| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: French SAS in Courbevoie, 100% French-owned (Caisse des Depots/Banque des Territoires, Docaposte/La Poste, Dassault Systemes, Bouygues Telecom); legal control entirely within the EU -> opt4 (src: https://www.3ds.com/newsroom/press-releases/docaposte-dassault-systemes-bouygues-telecom-and-banque-des-territoires-sign-alliance-offer-reference-solution-trusted-cloud-services). |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Majority public/state ownership via Caisse des Depots and strategic French industrial shareholders explicitly created for sovereignty; takeover by a non-EU sovereign entity is very unlikely. (all-SEAL-4 factor, choice retained) |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | EU-controlled venture; roadmap set by EU shareholders/board with own R&D -> full influence of EU actors -> opt4. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | EUR 50M capital raised entirely from French/EU investors (Caisse des Depots, Docaposte, Dassault Systemes, Bouygues Telecom); funding entirely EU-based. (all-SEAL-4 factor, choice retained) |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, HQ, jobs and value creation fully in France; positioned as a 100% French sovereign cloud. (all-SEAL-4 factor, choice retained) |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | medium | Flagship French sovereign-cloud initiative backed by the state (Caisse des Depots), aligned with national digital-sovereignty strategy; strong participation. (all-SEAL-4 factor, choice retained) |
| SOV-1.7 | Alignment with EU industrial strategies | 4. Bold ambition and dedicated means | 125/125 | SEAL-4 | medium | Explicit sovereignty doctrine (portability, reversibility, open source, SecNumCloud target) with dedicated capital; bold ambition with dedicated means. (all-SEAL-4 factor, choice retained) |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: open-source-first platform (K8s/OpenShift/PostgreSQL) on EU-sovereign Outscale (SecNumCloud) IaaS, documented portability/reversibility; continuity depends on no non-EU vendor (only residual commodity chips) -> opt5 full autonomy & continuity. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | French legal entity, contract exclusively under French/EU law -> opt3 (seal 4). |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity: NumSpot's foundational layer encapsulates 3DS Outscale's ANSSI SecNumCloud 3.2-qualified IaaS (key rule c: SecNumCloud 3.2 -> immunity), a pure-FR stack with no non-EU nexus -> non-EU laws unenforceable, verified legal immunity, opt5; consistent with the cluster's SecNumCloud-grade IaaS members (src: https://www.3ds.com/newsroom/press-releases/outscale-first-cloud-qualified-secnumcloud-32). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent able to compel access; pure-FR entity (data on Outscale SecNumCloud 3.2) with no US/CN nexus, positioned '100% immunised against extraterritorial laws', would reject CLOUD Act/FISA requests -> opt5 requests always rejected (seal 4) (src: https://www.3ds.com/newsroom/press-releases/outscale-first-cloud-qualified-secnumcloud-32). |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | French-owned offer with no non-EU export-control entanglement; serviceable to EU member states and international orgs without foreign restrictions -> opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform IP (NumSpot software, IAM, PaaS layer) developed in France on Outscale French IaaS; mostly EU-origin IP, some upstream OSS/chip IP foreign -> opt4. (all-SEAL-4 factor, choice retained) |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | NumSpot and Outscale IP held by French companies under French/EU law; IP holder jurisdiction fully EU -> opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | SecNumCloud-grade environment with Managed Secret Manager and customer key management; customer primary control but provider/IaaS operator can technically read absent confirmed HYOK/confidential computing -> opt4. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | SecNumCloud/ISO 27001 controls require comprehensive access logging with customer-controlled visibility; full real-time independent auditability not specifically documented -> opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | Runs on SecNumCloud-grade Outscale IaaS (3DS-Outscale itself scores opt4) whose framework mandates verified secure deletion with logging; deletion technically verified with access logs -> opt4 (seal 3). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | medium | eu_exclusive: data hosted in French SecNumCloud-qualified Outscale data centres around Paris, sovereign region, no third-country fallback -> opt5 (src: https://numspot.com/2025/01/21/numspot-franchit-avec-succes-le-premier-jalon-de-la-qualification-secnumcloud-pour-sa-plateforme-de-services-cloud/). |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | Managed AI Platform around Mistral AI (EU-origin models) plus open source in the sovereign region; EU-led AI on foreign GPU accelerators -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 5. Already deployed on sovereign infrastructure | 167/167 | SEAL-4 | high | Portability and reversibility are core to NumSpot's sovereignty doctrine, open standards and modular portable architecture; already deployed on sovereign (SecNumCloud Outscale) infrastructure -> opt5. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: entire stack (NumSpot platform + Outscale IaaS) operated by French/EU teams, no non-EU operational dependency -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering/ops teams in France/EU; all-EU staffing consistent with SecNumCloud, but formal security clearances across all staff not documented -> opt4 (all EU staff, seal 3). