| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | foreign_parent (US HQ San Antonio, TX, Apollo-controlled) -> entity control entirely outside the EU -> SOV-1.1 opt1. (src: https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001810019&type=10-K) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Already a US-controlled entity majority-owned by US PE firm Apollo; transfer to a non-EU sovereign entity is moot/very unlikely as it is already non-EU controlled. Kept at existing all-SEAL-4 choice. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap set by US corporate leadership; EU customers influence only via voice-of-customer/support channels, no EU governance body -> SOV-1.3 opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Majority owned by US private equity (Apollo Global Management); funding almost entirely non-EU. Kept at existing all-SEAL-4 choice. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | Has EU data centers and some EU staff but bulk of revenue, R&D and employment is in US/India; only some EU economic contribution. Kept at existing all-SEAL-4 choice. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No evidence of participation in EU strategic programs (Gaia-X, IPCEI-CIS). Kept at existing all-SEAL-4 choice. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No public evidence of an action plan aligned with EU industrial/digital sovereignty strategies. Kept at existing all-SEAL-4 choice. |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | Not own_stack (managed/multicloud on non-EU hyperscalers and a US parent), but a managed service with documented data-export/migration tooling and contractual terms under which the service could continue temporarily after a cut-off rather than shutting down immediately -> SOV-1.8 opt3 (seal 2), consistent with US commodity-IaaS peers. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | EU customers served via EU entities under EU law, but US parent/US jurisdiction also apply; jurisdiction is mixed EU/non-EU -> SOV-2.1 opt2. |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | No certified immunity; US-headquartered group with foreign_parent remains exposed to US extraterritorial law despite contractual/GDPR clauses -> SOV-2.2 opt2. |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent (US CLOUD Act/FISA): US authorities can compel data access without customer notification in specific cases -> SOV-2.3 opt2 (seal 1, gates SEAL to 1). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | US export-control/OFAC can restrict service to specific sanctioned EU citizens/orgs, but no EU Member State is under restriction and EU revenue is not a >50% majority -> SOV-2.4 opt2. |
| SOV-2.5 | Origin of IP | 2. Mostly outside the EU | 42/167 | SEAL-4 | medium | Core IP (management platform, tooling) is largely US-originated with some open-source heritage; mostly outside the EU. Kept at existing all-SEAL-4 choice. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | medium | Rackspace IP held by the US parent under US law, single non-EU country -> SOV-2.6 opt1. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | Managed-cloud model: customer-managed keys possible but as managed operator Rackspace retains override/operational access -> shared keys, SOV-3.1 opt3. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Logging/access reporting via platform but largely vendor-controlled, not real-time independently auditable -> SOV-3.2 opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion handled per internal policy with confirmation; no independently verified irreversible-erasure proof -> SOV-3.3 opt3. |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | No eu_exclusive sovereign offer, but Rackspace operates EU data centres (Frankfurt FRA, Amsterdam) designed to keep customer data within the EU under German/EU data-protection law: EU-by-default with tightly controlled exceptions rather than a contractual no-third-country guarantee -> SOV-3.4 opt4 (seal 1). (src: https://www.rackspace.com/lp/germany-data-center) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | medium | AI offerings (FAIR/AI Anywhere) built on US/foreign LLMs and foreign GPU accelerators; mostly non-EU with chip dependency -> SOV-3.5 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Multicloud/OpenStack heritage provides standard documented data export/portability methods -> SOV-4.1 opt3. |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | medium | No eu_ops: critical operations delivered by global teams concentrated in the US and India; the EU cannot operate the stack independently -> SOV-4.2 opt1, consistent with US commodity-IaaS peers. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | Engineering/ops talent is a global workforce concentrated in US/India, majority outside the EU -> SOV-4.3 opt2. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | medium | 24x7 Fanatical Support delivered from a mix of locations including large India centers; majority outside the EU -> SOV-4.4 opt2. