| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-0 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | Pulsant Ltd is a UK-incorporated company (Maidenhead HQ) operating exclusively in the UK, a third country (not EU/EEA), with no EU/EEA data footprint; its EU-based PE owner Antin is a financial sponsor, not the operating legal entity, so legal-entity control is entirely outside the EU -> SOV-1.1 opt1 (seal 1). Normalised with the UK-only cluster members. (src: https://www.pulsant.com/data-sovereignty) |
| SOV-1.2 | Change of control risk | 2. Likely takeover/transfer to non-EU sovereign entity | 31/125 | SEAL-4 | medium | Owned by private-equity firm Antin Infrastructure Partners since 2021; PE ownership implies a planned exit/sale within a typical hold period, making a future transfer (potentially to a non-EU sovereign entity) reasonably likely. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | No formal governance body with EU-actor participation; roadmap influence is limited to customer/partner feedback channels typical of a commercial UK IaaS/colocation provider. |
| SOV-1.4 | Financial independence from non-EU capital | 3. Balanced mix of EU and non-EU funding | 63/125 | SEAL-4 | medium | Backed by Antin, a Paris-based EU infrastructure fund, but Antin's flagship funds pool global (incl. non-EU) institutional LP capital, so funding is a mixed EU/non-EU blend rather than clearly majority-EU. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | high | Economic activity (data centres, jobs, customers) is concentrated in the UK, a third country; only its PE owner is EU-domiciled, so direct EU economic contribution is limited. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No evidence of participation in EU strategic programs such as Gaia-X or IPCEI-CIS; as a UK-focused provider it engages with UK frameworks (G-Cloud) instead. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No published action plan or governance demonstrating alignment with EU industrial strategies; its strategic positioning is explicitly UK sovereign cloud, not EU. |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | Self-operated UK data-centre estate on VMware; under contract customer workloads could continue temporarily, but the platform depends on foreign hardware and VMware/Broadcom software supply chains. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | No eu_entity: primary jurisdiction is the UK (third country); contracts governed by UK law, not EU law -> SOV-2.1 opt1 'non-EU only' (seal 1), even though UK is GDPR-adequate. (src: https://www.pulsant.com/data-sovereignty) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | medium | no immunity: UK entity (not an EU subsidiary), itself subject to UK lawful-access law (Investigatory Powers Act); no SecNumCloud/EUCS-High; mitigation/contractual clauses only, exposure remains -> SOV-2.2 opt2 (seal 1). Normalised with the UK cluster (none is an EU subsidiary, so opt3 does not apply). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | medium | no immunity: the UK entity is subject to non-EU (UK) compelled access under the Investigatory Powers Act (compelled access without notification in specific cases); cannot commit to always reject -> SOV-2.3 opt2 (seal 1). Normalised across the UK cluster (all subject to UK IPA). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | No restrictions toward EU member states, but as a UK provider its revenue is overwhelmingly UK (not >50% EU) and it relies on US-origin software (VMware/Broadcom) that could face export-control leverage. |
| SOV-2.5 | Origin of IP | 2. Mostly outside the EU | 42/167 | SEAL-4 | medium | Core service IP is the US-origin VMware stack plus UK-developed orchestration/networking; the bulk of the underlying platform IP originates outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | medium | The critical platform IP (VMware vSphere/vCloud) is held under US (non-EU, single-country) law by Broadcom; Pulsant's own IP is held under UK law, but the load-bearing software IP holder is non-EU. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | Encryption and access controls come as standard, but as a managed VMware IaaS/colocation provider the typical model gives shared key control with provider override rather than exclusive customer-held keys. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | ISO 27001-certified controls imply access logging and audit, but logs are vendor-controlled and not advertised as real-time, independently auditable customer feeds. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion is handled per ISO 27001 internal policy; no published independently verified proof-of-erasure mechanism. |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | No eu_exclusive flag: data is contractually pinned to the UK (a third country), with zero EU/EEA residency. The offer is wholly third-country with contractual safeguards but no EU-exclusivity guarantee -> SOV-3.4 opt2 (seal 0), per key sanity anchor 'no EU-exclusivity guarantee -> SEAL-0'. (src: https://www.pulsant.com/data-sovereignty) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope AI service: Pulsant is an IaaS/colocation provider with no sovereign-AI offering, so there is no foreign-AI/black-box model dependency to penalise -> key judgment-call #2 maps 'no in-scope AI service' to opt4 (seal 3). Normalised with the no-AI cluster members (Brightbox, Fasthosts). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Built on standard VMware/vCloud with standard images and documented export; Pulsant also offers formal migration services, giving good portability away from the platform. |
