| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: Rapid.Space is operated by VIFIB SARL, a wholly owned subsidiary of Nexedi SA, both French companies incorporated in France (Lille/Hauts-de-France); no controlling non-EU parent (the China zone is a separate sister company with no capital relation) -> entity control entirely within the EU -> opt4 (src: https://handbook.rapid.space/NXD-Presentation.Rapid.Space.Hyper.Open.Cloud?portal_skin=Slide). |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Founder-run French group (Nexedi/VIFIB), self-funded Free Software publisher with no disclosed non-EU capital and a strong sovereignty/ethos posture; takeover/transfer to a non-EU sovereign entity appears very unlikely -> opt5. |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | EU-controlled with own R&D: Nexedi/VIFIB build and govern the entire stack (SlapOS, re6st, Caucase, ERP5) and set the roadmap internally with no foreign-vendor constraint -> full EU-actor influence -> opt4. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Self-funded/bootstrapped French Free Software publisher with no disclosed non-EU venture capital; funding is effectively entirely EU-based -> opt5. |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | R&D, leadership and most operations are in France/EU, but Nexedi operates internationally with engineers and subsidiaries also in Russia, Asia and South America (and a China cloud), so economic contribution is majority-EU rather than fully -> opt4 (src: https://www.nexedi.com/NXD-Presentation.Status.Roadmap?portal_skin=Slide). |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | Active participant in EU open-source/sovereignty ecosystem (Open Compute Project member, SimpleRAN, major EU Free Software publisher) but no documented anchor role in Gaia-X/IPCEI-CIS megaprojects -> active participant -> opt3 (src: https://www.rapid.space/about/). |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Explicit, well-articulated digital-sovereignty strategy (100% open source + open hardware + zero-knowledge architecture, published handbook) with dedicated governance, but measured-achievement scale rather than a national-flagship 'bold ambition + dedicated means' -> opt3 (src: https://handbook.rapid.space/rapidspace-Blog.Digital.Sovereignty). |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: 100% open-source platform (SlapOS, re6st, Caucase) on Open Compute hardware whose designs and procedures are fully published, deployable on own/third-party/on-premise infra; no non-EU vendor whose withdrawal halts service (only residual foreign-fabbed chips), with documented ability to internalise/source alternatives -> full autonomy & continuity -> opt5 (src: https://handbook.rapid.space/NXD-Presentation.Rapid.Space.Hyper.Open.Cloud?portal_skin=Slide). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | French SARL operating its EU offer under French/EU law; the EU service has no non-EU jurisdictional nexus (the China service is a legally separate sister company) -> exclusively EU law -> opt3 (src: https://handbook.rapid.space/NXD-Presentation.Rapid.Space.Hyper.Open.Cloud?portal_skin=Slide). |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with structural separation (independent per-country companies, zero-knowledge architecture explicitly designed to contain foreign-government interference) but immunity is NOT certified (no SecNumCloud 3.2 / EUCS-High) -> legal structures shielding from foreign law -> opt4 (seal 2); this is the legal-axis ceiling, same pattern as Alwaysdata (src: https://handbook.rapid.space/rapidspace-Blog.Digital.Sovereignty). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: pure-FR entity with no US/CN nexus for the EU offer, not subject to US CLOUD Act/FISA/PRC compelled access; zero-knowledge design and per-country isolation mean foreign requests have no compellable target and would be rejected -> requests always rejected -> opt5 (src: https://handbook.rapid.space/rapidspace-Blog.Digital.Sovereignty). |
| SOV-2.4 | Export control restrictions | 4. Part of offer shielded from restrictions towards EU MSs | 125/167 | SEAL-3 | low | Pure-FR provider serving EU with a fully open-source/open-hardware stack subject to no foreign export-control regime; the EU offer is shielded from restrictions toward EU Member States -> opt4 (seal 3), consistent with Alwaysdata. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform IP (SlapOS, re6st, Caucase, ERP5, Wendelin) developed in-house in France by Nexedi atop permissive open source; IP origin mostly within the EU -> opt4. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Nexedi/VIFIB's own software IP is held by the French companies under French/EU law and released as Free Software; no controlling non-EU IP holder -> fully under EU law -> opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | medium | Zero-knowledge architecture with per-user PKI (Caucase) so credentials/keys are held by the user/their server, not a central provider database; customer holds primary key control though the provider operating the VM can technically read in-use data -> customer primary control -> opt4 (seal 3) (src: https://handbook.rapid.space/rapidspace-Blog.Digital.Sovereignty). |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | Radical-transparency model with fully published architecture/procedures and customer-controllable logging via the open stack gives full customer-controlled visibility of data flows, though not positioned as real-time independent oversight -> opt4 (seal 