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge repositories are global with no enforced EU-only residency -> SOV-4.5 opt2 (EU optional, not enforced). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | Heavy reliance on US hyperscaler subcontractors (AWS/Azure/GCP); a cut-off would stop service with only a reaction delay -> SOV-4.6 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Hardware components foreign-sourced (US/Asia) with at best partial provenance disclosure -> SOV-5.1 opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Server/network hardware of foreign origin (US/Asian ODMs), partial disclosure, not EU-built -> SOV-5.2 opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code from foreign hardware vendors with only partial provenance disclosure. Kept at existing all-SEAL-4 choice. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | medium | foreign_core: sovereign offer built on US-licensed VMware plus US-originated management software; partial disclosure via OpenStack/OSS but maintenance largely non-EU -> SOV-5.4 opt2 (seal 2 ceiling). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | low | Software build/release controlled and executed by US-based engineering org, outside the EU -> SOV-5.5 opt1. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | medium | Critical services depend on non-EU vendors (US parent plus AWS/Azure/GCP hyperscalers); mostly non-EU and largely undocumented for EU customers -> SOV-5.6 opt2. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers/certifications auditable (SOC/ISO) but full supply chain not transparently auditable -> SOV-5.7 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based and broadly compatible: OpenStack/multicloud APIs, S3-compatible storage and Kubernetes alongside proprietary management tooling -> SOV-6.1 opt4, consistent with US commodity-IaaS peers. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Partial adoption of open standards in core services (OpenStack, Kubernetes, standard cloud APIs) -> SOV-6.2 opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | foreign_core: commercial sovereign platform built on US-licensed VMware with centralised US-controlled governance; OSS heritage but core is source-available/vendor-controlled -> SOV-6.3 opt2 (seal 2 ceiling). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Some public architectural insight via OpenStack/docs and reference materials -> SOV-6.4 opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | HPC/GPU capacity is offered in/through EU regions but runs on imported foreign (US/NVIDIA) accelerators and stack: EU-hosted on a foreign stack rather than imported black-box with no EU footprint -> SOV-6.5 opt2 (seal 3), consistent with US commodity-IaaS peers. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | low | No SecNumCloud/EUCS-High/Common Criteria EAL, but holds ISO 27001 plus SOC 2/SOC 3 Type II (and PCI-DSS, HIPAA alignment); per the key's cert map ISO 27001 + SOC 2 -> EAL2-equivalent -> SOV-7.1 opt3 (seal 2). (src: https://www.rackspace.com/compliance/soc) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Strong compliance program (ISO 27001, SOC 2/3, GDPR, HIPAA, PCI-DSS) -> partial compliance to most. Kept at existing all-SEAL-4 choice. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Security ops/incident response run by global teams; hybrid EU/non-EU SOC at best -> SOV-7.3 opt2. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get monitoring/logging via portal but provider retains substantial control; logs not guaranteed EU-resident immutable -> SOV-7.4 opt3 (basic monitoring portal). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure GDPR/NIS2-aligned (moderate compliance) -> SOV-7.5 opt3. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Managed service provides moderate maintenance autonomy with notice and testing windows -> SOV-7.6 opt3. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No tender-grade audit_rights: audit access limited to certification reports (SOC/ISO) under NDA, not full independent audit by any entity -> SOV-7.7 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Modern data centers; plausibly PUE < 1.5 with efficiency roadmap, no EU-verified low PUE published -> SOV-8.1 opt3. |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Documented sustainability/hardware-lifecycle program but not an EU-certified circular lifecycle -> SOV-8.2 opt3. (src: https://www.rackspace.com/about/corporate-sustainability) |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Publishes annual ESG/sustainability reporting without EU-specific audited methodology -> SOV-8.3 opt3 (annual report). (src: https://www.rackspace.com/about/corporate-sustainability) |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Operates globally; energy supply is a mix of EU and non-EU sources. Kept at existing all-SEAL-4 choice. |