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support delivered by France-based teams; all support staff in the EU, no documented clearance requirement on all support personnel -> opt4 (seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | French sovereign provider keeps documentation/knowledge in France/EU; EU-only primary repositories, strict end-to-end EU-only not explicitly confirmed -> opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Key subcontractor (Outscale) is a French EU subsidiary and architecture is portable; able to source alternatives or internalise functions, commodity hardware residual -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Inherits Outscale hardware; standard x86 servers in certified data centres give transparent provenance with exceptions, no full EU-certified provenance disclosure -> opt3 (seal 3). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | low | Inherits Outscale's SecNumCloud-audited hardware (3DS-Outscale scores opt3); mixed sourcing of commodity servers with EU audit rights under the sovereign offer -> opt3 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code in commodity servers and network gear from foreign vendors with limited provenance disclosure -> opt2. (all-SEAL-4 factor, choice retained) |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: platform is 'open source first' (K8s/OpenShift/PostgreSQL), NOT licensed Google/MS/AWS core; large majority maintained by French/EU teams with foreign upstream OSS -> opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Software developed and released by French/EU teams under EU control and execution; explicit EU policy gates beyond standard practice not documented -> opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | low | Runs on 3DS Outscale's SecNumCloud 3.2 IaaS (own TINA orchestrator); control plane EU-based and only non-EU dependency is residual commodity hardware/GPUs, documented and non-critical to continuity -> few non-EU non-critical, documented, opt4 (seal 3), consistent with the cluster's SecNumCloud-grade IaaS members (src: https://www.3ds.com/newsroom/press-releases/outscale-first-cloud-qualified-secnumcloud-32). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | SecNumCloud 3.2 supply-chain auditability inherited from the Outscale IaaS plus NumSpot ISO 27001 supplier management extend audit obligations to most suppliers, not only the critical few -> most suppliers auditable, opt4 (seal 3) (src: https://en.outscale.com/our-certifications/). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Open-standards-based PaaS (Kubernetes, S3-compatible storage, standard databases) with portability emphasised; standards-based and broadly compatible -> opt4 (seal 3). |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Adopts open standards (Kubernetes, S3 API, open database engines) across most core services as part of its portability doctrine -> opt4 (seal 3). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | No foreign_core: genuinely 'open source first' platform (K8s/OpenShift/PostgreSQL), open source with currently centralised (vendor) governance -> opt3 (seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Commits to transparency, auditability and reversibility with some public insight into architecture; not yet a large public corpus or customer-contributable model -> opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Any HPC/GPU compute is EU-hosted in French data centres on a foreign accelerator stack -> opt2 EU-hosted foreign stack (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | NumSpot's foundational layer runs on 3DS Outscale's ANSSI SecNumCloud 3.2 IaaS and holds ISO 27001 + HDS in its own right; per the key, SecNumCloud-grade assurance maps to EAL3 -> opt4 EAL3 (seal 3), consistent with the cluster's SecNumCloud-grade IaaS members (src: https://numspot.com/certification/hds-hebergeur-de-donnees-de-sante/). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | medium | Built for GDPR/NIS2/DORA-regulated public, financial and health customers, with HDS and ISO 27001/27017/27018 (via Outscale) and SecNumCloud in progress; fully compliant and independently audited -> opt5. (all-SEAL-4 factor, choice retained) |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Sovereign French provider with EU-based security operations and incident handling; entire lifecycle by EU teams, explicit ENISA/CSIRT sharing not documented -> opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | SecNumCloud-aligned environment gives customers direct access to monitoring/logs stored in France/EU; tamper-proof immutable logging not specifically documented -> opt4 (seal 3). |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | low | NIS2/GDPR-bound French provider follows monitored incident-disclosure flows with SLAs; full real-time CSIRT sharing not explicitly confirmed -> opt4 (seal 3). |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | low | Operates its own platform on EU infrastructure and can deploy patches/maintenance independently; high maintenance autonomy -> opt4 (seal 4). |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | low | audit_rights: SecNumCloud qualification process subjects platform to independent ANSSI-accredited audit and the sovereign offer supports customer/regulator auditability -> opt5 (seal 4). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Hosted in modern Tier III French data centres (Outscale) with managed efficiency; PUE below 1.5 with improvement roadmap a reasonable inference, no published figure -> opt3 (seal 4). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Outscale holds LUCIE/ISO 26000 CSR labelling implying a documented circular/recycling program for hardware lifecycle -> opt3 documented program (seal 3). |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | low | Hosted on 3DS Outscale infrastructure backed by Dassault Systemes CSRD-grade group reporting and Outscale's detailed environmental methodology/carbon-footprint service -> detailed EU methodology, opt4 (seal 3), consistent with 3DS Outscale (src: https://en.outscale.com/our-certifications/). |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | French data centres draw on the French/EU grid (largely low-carbon nuclear/renewable) but no confirmed exclusively-EU or fully-green guaranteed sourcing; treated as a mix -> opt3. (all-SEAL-4 factor, choice retained) |