3). |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows platform policy on the open stack; no published cryptographic proof-of-erasure or independent verification and no high-assurance certification mandating logged technical verification, so internal validation per policy -> opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | EU offer hosts in France/Germany/Sweden/Netherlands (all EU/EEA) so EU-by-default, but the same product line is also offered outside the EU (China via the sister company) and there is no SecNumCloud-grade contractual no-third-country-fallback guarantee, so it is EU-by-default with controlled exceptions rather than contractually EU-exclusive -> opt4 (seal 1). More conservative than the SecNumCloud peers' opt5 because no binding eu_exclusive commitment is published (src: https://www.rapid.space/products/). |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | The only in-scope AI offer (Big Data Hub) runs open-source EU-developed tooling (Wendelin, wendelin.core, Python data stack) with optional on-premise NVIDIA GPU acceleration -> EU-led AI on foreign accelerators -> opt4 (seal 3) (src: https://www.rapid.space/products/ai/). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 5. Already deployed on sovereign infrastructure | 167/167 | SEAL-4 | high | Fully open, reversible and replicable: published source code, hardware designs and operating procedures let customers redeploy on own/OCP hardware, third-party clouds or on-premise; standards-based, no lock-in -> already deployable on sovereign infrastructure -> opt5 (src: https://handbook.rapid.space/NXD-Presentation.Rapid.Space.Hyper.Open.Cloud?portal_skin=Slide). |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | Operations led from France on an EU-controlled open stack, but Nexedi's ~35 engineers are mainly in France yet also in other EU countries, Russia, Asia and South America, so the operating team is predominantly-but-not-exclusively EU-based -> ops predominantly EU-based -> opt4 (seal 3) (src: https://www.nexedi.com/NXD-Presentation.Status.Roadmap?portal_skin=Slide). |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | medium | Engineering staff are mainly in France/EU but a meaningful share sit outside the EU (Russia, Asia, South America); majority-EU with non-EU staff/escalation rather than all-EU -> opt3 (src: https://www.nexedi.com/NXD-Presentation.Status.Roadmap?portal_skin=Slide). |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | medium | Support is delivered by the same globally-distributed Nexedi team (mainly EU but also non-EU locations), so majority-in-EU with non-EU escalation rather than all-EU support staff -> opt3. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation (the public Handbook, code, procedures) is openly published worldwide and produced by a globally-distributed team; EU-primary with effective non-EU exposure/fallback rather than EU-only repositories -> opt3 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Suppliers are colocation facilities and commodity OCP hardware vendors; because the stack is fully open and the company owns/controls its software and OCP hardware designs, it can source alternative facilities/suppliers or internalise functions -> ability to source alternatives or internalise -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | Open Compute hardware with publicly documented designs (e.g. MiTAC OCP Tioga Pass, Edgecore networking, recertified OCP via ITRenew) gives transparent component sourcing, with foreign silicon as the exception -> transparent with exceptions -> opt3 (seal 3) (src: https://www.mitac.com/en-global/news_room/detail/MiTAC_OCP_TiogaPass_Nexedi_Edgecore). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | low | Servers follow open OCP designs but are manufactured by foreign/global OCP vendors (MiTAC, ITRenew); open designs plus EU audit/transparency give mixed sourcing with EU audit rights rather than EU-built -> opt3 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | CPU/GPU microcode, BIOS and NIC firmware on the commodity OCP hardware are foreign and proprietary with only partial disclosure despite the open hardware designs -> partial disclosure -> opt2 (seal 4). |
| SOV-5.4 | Origin of software | 5. Exclusively designed/maintained by EU teams | 143/143 | SEAL-4 | high | NOT foreign_core: the entire platform is exclusively open-source software designed and maintained by the EU team (SlapOS, re6st, Caucase, ERP5, Wendelin); no licensed Google/MS/AWS core -> exclusively designed/maintained by EU teams -> opt5 (seal 4) (src: https://handbook.rapid.space/NXD-Presentation.Rapid.Space.Hyper.Open.Cloud?portal_skin=Slide). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software is developed and released by Nexedi's EU-controlled engineering organisation on open infrastructure; EU control & execution, without an evidenced formal EU policy-gate regime -> opt4. |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | medium | Critical services (own open-source software + EU colocation) carry no non-EU vendor dependency; the remaining non-EU dependency is residual non-critical commodity hardware/chips, documented via the open hardware designs -> few non-EU non-critical, documented -> opt4 (seal 3). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | Radical transparency means hardware designs, software source and operating procedures are all public and the open OCP supply chain is documented, making most suppliers auditable end-to-end -> most suppliers auditable -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | Open-by-default with full portability: open APIs/procedures, OS-neutral, standards-based, source and hardware designs published so the whole service can be replicated or migrated -> opt5 (src: https://handbook.rapid.space/NXD-Presentation.Rapid.Space.Hyper.Open.Cloud?portal_skin=Slide). |
