| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-2 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-2 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-2 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: Spanish company (Madrid), part of Spanish Grupo Aire; legal entity control entirely within the EU -> SOV-1.1 opt4. (src: https://www.stackscale.com/about-us/) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Owned by Grupo Aire whose PE backer is Ardian (France, EU); transfer to a non-EU sovereign entity unlikely, though PE-owned assets can be sold -> opt4. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | Small EU provider; roadmap influence mainly via standard voice-of-customer/account channels, no formal EU governance body documented -> opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Funding flows through Grupo Aire, backed by EU private equity (Ardian, France); majority EU-based funding, not entirely (PE structures may include non-EU LPs) -> opt4. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, data centers, staff and revenue concentrated in Spain/Netherlands/Portugal; economic contribution fully in the EU -> opt5. (src: https://www.stackscale.com/data-centers/) |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | Listed in pan-European federated infrastructure (Virtuora), but no named IPCEI-CIS or major EU strategic program participation; limited participation -> opt2. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets itself as EU sovereign infrastructure with renewable-energy positioning (action plan), but no measured achievements or dedicated sovereignty governance published -> opt2. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | medium | own_stack: self-owns its stack on Dell/AMD hardware in EU data centers operated by EU teams; could source alternatives or internalise key functions, but residual non-EU vendor dependency (Dell/AMD/VMware) -> opt4 'ability to source alternatives' (seal 2), not full autonomy. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Spanish entity within Grupo Aire; services governed exclusively under EU (Spanish/Dutch) law, no non-EU parent jurisdiction -> opt3 (seal 4). (src: https://www.stackscale.com/about-us/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | immunity structural-not-certified: fully EU-owned with no US/non-EU parent so structurally shielded from extraterritorial law, but lacks SecNumCloud/EUCS-High verified immunity -> opt4 'legal structures shielding' (seal 2 ceiling), consistent with the Spanish-provider basis. (src: https://www.stackscale.com/about-us/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: wholly EU-owned, no non-EU establishment, not subject to US CLOUD Act/FISA/PRC law; only EU legal process applies and requests would be rejected -> opt5 (seal 4). |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | EU-based provider with large majority of revenue in the EU; no export-control restrictions toward EU MSs, but no formally shielded offering documented -> opt3 (share of revenues >50% in EU). |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | medium | Own platform/orchestration developed by EU teams, but core dependencies (VMware virtualization, hardware firmware, OS) are non-EU IP; mixed origin -> opt3. |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | IP for own software sits under EU law, but underlying licensed platform/hardware IP held under non-EU (mainly US) law; mixed -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | IaaS/bare-metal/private cloud where customers run their own encryption; provider manages underlying infra and retains administrative access -> shared control with provider override -> opt3. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Provides monitoring/access logging consistent with ISO 27001, but logs are vendor-controlled and not independently real-time auditable -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | ENS-High plus ISO 27001/27018 mandate verified media-sanitisation controls with access logging, so deletion is technically verified with logs (uniform sovereign-operator basis, consistent with the cluster) -> opt4. (src: https://www.stackscale.com/about-us/) |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: all compute/storage data centers in EU/EEA (Madrid, Amsterdam, Spain/Portugal); EU-only with no third-country fallback for customer workloads -> opt5 (seal 4). (src: https://www.stackscale.com/data-centers/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope managed AI service (customers self-deploy on bare-metal); per key SOV-3.5 'no in-scope AI service -> opt4 (seal 3)', and consistent with the other Spanish provider with no AI service -> opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard IaaS/bare-metal with VMware/Proxmox/standard tooling, documented data export, no proprietary lock-in beyond common virtualization -> opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | eu_ops: entire stack operated by EU-based teams in Spain and the Netherlands; no critical operations delivered by non-EU teams -> opt5 (seal 4). |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering/operations staff in Spain (Madrid, Alicante) and Netherlands (Amsterdam); all-EU staff, no documented security-clearance program -> opt4 (seal 3). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | 24x7 support delivered from EU offices (Madrid/Amsterdam) by EU staff; no documented security clearances -> opt4 (seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation/knowledge maintained by EU teams; no published guarantee of EU-only repositories -> EU-primary with possible non-EU fallback -> opt3 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Subcontractors are EU colocation (Interxion/Equinix EU sites) and EU network; hardware vendors (Dell) non-EU but replaceable -> ability to source alternatives -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | Discloses use of Dell PowerEdge servers with AMD EPYC processors; as an ISO 27001 / ENS-High certified operator it provides component transparency to customers/auditors with exceptions (uniform sovereign-operator basis, consistent with the cluster) -> transparent with exceptions (opt3). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Servers (Dell) and CPUs (AMD/Intel) are foreign-manufactured but integrated and operated under ISO 27001 / ENS-High audited supply-chain controls (EU audit rights), matching the uniform key for EU sovereign providers -> mixed sourcing, EU audit rights (opt3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS and processor microcode from non-EU vendors (Dell/AMD/Intel); partial provenance disclosure -> opt2 (seal 4 per rubric). |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | low | foreign_core: own orchestration/platform maintained by EU teams, but the core virtualization software (VMware) is licensed non-EU tech; core/essential parts maintained by EU teams atop foreign software -> opt3 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Software/configuration for its own platform controlled and built by EU teams in Spain/Netherlands (EU control & execution); no formal EU policy-gate certification -> opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | A few non-EU dependencies in critical services (Dell/AMD hardware, VMware virtualization), documented; the rest of supply (DCs, network, ops) is EU -> opt3 (few non-EU critical, seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers are large auditable vendors (Dell, Interxion/Equinix) and ISO-certified facilities; partial supply-chain auditability, not a fully published chain -> opt3 (critical suppliers auditable, seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | IaaS/bare-metal with standard APIs and common virtualization formats offering partial openness/compatibility, not fully open-by-default -> opt3 (seal 2). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Uses standard protocols and virtualization formats (partial core adoption of open standards) without a published open-standards policy across all services -> opt3 (seal 2). |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | foreign_core: core platform/orchestration relies on proprietary VMware; customers can run open-source on top but the provider stack itself is not open source -> opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Provides some public insight into architecture (network design, DC setup, SLAs) via blog/docs, but not a large corpus or customer-contributable platform -> opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Offers high-performance bare-metal/GPU in EU data centers but the HPC/compute stack (AMD EPYC, foreign accelerators) is foreign; EU-hosted on a foreign stack -> opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds Spanish ENS High plus ISO 27001/27017/27018 and ISO 22301; per key, ENS-High is a high-assurance national cloud certification mapping to EAL3 (opt4), consistent with the other ENS-High Spanish providers. No SecNumCloud/EUCS-High/Common Criteria held -> opt4 (EAL3, seal 3). (src: https://www.stackscale.com/about-us/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Holds ISO 27001/27017/27018, ISO 22301 and ENS High, GDPR-compliant EU provider; partial compliance to most relevant EU regimes, NIS2/DORA-specific attestations not published -> opt4. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and incident handling run by EU-based teams (Spain/Netherlands) on EU infrastructure, full lifecycle by EU teams; no formal ENISA threat-intel sharing documented -> opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers have direct access to monitoring/logs with EU-hosted logging in its EU DCs (ENS-High mandates security-log access/traceability); immutable tamper-proof logging not explicitly documented -> full direct access, logs stored in EU (opt4), consistent with the cluster. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | EU provider following GDPR/NIS2-aligned breach-notification obligations; moderate compliance without documented real-time CSIRT sharing -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operates its own infrastructure and can schedule maintenance/patching with notice and testing as an independent EU operator -> moderate autonomy -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | low | audit_rights: the ENS-High sovereign offer for Spanish public administration implies tender-grade full audit rights for the contracting authority and independent EU bodies (uniform basis with the cluster's ENS-High/ACN-qualified members) -> full independent audit (opt5). (src: https://www.stackscale.com/about-us/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Claims low PUE with free-cooling and efficiency programs in modern EU data centers (Interxion/Equinix), but no specific verified figure published; consistent with PUE <1.5 + roadmap -> opt3 (seal 4). (src: https://www.stackscale.com/data-centers/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Holds ISO 14001 environmental-management certification, entailing a documented program covering equipment lifecycle/recycling -> opt3 documented program (seal 3). (src: https://www.stackscale.com/about-us/) |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Holds ISO 14001 environmental management (which mandates periodic environmental-performance reporting/review); annual-report-level reporting rather than a fully EU-audited methodology -> annual report (opt3, seal 2). (src: https://www.stackscale.com/about-us/) |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | medium | EU data centers rely on renewable energy with free cooling; only EU energy supplies with high renewable content, not certified exclusively green -> opt4 (seal 4). (src: https://www.stackscale.com/data-centers/) |