| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: Seeweb (Italian, founded 1998) is wholly owned by DHH (Dominion Hosting Holding S.p.A.), Milan-based and listed on Euronext Growth Milan, controlled by Italian founders/management/investors; entity entirely within the EU -> SOV-1.1 opt4. (src: https://www.seeweb.it/en/company/about-us) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | DHH is a listed Italian small-cap controlled by Italian founders (Baldassarra/Sica) and Italian PE (Alkemia); a non-EU takeover is conceivable for a publicly traded company but not currently signalled -> unlikely (opt4). |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | Seeweb controls its own product roadmap as an autonomous EU-owned company; EU actors (the company and its EU customers) have full influence -> opt4. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Funding comes from DHH (Italian listed entity) and Italian shareholders/PE (Alkemia Capital Partners); no evidence of non-EU capital -> entirely EU-based funding (opt5). |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | All Italian data centres (Milan, Sesto San Giovanni, Frosinone), staff and operations are in Italy/EU; economic contribution fully within the EU (opt5). (src: https://www.seeweb.it/en/data-center/our-data-centers) |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | Founding/board member of Consorzio Italia Cloud (Italian national cloud for PNRR/PA) and ACN-qualified; active participant in strategic national/EU cloud projects, no confirmed Gaia-X/IPCEI-CIS lead role (opt3). (src: https://www.seeweb.it/en/company/european-cloud) |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Explicitly aligns with EU sovereignty/industrial goals (European cloud positioning, AI Act, renewable energy, Consorzio Italia Cloud governance) with measured achievement and dedicated governance, not a flagship multi-billion-euro programme (opt3). |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: EU-owned operator of its own datacentres and EU-maintained software stack with no non-EU hyperscaler dependency (only residual foreign chips as hardware); vertically integrated EU provider with continuity -> Full autonomy & continuity (opt5). (src: https://www.seeweb.it/en/data-center/our-data-centers) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Seeweb states it operates exclusively European infrastructure under the exclusive jurisdiction of the EU; as an Italian company with Italian DCs it is governed exclusively by EU/Italian law -> opt3. (src: https://www.seeweb.it/en/company/european-cloud) |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity: pure-Italian entity with no non-EU parent and an ACN QI2/QC2 sovereign qualification for critical Italian PA data (same high-assurance national-cloud basis as the Aruba anchor's QC3, treated as SecNumCloud-equivalent per key (c)); the scoped sovereign offer is unreachable by non-EU law -> Verified legal immunity (opt5). (src: https://www.acn.gov.it/portale/en/w/ia-3298) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent (no non-EU parent or US/CN presence); not subject to CLOUD Act/FISA/PRC compelled access; requests from non-EU authorities are unenforceable/rejected -> opt5. |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | low | Offer built on EU-controlled infrastructure/software with no non-EU vendor able to impose export controls against EU MSs or international orgs; inferred from full EU ownership and operations -> opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Seeweb/DHH IP (control plane, managed services, open-source contributions like Cheshire Cat) is developed in-house in the EU; integrates third-party open-source and foreign hardware IP -> mostly within the EU (opt4). |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | IP holder is Seeweb/DHH, an Italian entity; its own IP is held fully under EU law (foreign hardware-vendor IP is separate) -> opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | As IaaS/PaaS, Seeweb offers customer-managed encryption typical of the segment, but absent published HYOK/confidential-computing guarantees the provider technically retains access; customer primary control but provider can read data (opt4). |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | Under the ACN QI2/QC2 sovereign offer Seeweb provides comprehensive customer-accessible activity/access logs in its EU DCs (full customer-controlled visibility, same basis as the Aruba anchor), though not documented as real-time independently auditable -> full customer-controlled visibility (opt4). (src: https://www.seeweb.it/en/company/certifications) |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | medium | Under ACN QI2/QC2 sovereign qualification plus full ISO 27001/27017/27018 controls and comprehensive logging (same basis as the Aruba anchor), deletion is technically verified with access logs -> opt4. (src: https://www.seeweb.it/en/company/certifications) |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | medium | eu_exclusive (scoped sovereign offer): the ACN-qualified VPC/Cloud Server offer runs in Seeweb's Italian datacentres (Milan, Frosinone, Sesto San Giovanni) with EU-only storage and processing and no third-country fallback; the broader DHH/Seeweb Swiss colocation footprint (Lugano/Zurich) is outside the scoped EU offer, mirroring the Aruba anchor basis -> exclusively EU (opt5). (src: https://www.acn.gov.it/portale/en/w/ia-3298) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | AI offering (Cloud/Serverless GPU, open-source Cheshire Cat) is EU-operated and supports open/auditable models hosted in the EU but relies on foreign accelerators (NVIDIA H100/H200/A100, AMD MI300X) -> EU-led AI on foreign accelerators (opt4). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based IaaS/PaaS (cloud servers, Kubernetes, managed DBs) with documented data export; positions itself as a migration target from non-EU providers and offers formal migration support -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: operations run by Seeweb's own Italian teams on its own infrastructure; entire stack managed by an EU-based team -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Staff and engineering based in Italy/EU; all staff EU-based, formal national-security clearances not documented -> All EU staff (opt4). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support provided by Seeweb's Italian operation in Italian/English from the EU; all support staff in the EU without documented security clearances -> opt4. