| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (French SAS, HQ Strasbourg, no non-EU parent) -> entity control entirely within EU -> opt4 (src: https://scalingo.com/qualification-secnumcloud). |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Independent French firm with French/EU investors (BPI, Caisse d'Epargne, BNP Paribas); no non-EU parent, but a small VC-funded company cannot fully exclude a future takeover -> opt4. |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | EU-controlled with own R&D: Scalingo builds and controls its own orchestrator and roadmap as an independent French firm -> full EU-actor influence -> opt4. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Funding rounds entirely from French/EU sources (Side Angels, BPI France, Caisse d'Epargne, BNP Paribas); funding entirely EU-based -> opt5. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, employment, taxation and value creation entirely in France/EU -> opt5. |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | low | Active participant in the French sovereign-cloud ecosystem (SecNumCloud partners) but no documented role in flagship programs (Gaia-X, IPCEI-CIS) -> opt3. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Measured achievement and dedicated governance: explicit sovereignty positioning with a dedicated SecNumCloud-qualification effort and French sovereign infrastructure choice -> opt3. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: EU-maintained orchestrator on EU-sovereign IaaS (its sovereign region runs on 3DS Outscale SecNumCloud osc-secnum-fr1); like the anchor Clever Cloud, no non-EU vendor whose withdrawal halts service, only residual foreign chips, with ability to source alternatives/internalise -> full autonomy & continuity opt5 (src: https://scalingo.com/blog/new-osc-fr1-region). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | French SAS contracting exclusively under French/EU law with all data and infra in France -> exclusively EU law -> opt3 (src: https://doc.scalingo.com/security/overview/compliance). |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity: pure-FR entity with no non-EU parent/nexus, and the scoped sovereign offer runs on 3DS Outscale SecNumCloud-qualified IaaS (same pattern as the anchor Clever Cloud on Cloud Temple), so non-EU law is genuinely unenforceable -> verified legal immunity opt5 (src: https://scalingo.com/qualification-secnumcloud). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: pure-French entity with no US/CN nexus, not subject to CLOUD Act/FISA/PRC compelled access; sovereign-cloud positioning indicates non-EU requests refused -> opt5 (src: https://scalingo.com/qualification-secnumcloud). |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | low | EU-based provider not subject to non-EU export-control regimes; the French sovereign offer is shielded from restrictions toward EU Member States and international organisations (consistent with the anchor Clever Cloud) -> opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core orchestrator developed in France by the Scalingo team; IP mostly within the EU atop third-party open-source components of varied origin -> opt4. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Scalingo's own software IP held by the French company under EU law -> fully under EU law -> opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | Scoped SecNumCloud sovereign offer (on 3DS Outscale) provides customer-managed/BYOK encryption keys with customer primary control, consistent with the anchor Clever Cloud; provider can still read data operationally -> opt4 (seal 3). |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | SecNumCloud-grade sovereign offer (on 3DS Outscale) gives full customer-controlled visibility of access logs and data flows (audit-mandated), consistent with the anchor Clever Cloud, though not necessarily real-time -> opt4 (seal 3). |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | SecNumCloud/HDS processes (via the Outscale SecNumCloud region) give deletion technically verified with access logs rather than policy-only, consistent with the anchor Clever Cloud -> opt4 (seal 3) (src: https://scalingo.com/blog/scalingo-iso27001-hds-certifications-next-secnumcloud). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: all datacenters in France/EU, stated no data transfer outside EU, no third-country fallback -> opt5 (src: https://scalingo.com/datacenters). |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope native AI service (only AI-friendly open-source vector DBs); no foreign-AI dependency -> opt4 (seal 3) per key. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 5. Already deployed on sovereign infrastructure | 167/167 | SEAL-4 | high | Heroku-compatible open PaaS already deployed on sovereign French infrastructure with documented export and Git-based deployment -> opt5. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: entire stack operated by Scalingo's French team on French IaaS -> fully EU-based team -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Small French company, engineering/ops staff in France (all-EU staff), no documented security-clearance program -> opt4. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Human support delivered by the French team, EU-based, no documented security clearances -> opt4. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation and engineering knowledge produced and held by the EU team; primary repositories EU-only, consistent with the anchor Clever Cloud -> opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Primary subcontractor is French IaaS 3DS Outscale (Dassault); contractual continuity and ability to source alternatives/internalise key functions -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Hardware sourced through EU-sovereign IaaS partner 3DS Outscale (SecNumCloud), whose component provenance is transparent under audit with exceptions for foreign silicon, consistent with the anchor Clever Cloud -> opt3 (seal 3). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | low | Underlying hardware is foreign-designed but operated through EU-sovereign partner 3DS Outscale under SecNumCloud audit rights (mixed sourcing, EU audit rights), consistent with the anchor Clever Cloud -> opt3 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode (BIOS, NICs, drives) foreign and proprietary with partial disclosure -> opt2 (seal 4). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: core orchestrator and platform software designed/maintained by the French team atop open-source; large majority EU-maintained -> opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software developed and released by the French team under EU control and execution; no documented formal EU policy gates -> opt4. |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | medium | Critical services (own software + EU-sovereign Outscale SecNumCloud IaaS) carry no non-EU vendor dependency; remaining non-EU dependency is residual non-critical hardware/chips, documented, consistent with the anchor Clever Cloud -> opt4 (seal 3). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | Under the SecNumCloud audit regime (via 3DS Outscale) plus ISO 27001, most suppliers are auditable end-to-end, consistent with the anchor Clever Cloud -> opt4 (seal 3) (src: https://scalingo.com/qualification-secnumcloud). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | Heroku-compatible buildpack/Git-based open PaaS with standard APIs and documented export; open-by-default with portability -> opt5. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Built around open standards (HTTP, Git, buildpacks, standard DB protocols, S3-compatible storage) across most core services -> opt4. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | low | Heavily built on open-source and supports open runtimes/DBs, but the core orchestrator is proprietary and vendor-governed -> open source, centralised governance -> opt3 (seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Substantial public documentation/blogs on architecture and sovereignty model -> some public insight -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No in-scope HPC service -> EU-hosted, no own HPC stack -> opt2 (seal 3) per key (no in-scope HPC). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Scoped sovereign offer runs on 3DS Outscale SecNumCloud-qualified IaaS (osc-secnum-fr1), exactly the anchor Clever Cloud pattern; SecNumCloud 3.2 maps to EAL3 per the key -> opt4 (seal 3) (src: https://scalingo.com/qualification-secnumcloud). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | ISO 27001 and HDS certified, EU-resident data, GDPR-aligned; partial compliance to most EU regimes, no full NIS2/DORA independent attestation -> opt4 (src: https://doc.scalingo.com/security/overview/compliance). |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and incident handling run by the French team in the EU with EU threat intel; no documented ENISA/CSIRT sharing -> entire lifecycle by EU teams -> opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get full direct access to application logs/monitoring with data stored in the EU under the SecNumCloud region, consistent with the anchor Clever Cloud; tamper-proof immutability not specifically documented -> opt4 (seal 3). |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | low | Incident disclosure under NIS2/DORA with monitored notification flow and SLAs, consistent with the anchor Clever Cloud; not full real-time CSIRT sharing -> opt4 (seal 3). |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | Managed PaaS auto-patches OS/databases/stacks and the EU team deploys maintenance independently -> high maintenance autonomy -> opt4. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights: the scoped SecNumCloud-grade sovereign offer (on 3DS Outscale, same basis as the anchor Clever Cloud on Cloud Temple) implies full audit rights for the contracting authority and independent EU bodies -> full independent audit opt5 (src: https://scalingo.com/qualification-secnumcloud). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Runs on 3DS Outscale's modern French datacenters targeting efficient PUE around/below 1.5 with roadmaps; Scalingo publishes no own PUE -> opt3 (seal 4) (src: https://scalingo.com/datacenters). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Hardware lifecycle managed by IaaS partner 3DS Outscale with documented hardware-reuse/recycling practices -> documented program -> opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | low | Environmental reporting follows EU methodology via the 3DS Outscale SecNumCloud datacenters plus Scalingo's own ISO-framework reporting, consistent with the anchor Clever Cloud -> detailed EU methodology opt4 (seal 3). |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Powered via French/EU grid (largely low-carbon) through Outscale datacenters; treated as mix of EU supplies without a verified fully-green dedicated guarantee -> opt3. |