| SOV-6.2 | Open standards compliance | 5. Policy for all core services | 200/200 | SEAL-4 | medium | Open standards across the stack as a matter of explicit policy: Open Compute hardware, open networking (re6st/IPv6), open PKI (Caucase), standard protocols for all core services -> policy for all core services -> opt5 (src: https://www.rapid.space/about/). |
| SOV-6.3 | Open source availability | 5. Fully open-source, independent/EU governance | 200/200 | SEAL-4 | high | Fully open-source: 100% of the platform (SlapOS, re6st, Caucase, ERP5, Wendelin) is published as Free Software by Nexedi, an independent EU Free Software publisher -> fully open-source, independent/EU governance -> opt5 (src: https://handbook.rapid.space/NXD-Presentation.Rapid.Space.Hyper.Open.Cloud?portal_skin=Slide). |
| SOV-6.4 | Service architecture transparency | 5. Customers can contribute to adapt/enhance | 200/200 | SEAL-4 | high | Radical transparency: source code, hardware designs, operating procedures, cost structure and the full Handbook are public and customers can fork/extend and contribute to the open-source platform and open hardware -> customers can contribute to adapt/enhance -> opt5 (src: https://handbook.rapid.space/NXD-Presentation.Rapid.Space.Hyper.Open.Cloud?portal_skin=Slide). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Any AI/data-engineering acceleration (Big Data Hub) is EU-hosted but runs on a foreign accelerator stack (NVIDIA GPUs); no EU-designed HPC silicon -> EU-hosted, foreign stack -> opt2 (seal 3), consistent with the OVHcloud/peer treatment (src: https://www.rapid.space/products/ai/). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 1. EAL0 / none | 0/143 | SEAL-1 | medium | No high-assurance certification found (no SecNumCloud / EUCS / C5 / ENS / ISO 27001 / Common Criteria EAL) -> EAL0/none -> opt1 (seal 1). A genuine SEAL-1 floor: despite radical openness there is no certification to map to an EAL-equivalent, same treatment as Alwaysdata and per directive not inflated (src: https://www.rapid.space/about/). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | low | GDPR-aware EU provider with EU hosting and a sovereignty posture, but no independently audited NIS2/DORA compliance and no published security certifications -> moderate compliance -> opt3. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | No dedicated 24/7 EU SOC is advertised; security/incident handling is performed by the small, globally-distributed Nexedi team (partly non-EU), so a hybrid EU/non-EU capability rather than a full EU SOC lifecycle -> opt2 (seal 1). |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get monitoring/logging via the open stack and published procedures, but no immutable tamper-proof EU-stored security-logging guarantee is documented -> basic monitoring portal -> opt3 (seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | As an EU provider it is bound by GDPR/NIS2 breach-notification duties; disclosure is moderate and regulation-aligned without an evidenced real-time CSIRT-sharing SLA -> moderate (GDPR/NIS2-aligned) -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 5. Full autonomy (deploy independently, with checks) | 143/143 | SEAL-4 | medium | Operating a fully open-source stack on its own/OCP hardware, Rapid.Space (and its customers) have full autonomy to schedule, test and deploy patches independently with their own checks -> full autonomy -> opt5. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights of tender grade: no certification bodies and no contractual full-audit regime for the contracting authority/independent EU bodies; radical source/procedure transparency gives review access but not a bound independent audit right -> audits only via (absent) certification/limited independent access -> opt2 (seal 1). SEAL-1 floor, same as Alwaysdata. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Favours low-PUE datacenters (partner Hydro66 in Sweden cited at PUE 1.07, nuclear/hydro regions) and deploys efficient hardware, but Rapid.Space publishes no single own verified PUE across all zones, so PUE<1.5 + roadmap -> opt3 (seal 4) (src: https://www.rapid.space/features/recycled/). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | medium | Documented hardware-reuse program: deploys recertified/refurbished Open Compute servers (via ITRenew circular-economy process) to extend server lifecycles and cut CO2, a documented program rather than an EU-certified lifecycle -> documented program -> opt3 (seal 3) (src: https://www.rapid.space/features/recycled/). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Publishes CO2/efficiency rationale and PUE figures for its hardware-reuse and energy choices as part of its transparency posture, amounting to an annual/public environmental report rather than a detailed audited EU methodology -> opt3 (seal 2) (src: https://www.rapid.space/features/recycled/). |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | medium | Deliberately sites EU capacity in low-carbon grids (nuclear France, hydroelectric Sweden via Hydro66) so EU energy is sourced with a high renewable/low-carbon mix -> only EU energy supplies (high renewable) -> opt4 (src: https://www.rapid.space/features/recycled/). |