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation/knowledge maintained in-house by the EU-based team (docs.seeweb.it); EU-only primary repositories, inferred from fully EU operations -> opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Owns its datacentres and core operations; for non-critical foreign-supplier (hardware) dependencies it can source alternatives or internalise, ensuring continuity without immediate shutdown -> opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Server hardware components (servers, NVIDIA/AMD GPUs) are foreign-made, but as an ISO 27001-certified operator running its own EU DCs Seeweb provides component transparency to customers/auditors with exceptions (same basis as the Aruba anchor); provenance not EU-certified -> transparent with exceptions (opt3). (src: https://www.seeweb.it/en/company/certifications) |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Server hardware is foreign-designed/mixed-sourced but deployed, integrated and operated in Seeweb's own EU datacentres under ISO-audited supply-chain controls (EU audit rights), matching the uniform key for EU sovereign providers -> mixed sourcing, EU audit rights (opt3). (src: https://www.seeweb.it/en/data-center/our-data-centers) |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Embedded firmware (BIOS, BMC, GPU/NIC) from foreign OEMs with only partial provenance disclosure typical of any EU operator using commodity hardware (opt2). |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | NOT foreign_core: core/essential platform software (control plane, managed services) is built and maintained by Seeweb's EU teams and leverages open source; not licensed Google/MS tech -> core maintained by EU teams (opt3, seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Software build and release controlled and executed by Seeweb's EU-based engineering teams; EU control and EU execution (opt4). |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | medium | own_stack: foreign chips/GPUs are documented, substitutable non-critical-at-platform-level inputs (Seeweb owns its DCs and the EU-maintained core), matching the uniform key for EU sovereign providers -> few non-EU non-critical, documented (opt4). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | medium | Running its own EU DCs under ISO 27001 / CISPE supplier governance, most suppliers are auditable beyond just the critical few (same basis as the Aruba anchor) -> most suppliers auditable (opt4). (src: https://www.seeweb.it/en/company/certifications) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces (standard cloud APIs, Kubernetes, S3-compatible storage) enabling portability -> opt4. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | low | Open standards (Kubernetes, OpenStack-style APIs, S3, standard DB engines) adopted as policy across most core services -> opt4. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | Open-source-oriented (Green Web Foundation, open-source AI Cheshire Cat, open-source-based managed services), but the underlying platform is not fully open-sourced under independent governance; not foreign_core -> open source, centralised governance (opt3, seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Public documentation and architectural insight via docs and product pages -> some public insight (opt3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/GPU compute is EU-hosted but runs on a fully foreign stack (NVIDIA/AMD accelerators and software) -> EU-hosted, foreign stack (opt2, seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds full ISO 27001/27017/27018 suite + CSA STAR + Italian ACN QI2/QC2 sovereign qualification for critical PA data; per key, high-assurance national-cloud certification (ENS-High / ACN-grade) maps to EAL3 (opt4), same basis as the Aruba anchor's QC3 -> opt4. (src: https://www.seeweb.it/en/company/certifications) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | Holds ISO 27001:2022, 27017, 27018, 22301, 20000-1, CISPE code, CSA STAR L1, ACN-qualified (QI2/QC2), states GDPR/AI Act compliance; partial compliance to most EU regulations, no explicit DORA/NIS2 attestation published (opt4). (src: https://www.seeweb.it/en/company/certifications) |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and incident handling run by Seeweb's EU/Italian teams (ISO 22301/27001, ACN qualification); entire lifecycle by EU teams, formal ENISA/CSIRT real-time sharing not documented -> opt4. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers have direct access to monitoring/logs via the panel with logs stored in EU datacentres; tamper-proof immutable logging not explicitly documented -> full direct access, logs stored in EU (opt4). |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | Incident disclosure GDPR/NIS2-aligned with ISO 22301 business-continuity and monitored SLAs (same basis as the Aruba anchor); real-time CSIRT integration not explicitly evidenced -> partial compliance, monitored flow, SLAs (opt4). (src: https://www.seeweb.it/en/company/certifications) |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Manages its own maintenance with customer notice/testing windows typical of an EU operator controlling its stack -> moderate autonomy (opt3). |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights: the ACN-qualified sovereign offer for critical Italian PA data implies tender-grade full audit rights for the contracting authority and independent EU bodies (same basis as the Aruba anchor) -> full independent audit (opt5). (src: https://www.acn.gov.it/portale/en/w/ia-3298) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Modern efficient datacentres with ISO 14001 and DNSH compliance; no public PUE figure, conservatively PUE<1.5 with sustainability roadmap rather than a verified sub-1.2 value -> opt3. |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | ISO 14001 and DNSH compliance imply a documented hardware lifecycle/recycling program, though not an EU-certified circular-economy lifecycle -> documented program (opt3). |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | low | Reports environmental performance under ISO 14001 with a detailed DNSH/certified-renewable methodology (same basis as the Aruba anchor) rather than a bare annual report -> detailed EU methodology (opt4). (src: https://www.seeweb.it/en/company/certifications) |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Runs all servers on certified renewable energy in EU datacentres and is a Green Web Foundation Gold Partner -> only green EU energy supplies (opt5). (src: https://www.seeweb.it/en/company/certifications) |