| SOV-4.2 | Ability to operate without foreign dependencies | 2. Ops partially sourced within EU | 42/167 | SEAL-1 | high | Operations are run by UK-based teams (a third country), not EU-based; from the EU framework's perspective critical ops are delivered outside the EU, with only partial EU sourcing if any. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | high | Engineering and operational staff are UK-based; relative to the EU these skills sit outside the EU/EEA (majority non-EU). |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | high | 24/7/365 live service desks are staffed at UK locations; support is UK-based and therefore majority outside the EU/EEA. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation and knowledge live in the UK/vendor systems; EU-only residency of documentation is not enforced, so it is at best optional rather than EU-confined. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | Relies on non-EU suppliers (VMware/Broadcom, hardware OEMs); under contractual arrangements service could continue temporarily, but the critical software supplier base is non-EU. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Standard x86 server hardware of foreign origin; component provenance is only partially disclosed with no EU-certified supply chain. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers and chips are manufactured abroad (US/Asia); Pulsant does not design or build its own hardware and discloses little manufacturing detail. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS on commodity servers comes from foreign OEMs with at most partial disclosure; no EU-certified firmware provenance. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | medium | foreign_core: core cloud platform is the proprietary US-origin VMware stack (Broadcom), foreign-origin software with partial disclosure wrapped by UK orchestration -> SOV-5.4 opt2 (seal 2 ceiling). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | The load-bearing platform software (VMware) is built and released under non-EU (US) control and execution; Pulsant does not control that build/release pipeline. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | medium | Heavy single-vendor dependency on VMware/Broadcom (non-EU) for the core virtualization platform, plus non-EU hardware vendors; mostly non-EU and not fully documented as substitutable. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers are identifiable (VMware, hardware OEMs) but there is no comprehensive auditable supply-chain transparency program. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based VMware/vCloud virtualization with documented APIs and standard images makes the platform broadly compatible, though VMware brings some proprietary lock-in. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Adopts open/standard formats for core compute and storage but without a published comprehensive open-standards policy across all services. |
| SOV-6.3 | Open source availability | 1. Fully closed-source, vendor-controlled | 0/200 | SEAL-2 | medium | foreign_core: core platform is the closed-source, vendor-controlled VMware stack; no open-source/community-governed platform -> SOV-6.3 opt1 (seal 2 ceiling). |
| SOV-6.4 | Service architecture transparency | 2. Insight accessible during audits | 50/200 | SEAL-2 | low | Architectural insight is available mainly under audit/ISO 27001 scope and NDA; limited deep public transparency into the service architecture. |
| SOV-6.5 | HPC sovereignty | 1. Imported black-box HPC | 0/200 | SEAL-0 | low | No EU-sovereign HPC offering; any high-performance compute would use imported foreign black-box hardware. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 1. EAL0 / none | 0/143 | SEAL-1 | medium | Certs held: ISO 27001, PCI DSS, Cyber Essentials only - no SecNumCloud/EUCS-High/C5+ENS/EAL. Below the ISO+SOC2+C5 (EAL2) threshold -> SOV-7.1 opt1 (seal 1). (src: https://www.pulsant.com/data-sovereignty) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | ISO 27001, PCI DSS, Cyber Essentials and UK GDPR alignment show moderate compliance, but as a UK provider there is no evidence of full audited EU NIS2/DORA compliance. |
| SOV-7.3 | EU-based SOC & incident handling | 3. Primary SOC in EU, escalations non-EU | 72/143 | SEAL-1 | low | Security operations and incident handling are run from UK locations; relative to the EU this is a primary non-EU SOC, but it does map to a single-jurisdiction operations model rather than an EU-confined ENISA-integrated lifecycle. |
| SOV-7.4 | Control over security monitoring/logging | 2. Customers receive periodic reports | 36/143 | SEAL-1 | low | Customers receive monitoring reports and portal access, but security logging is largely provider-controlled and stored in the UK rather than offering full customer-owned EU-resident logs. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Operating under ISO 27001 and UK GDPR implies GDPR/NIS2-aligned breach disclosure, but no published real-time EU CSIRT/ENISA sharing commitments. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operating its own managed estate gives moderate maintenance autonomy with notice and testing, though core VMware patching ultimately depends on the vendor's schedule. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights flag: independent assurance only via ISO 27001/PCI DSS auditors with defined scope; no tender-grade full audit by the contracting authority or any EU body -> SOV-7.7 opt2 (seal 1). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | medium | Pulsant operates ISO 50001-certified facilities and publicly targets an overall PUE of 1.3 by 2030 (on track to surpass its 1.53 target) with a documented roadmap, but does not yet publish a verified figure below 1.3; consistent with PUE under 1.5 plus roadmap -> SOV-8.1 opt3 (seal 4). (src: https://www.pulsant.com/environment-social-and-governance) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | As a data-centre owner with ISO 14001 environmental management, it has documented circular/hardware-lifecycle practices, but no evidence of an EU-certified circular-economy lifecycle. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | Publishes corporate governance/sustainability reporting (ISO 14001), consistent with an annual environmental report, but not a detailed EU-methodology or EU-audited report. |
| SOV-8.4 | Energy supplies | 2. Only EU energy supplies | 63/250 | SEAL-4 | high | Pulsant states its data centres are powered by 100% renewable energy; supplies are UK-sourced (a third country) rather than EU, so this maps to traceable non-EU/single-region renewable supply. (src: https://www.pulsant.com/environment-social-and-governance) |