| ID | Sovereignty dimension | SEAL |
|---|---|---|
| SOV-1 | Strategic Sovereignty | SEAL-3 |
| SOV-2 | Legal & Jurisdictional Sovereignty | SEAL-4 |
| SOV-3 | Data & AI Sovereignty | SEAL-3 |
| SOV-4 | Operational Sovereignty | SEAL-3 |
| SOV-5 | Supply Chain Sovereignty | SEAL-3 |
| SOV-6 | Technology Sovereignty | SEAL-3 |
| SOV-7 | Security & Compliance Sovereignty | SEAL-3 |
| SOV-8 | Environmental Sustainability | SEAL-3 |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: StackIT GmbH & Co. KG is wholly owned by the German Schwarz Group (Schwarz Digits), headquartered in Neckarsulm, with no non-EU parent -> opt4 (entirely within EU). (src: https://schwarz-digits.de/en/product-portfolio/cloud/stackit) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Privately held by the Schwarz family group; management has publicly ruled out an IPO to avoid foreign-investor dependencies, making a non-EU takeover very unlikely. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | Built on OpenStack/Kubernetes with active upstream contribution and DACH customer focus; EU actors can influence roadmap through community governance and customer channels -> opt3 (governance bodies with EU participation). |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Self-financed by the Schwarz Group (Lidl/Kaufland owner); EUR 11bn European investment funded internally with no non-EU capital and explicitly no IPO. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, data centers, staff and parent group are entirely EU-based (Germany/Austria), so economic contribution is fully in the EU. |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | medium | Founding supporter of Gaia-X and a flagship German sovereign-cloud effort with an EUR 11bn digital-sovereignty investment; strong participation in EU strategic programs. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Clear sovereign-cloud strategy with dedicated means (Schwarz Digits division, large DC build-out) and measured execution, aligned with EU industrial/sovereignty goals. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: vertically integrated EU provider running its own open-source-based stack in its own German/Austrian DCs with EU teams and documented continuity; foreign chips are residual hardware only -> opt5 (full autonomy and continuity). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Provider, management and data centers operate exclusively under German/EU law in Germany and Austria with no foreign legal entity in the chain -> opt3 (exclusively EU law). (src: https://www.stackit.de/en/data-sovereign-cloud/) |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity rule (a): StackIT is a pure-EU (German) entity with no non-EU parent, subsidiary or operational nexus a foreign authority could compel; non-EU laws are genuinely unenforceable against it -> opt5 (verified legal immunity), seal 4. |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | high | No foreign_parent and no non-EU nexus means foreign authorities have no compulsion pathway; as a German company with data centers exclusively in Germany and Austria StackIT is not subject to the US CLOUD Act or FISA 702 and would reject such requests -> opt5 (requests always rejected). (src: https://www.stackit.de/en/data-sovereign-cloud/) |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | Fully EU-based provider with EU-sourced software and operations; offering is not subject to non-EU export-control restrictions toward EU Member States or international orgs -> opt5. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | medium | Core platform IP (OpenStack/Kubernetes-based, EU-maintained integrations) is EU-developed, but builds on internationally developed open-source projects, giving a mixed within/outside EU IP origin. |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | medium | Proprietary platform IP is held by the German entity under EU law; underlying open-source components carry permissive licenses, so EU law applies with some external exceptions -> opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | high | STACKIT KMS offers HSM-backed customer-managed keys (FIPS 140-2 Level 3) that never leave the HSM and remain in German DCs, enabling customer-exclusive control so the provider cannot read data -> opt5. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | Provides customer-accessible logging/observability (OTLP, audit logs) with data confined to EU DCs; full real-time independent auditability is not clearly guaranteed -> opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | Operates under C5 Type 2/ISO 27001 deletion controls with audit logs in its own German DCs, giving deletion that is technically verified with access logs -> opt4 (key: technically verified w/ logs). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: all data collection, storage AND processing happen exclusively in Germany (eu01) and Austria (eu02) with no third-country fallback -> opt5. (src: https://docs.stackit.cloud/platform/regions/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | AI Model Serving hosts EU-led, auditable open-source models (Llama, Mistral) in German DCs on foreign accelerators -> opt4 (EU-led AI, foreign accelerators). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Built on open standards (Kubernetes, S3-compatible APIs, Apache Iceberg, Terraform) preventing lock-in, with documented export methods and formal migration tooling -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: entire stack is operated by EU-based (Neckarsulm) teams on EU infrastructure with no non-EU operational dependency for running the service -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering and operations staff are based in Germany (Neckarsulm) serving the DACH region; no evidence of dedicated security-clearance program for choice 5 -> opt4 (all EU staff). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support is delivered by German/EU-based staff for the DACH market; no documented security-clearance requirement to reach choice 5 -> opt4 (all support staff in EU). |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | medium | Documentation and knowledge resources are EU-maintained (German-led docs and teams), with primary repositories in the EU -> opt4 (EU-only primary repositories). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Open-source-based stack on EU-owned DCs means most subcontractor dependencies (e.g., hardware vendors) are replaceable; StackIT could source alternatives or internalise -> opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Standard x86 servers use disclosed foreign-origin components (Intel/AMD CPUs, NVIDIA GPUs); sourcing is transparent with exceptions -> opt3 (key: transparent sourcing). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | low | Hardware is mixed-sourced from foreign OEMs/ODMs but deployed and operated in StackIT's own EU DCs under C5 audit rights -> opt3 (key: mixed sourcing, EU audit rights). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode on CPUs, GPUs and NICs is foreign-supplied (Intel/AMD/NVIDIA) with only partial provenance disclosure -> opt2 (all-seal-4 factor). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: platform is open-source (OpenStack/Kubernetes), with a large majority of the stack integrated and maintained by EU (German) teams who contribute upstream -> opt4 (large majority maintained by EU teams). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software is controlled and built by EU-based teams in Germany; EU control and EU execution of the build/release pipeline -> opt4. |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | low | Few non-EU dependencies; foreign chips/GPUs are non-critical-substitutable hardware inputs documented at a high level, with EU-controlled software and DCs -> opt4 (few non-EU in non-critical services, documented). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | Running its own EU DCs with C5 Type 2/ISO 27001 supplier audits, most suppliers are auditable, beyond just the critical ones -> opt4 (most suppliers auditable). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | high | Standards-based and broadly compatible: Kubernetes, S3-compatible APIs, Apache Iceberg, OpenStack APIs and Terraform provider enable portability -> opt4. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Open standards (S3, Kubernetes, OTLP, Iceberg, OpenStack) are adopted as policy across most core services -> opt4. |
| SOV-6.3 | Open source availability | 4. Open source, significant EU contributions, restricted governance | 150/200 | SEAL-4 | medium | No foreign_core: platform is open-source-based (OpenStack/Kubernetes) with significant EU upstream contributions; governance of those projects is community-led rather than fully EU-controlled -> opt4 (open source, significant EU contributions, restricted governance). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Provides substantial public documentation, source-accessible technology and published architecture insight via docs and the OpenInfra community -> opt3 (some public insight). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | HPC/GPU capacity (e.g., the Lübbenau GPU build) is EU-hosted but runs on a foreign hardware/software stack (NVIDIA accelerators) -> opt2 (EU-hosted, foreign stack), seal 3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | BSI C5 Type 2 (one of the highest German cloud security standards) plus ISO 27001 and ISAE 3000 (SOC 2); mapped as high-assurance EU cloud cert / EAL3-equivalent per the answer key for an awarded SEAL-3 sovereign offer -> opt4 (EAL3), seal 3. (src: https://schwarz-digits.de/en/presse/archive/2024/c5-type-2-certificate-stackit-receives-confirmation-of-the-highest-security-standards-for-cloud-services) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | high | GDPR-compliant by design, BSI C5 Type 2, ISO 27001, ISAE 3000 (SOC 2) and ISAE 3402, all independently audited; positioned for NIS2/DORA in the EU -> opt5. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Security operations and incident handling are run by EU-based teams in Germany over the full lifecycle; no explicit ENISA/CSIRT real-time sharing for choice 5 -> opt4 (entire lifecycle by EU teams). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get direct access to monitoring/logging (OTLP, audit logs) with logs stored in EU (German) DCs; tamper-proof immutability not explicitly documented -> opt4 (full direct access, logs in EU). |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | Incident disclosure aligned with GDPR/NIS2 with monitored notification flows and SLAs as an EU provider; real-time CSIRT sharing not explicitly evidenced -> opt4. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | As operator of its own open-source-based stack in its own DCs, StackIT has high autonomy to schedule and deploy maintenance independently -> opt4. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights: as an awarded Cloud III SEAL-3 sovereign offer, the tender-grade terms provide full audit rights for the contracting authority and independent EU bodies -> opt5 (full independent audit by any entity). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | high | Published DC PUE values of 1.5, 1.3 and 1.2 (Ostermiething as low as 1.1) with an efficiency roadmap; best sites are below 1.5 with a clear improvement program -> opt3 (PUE < 1.5 + roadmap). (src: https://stackit.com/en/learn/knowledge/cloud/sustainability) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Sustainability messaging covers efficient operations and waste-heat reuse, with a documented hardware reuse/recycling program -> opt3 (documented program). |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | low | Schwarz Group publishes detailed sustainability reporting under EU methodology (energy, efficiency, renewable sourcing) covering StackIT DCs -> opt4 (detailed EU methodology). |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | All data centers are operated with certified green electricity in the EU (Germany/Austria), including on-site PV and renewable-only operation at new sites -> opt5. (src: https://stackit.com/en/learn/knowledge/cloud/sustainability) |