Support is provided globally (chat/email) from the UK and distributed staff, with the majority outside the EU. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation is public and global; EU-only handling of knowledge/documentation is not enforced. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | medium | Critical subcontractors are US hyperscalers (Google, Azure); loss of these would stop the managed service, with delay for customers to react/migrate via BYOC. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 1. No disclosure | 0/143 | SEAL-1 | medium | As a PaaS on third-party clouds, Northflank owns no hardware and provides no disclosure of physical component provenance. |
| SOV-5.2 | Manufacturing location | 1. Fully foreign, black box | 0/143 | SEAL-1 | medium | Underlying hardware is manufactured/operated by foreign hyperscalers; effectively a foreign black box from Northflank's perspective. |
| SOV-5.3 | Embedded code/firmware provenance | 1. No disclosure | 0/143 | SEAL-4 | medium | No disclosure of firmware/embedded-code provenance for the underlying hyperscaler hardware. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | medium | The core orchestration software is maintained in-house by a non-EU (UK/global) team and built on open-source components; because the core is not EU-maintained, this counts as foreign origin with partial disclosure (option 2, SEAL-2). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | low | Software build and release are controlled and executed by the UK/non-EU company, with no EU control or EU policy gates. |
| SOV-5.6 | Single point of dependency | 1. Only non-EU vendors/facilities | 0/143 | SEAL-1 | medium | Scored by consistency with the cluster norm for pure PaaS-on-hyperscaler providers (option 1): total single-point dependency on non-EU vendors (Google Cloud, Azure) for the managed control plane and clusters, with no EU vendor on the critical path (option 1, SEAL-1). |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some supplier information is available (named clouds, SOC 2 report on request) but the full supply chain is not broadly auditable by customers. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Built on standards (Kubernetes, OCI containers, git, REST API/CLI) and broadly compatible across clouds via BYOC, enabling portability though the management plane itself is proprietary. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Core services adopt open standards (containers, Kubernetes, OCI, standard databases) across most of the platform. |
| SOV-6.3 | Open source availability | 1. Fully closed-source, vendor-controlled | 0/200 | SEAL-2 | medium | The Northflank platform itself is proprietary and vendor-controlled, even though it is built on open-source components. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Some public insight via documentation, security page and blog on architecture, but no deep open contribution model for customers. |
| SOV-6.5 | HPC sovereignty | 1. Imported black-box HPC | 0/200 | SEAL-0 | low | No EU HPC sovereignty; any HPC/GPU is imported black-box capacity from foreign clouds/CoreWeave. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | high | Certifications: SOC 2 Type 2 only (no ISO 27001, SecNumCloud, EUCS or Common Criteria EAL certification); per the scoring key, SOC 2 without ISO 27001 maps to option 2 (EAL1-equivalent, SEAL-1) (src: https://northflank.com/security). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | States GDPR (UK GDPR) compliance and offers DPAs, but no independent ISO 27001/NIS2/DORA certification is published; moderate, partially evidenced compliance. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Security operations and incident response are run by the small UK/global team using cloud-provider tooling; hybrid EU/non-EU at best, not an EU-dedicated SOC. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get monitoring dashboards, logs and metrics through the portal, but logging is largely provider-controlled and not guaranteed EU-resident/immutable for the customer. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Incident disclosure aligned with GDPR/breach-notification expectations; moderate compliance, no evidence of real-time CSIRT sharing. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Customers control deployment timing of their own workloads with notice/testing, but platform-level maintenance is scheduled by Northflank/the underlying cloud. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | No contractual audit rights: independent assurance is limited to a SOC 2 report available on request, with no right to a full independent audit by the contracting authority or EU bodies (option 2, SEAL-1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Scored by consistency with the hyperscaler-PaaS cluster norm (option 3): runs on GCP/Azure data centres that report PUE below 1.5 with published efficiency roadmaps, which Northflank inherits; same profile as Vercel/Render (option 3, PUE < 1.5 + roadmap) (src: https://www.google.com/about/datacenters/efficiency/). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Scored by consistency with the hyperscaler-PaaS cluster norm (option 3): hardware reuse and recycling are handled by the underlying hyperscalers' documented circular-economy programs, which Northflank inherits (option 3, documented program) (src: https://www.google.com/about/datacenters/efficiency/). |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | Scored by consistency with the cluster norm (option 2): Northflank publishes no detailed environmental report of its own and only inherits the hyperscalers' basic sustainability disclosures (option 2, basic reporting, SEAL-1). |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Energy depends on the underlying hyperscalers' grids across EU and non-EU regions; a mix of EU and non-EU energy supplies with no Northflank-specific green sourcing guarantee (src: https://www.google.com/about/datacenters/cleanenergy/). |