| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-1 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 2. Mostly outside the EU | 42/125 | SEAL-1 | high | Not eu_entity: 100% Swiss-owned AG (majority EveryWare AG), HQ Zurich. Switzerland is a third country, not EU/EEA, so legal entity control sits outside the EU -> opt2 'mostly outside the EU' (seal 1; uniform across the Swiss cluster). (src: https://safeswisscloud.com/en/) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Privately owned Swiss company held by Swiss IT firm EveryWare AG; no signals of imminent takeover by a non-EU sovereign entity, but as a small private firm a transfer is not impossible -> 'unlikely' (seal 4 on all options). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | Small independent provider with customer-facing channels but no published EU governance bodies; roadmap influence is voice-of-customer rather than formal EU-actor governance -> opt2 (seal 2). |
| SOV-1.4 | Financial independence from non-EU capital | 3. Balanced mix of EU and non-EU funding | 63/125 | SEAL-4 | low | Funding is Swiss (EveryWare AG), neither EU nor non-EU hyperscaler capital; Swiss capital is non-EU, treated as a balanced/mixed position absent evidence of substantial EU funding (seal 4 on all options). |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | low | Operations and economic footprint concentrated in Switzerland (non-EU) with only some EU-facing customer activity; EU economic contribution is limited (seal 4 on all options). |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No evidence of participation in EU strategic programs (Gaia-X, IPCEI-CIS); positioning is Swiss sovereignty, not EU strategic projects (seal 4 on all options). |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets as a VMware/hyperscaler alternative aligned with European sovereignty themes (cites CISPE), an action-plan-level alignment but without measured governance or dedicated EU industrial means (seal 4 on all options). |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | medium | own_stack partial: vertically integrated Swiss stack (own data centres, OpenStack/open tech, Swiss ops) could source alternatives or internalise key functions if cut off; full autonomy not demonstrated given foreign hardware/chips, and the operator itself is non-EU -> opt4 'source alternatives' (seal 2), not opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Bound primarily by Swiss law (SR 235.1, a third country) with GDPR applying contractually for EU customers; mixed EU/non-EU jurisdiction, not exclusively EU law -> opt2 (seal 1; uniform across the Swiss cluster). (src: https://safeswisscloud.com/en/swiss-secure-compliant/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | Swiss incorporation + Swiss-only data location materially shield from US CLOUD Act, but no certified immunity (no SecNumCloud/EUCS-High) and Swiss law is itself non-EU -> 'legal structures shielding from foreign law' opt4 (seal 2), not verified EU-law immunity. (src: https://safeswisscloud.com/en/swiss-secure-compliant/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: 100% Swiss company, no US/CN hyperscaler parent, Swiss-only hosting; explicitly states it does not fall under the CLOUD Act and would route any foreign request through Swiss MLA channels -> 'requests always rejected' opt5 (seal 4). Consistent with the identical pure-Swiss-no-foreign-parent peers Infomaniak and Nine. (src: https://safeswisscloud.com/en/swiss-secure-compliant/) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | No EU/international export restrictions target it and it derives revenue from European customers; absent EU-MS-specific shielding mechanisms, the revenue-share mid option fits -> opt3 (seal 2). |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | low | Stack built on open-source software (OpenStack, Kubernetes, OpenShift, Ceph/S3) with global community origin plus Swiss integration; IP origin mixed within/outside the EU (seal 4 on all options). |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | Underlying open-source IP held under mixed jurisdictions (global foundations, some EU contributors); not single-country, not fully EU -> opt3 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | Standard IaaS/OpenStack with provider-managed encryption and TFA; no documented customer-exclusive HYOK offering, so shared control with provider override -> opt3 (seal 2). |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | ISO 27001/27017/27018 and ISAE 3000 Type 2 imply audit logging, but logs are vendor-controlled and not advertised as real-time customer-auditable -> opt3 (seal 2). |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001/27018-governed deletion implies policy-based validation; no published cryptographic proof-of-erasure, so internal validation per policy without proof -> opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | Not eu_exclusive: all data hosted exclusively in Switzerland (Interxion/Digital Realty Glattbrugg), a third country, not EU/EEA, with no EU region offered. From an EU-sovereignty standpoint this is partly-EU/significant third-country reliance -> opt2 (seal 0). This is the SEAL-0 gate, shared with the other Swiss-only-hosting peers Infomaniak and Nine. (src: https://safeswisscloud.com/en/cloud-computing/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | Offers sovereign Private AI and Swiss GPU computing with auditable/open models hosted in CH, but relies on foreign GPU accelerators -> EU/Swiss-led AI on foreign accelerators, opt4 (seal 3). Consistent with Infomaniak's equivalent curated open-model AI offering. (src: https://safeswisscloud.com/en/products/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Built on OpenStack with standard APIs and S3-compatible object storage plus positioning as a VMware-migration target, implying documented export and formal migration assistance -> opt4 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 3. Ops balanced EU/non-EU teams | 84/167 | SEAL-3 | low | Not eu_ops: operations run by a Swiss team on a Swiss stack; from an EU perspective these are non-EU teams, landing at the balanced EU/non-EU mid option -> opt3 (seal 3). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | low | Engineering and skills are Swiss-based (non-EU from the framework's view), no evidence of EU-majority staffing; majority of skills sit outside the EU/EEA -> opt2 (seal 1). |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | 24x7 support operated from Switzerland (Zurich/Basel); Swiss support is non-EU/EEA, a mixed/majority-outside-EU position -> opt2 (seal 2). |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation is Swiss/English partly referencing upstream OpenStack manuals; no enforced EU-only knowledge repositories, so EU placement is optional/not enforced -> opt2 (seal 2). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Owns its data centres and uses open-standard software, giving an ability to source alternatives or internalise functions if a subcontractor failed; full autonomy not proven given hardware suppliers -> opt4 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | No public hardware bill-of-materials or component-provenance disclosure beyond '100% SSD'; partial disclosure of physical component origin -> opt2 (seal 1). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Server hardware is foreign-manufactured (x86 OEM/chips) with no EU manufacturing claim; foreign origin with only partial disclosure -> opt2 (seal 1). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | No published firmware/embedded-code provenance for the underlying hardware; standard OEM firmware implies at most partial disclosure (seal 4 on all options). |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | No foreign_core: core platform is open-source (OpenStack, Kubernetes, OpenShift, S3) operated and integrated by the provider, not licensed Google/MS tech; essential parts are maintained/configured in-house, though upstream is global -> opt3 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 3. Non-EU control, EU execution | 72/143 | SEAL-3 | low | Software built/released from open-source upstreams (non-EU/global control) but deployed and operated within Switzerland; non-EU control with regional execution -> opt3 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Owns Swiss data centres but depends on a few non-EU vendors (hardware OEMs, GPU/chip suppliers) for critical components; documented but present non-EU dependency in critical services -> opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | ISO 27001/27017/27018 + ISAE 3000 + C5 give an audit basis covering critical suppliers/facilities, though the broader hardware/chip chain is not fully auditable -> critical suppliers auditable, opt3 (seal 2). Normalised to the same ISO-driven supplier-auditability tier as Nine and the other certified peers. (src: https://safeswisscloud.com/en/swiss-secure-compliant/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | high | Standards-based platform on OpenStack with extensive APIs, Kubernetes/OpenShift and S3-compatible storage, explicitly positioned against proprietary lock-in -> standards-based and broadly compatible, opt4 (seal 3). |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Uses OpenStack, Kubernetes, S3 and other open standards across its core services as a deliberate policy, covering most core services -> opt4 (seal 3). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | No foreign_core: core stack is fully open-source (OpenStack/Kubernetes/OpenShift) but governance of those projects is centralised in external (non-EU) foundations rather than EU-controlled -> open source under centralised governance, opt3 (seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Architecture relies on well-documented open-source components and the provider publishes platform/blog material, giving some public insight into the service architecture -> opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Offers Swiss-hosted GPU computing for AI but the HPC/GPU stack is foreign (NVIDIA-class accelerators); EU/Swiss-hosted on a foreign stack -> opt2 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds ISO 27001/27017/27018 plus German BSI C5 (Cloud Computing Compliance Criteria Catalogue) per its own compliance page. Per key, BSI C5 is a high-assurance national cloud certification mapping to EAL3 -> opt4 (seal 3). Corrects the prior opt1 which ignored the held C5 (key applied uniformly with the other C5 holder, Exoscale). (src: https://safeswisscloud.com/en/swiss-secure-compliant/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | Documented GDPR, Swiss DPA, FINMA, BAFIN, DORA and NIS2 alignment with annual ISO 27001 audits since 2015; broad partial-to-strong compliance to most relevant EU regulations (seal 4 on all options). |
| SOV-7.3 | EU-based SOC & incident handling | 3. Primary SOC in EU, escalations non-EU | 72/143 | SEAL-1 | low | Security operations and incident handling run from Switzerland; from the EU framework's view a non-EU primary SOC, mapped to primary-SOC-with-non-EU-escalation -> opt3 (seal 1). |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | ISO-certified monitoring with customer reporting and a management portal, but not advertised as full direct customer access with logs guaranteed in the EU -> basic monitoring portal, opt3 (seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | States compliance with GDPR and NIS2 incident-disclosure obligations; moderate, GDPR/NIS2-aligned disclosure -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operates its own open-source platform, giving moderate maintenance autonomy with change-management/testing windows; not vendor-locked patch schedules -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: independent assurance exists via ISO 27001 and ISAE 3000 Type 2 audits, but full independent audit by any entity is not offered -> limited independent access, opt2 (seal 1). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Hosts in modern Interxion/Digital Realty Swiss data centres that typically run efficient PUE with sustainability roadmaps; no published figure, so PUE<1.5+roadmap is the reasonable estimate -> opt3 (seal 4). Consistent with the other colo-tenant peers. (src: https://safeswisscloud.com/en/cloud-computing/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Operates in professionally managed colocation facilities with standard hardware lifecycle practices, but no detailed published circular-economy program -> documented program, opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | Publishes sustainability claims (100% renewable, TUV SUD CMS 89) but no full annual environmental report with detailed methodology -> basic reporting, opt2 (seal 1). |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Data centres have run on 100% renewable electricity (water and wind) for over ten years, TUV SUD CMS 89 certified in 2024; green renewable energy supplies (seal 4 on all options). (src: https://safeswisscloud.com/en/swiss-secure-compliant/) |