| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | UpCloud Oy is incorporated and headquartered in Helsinki, Finland; the group's parent and all customer contracts sit with the Finnish (EU) entity. Non-EU data centres are run by separated subsidiaries (e.g. UpCloud USA Inc), but legal entity control is entirely EU. (src: https://upcloud.com/european-data-sovereignty/) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Founder-led independent Finnish company backed by EU/Finnish VCs (Inventure, Connected Capital) and the Finnish state investor Tesi; no controlling non-EU shareholder. As a VC-backed scale-up a future trade sale is conceivable, so takeover is unlikely rather than very unlikely. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | As a privately held vendor the roadmap is controlled internally; customers influence it through standard product feedback / voice-of-customer channels rather than formal EU governance bodies. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Funding comes from EU/Finnish investors (Inventure, Connected Capital) plus the Finnish state fund Tesi; majority EU-based capital with no dominant non-EU investor. |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | HQ, R&D, engineering and most jobs are in Finland and the EU, with the majority of revenue from European customers; some economic activity tied to non-EU regions (US, APAC) keeps it short of fully-EU. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | CISPE member and active in the European sovereign-cloud / sovereign-AI conversation (e.g. Cloud2 partnership), but no documented role in flagship EU strategic programmes like Gaia-X labels or IPCEI-CIS. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets itself explicitly as the European sovereign alternative to hyperscalers with concrete CLOUD-Act-mitigating corporate structure and CISPE commitment; an articulated action plan but not measured/governed achievement of EU industrial strategy. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: vertically integrated EU provider running its own software stack on owned/colocated EU data centres with in-house teams and a documented continuity/exit plan; only residual foreign-chip hardware dependency -> key 1.8 own_stack -> opt5 'Full autonomy and continuity'. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | All customers worldwide are contracted by the Finnish entity UpCloud Oy under EU/Finnish law; the customer legal relationship is exclusively EU. (src: https://upcloud.com/european-data-sovereignty/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | Structural separation but no certified immunity (no SecNumCloud 3.2 / EUCS-High) and a real non-EU operational nexus (UpCloud USA Inc, non-EU DCs) -> not the immunity flag -> key 2.2 opt4 'Legal structures shielding' (seal 2). This is a SEAL-2 ceiling, analogous to S3NS. |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: the Finnish EU parent is not a US person, holds EU-stored data outside US 'possession/custody/control', and commits to reject non-EU compelled-access requests -> key 2.3 (no foreign_parent) -> opt5 'Requests always rejected'. (src: https://upcloud.com/european-data-sovereignty/) |
| SOV-2.4 | Export control restrictions | 4. Part of offer shielded from restrictions towards EU MSs | 125/167 | SEAL-3 | low | EU-owned provider, majority of revenue in Europe, no export-control restrictions toward EU member states; part of the offer is shielded toward EU MSs, though non-EU regions and the US subsidiary leave residual exposure -> key 2.4 opt4 'Part of offer shielded' (seal 3). (src: https://upcloud.com/european-data-sovereignty/) |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform software (MaxIOPS storage, control plane) is designed and owned by the Finnish company, so the operationally critical IP is mostly EU-origin; underlying hardware/firmware IP is foreign. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | The company's own IP is held by the Finnish parent under EU law. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | low | As an IaaS provider, storage/server encryption is primarily provider-managed; customers can bring their own encryption inside their instances but UpCloud does not market customer-exclusive, provider-cannot-read key custody by default. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Provides API/usage and audit logging to customers but not independently auditable real-time access oversight; logs are vendor-controlled. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001 processes cover data handling and deletion per policy, with internal validation, but no published independently verified proof-of-erasure mechanism. |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | Not eu_exclusive: the same product offers third-country regions (UK, US (Chicago/NY/San Jose), Singapore, Sydney) alongside EU/EEA regions; customers can opt into EU-only but there is no contractual no-third-country-fallback guarantee -> key 3.4 opt4 'EU by default, tightly controlled exceptions' (seal 1). Gating floor. (src: https://upcloud.com/data-centers/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | No managed (black-box) AI service: GPU IaaS is EU-hostable and customers run their own open/auditable models on foreign NVIDIA accelerators, so no foreign-AI lock-in -> key judgment-call (no in-scope foreign AI dependency / EU-led AI on foreign accelerators) -> opt4 (seal 3), consistent with the OpenStack Nordic peers. (src: https://upcloud.com/data-centers/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standard open APIs, documented data export, and S3-compatible object storage plus migration guidance; portability is well supported on standards-based interfaces. |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | eu_ops (predominantly): core operations, SRE and engineering run by the Helsinki in-house team, predominantly EU-based though with some global staff -> key 4.2 eu_ops -> opt4 'predominantly EU-based teams' (seal 3). |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | low | Engineering and key skills are concentrated in Finland with an international team; majority EU with some escalation/staff abroad. |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | medium | In-house 24/7 support is centred in Helsinki; round-the-clock coverage implies some non-EU follow-the-sun escalation, so majority-EU with non-EU escalations. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation and knowledge are EU-primary (Helsinki HQ owns product/engineering docs), with global team access acting as a non-EU fallback. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Runs its own stack on owned/colocated infrastructure and can source alternative suppliers or internalise functions if a subcontractor is lost; depends on hardware vendors but not a single irreplaceable non-EU operator. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Server hardware (Intel/AMD CPUs, NVIDIA GPUs) is foreign-sourced; UpCloud discloses some hardware/lifecycle info in sustainability reporting but does not provide a full certified component bill of materials. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Compute hardware is manufactured by non-EU vendors (US/Asia) and assembled into UpCloud's design; foreign-origin with only partial disclosure. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode on CPUs, GPUs and NICs comes from foreign vendors with limited provenance disclosure typical of any IaaS operator. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | NOT foreign_core: platform software (custom hypervisor integration, MaxIOPS storage, control/API plane) is EU-designed and maintained in-house, running atop open-source Linux/KVM (no licensed Google/MS/AWS core) -> key 5.4 EU-maintained core -> opt4 'Large majority maintained by EU teams' (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Software is developed and released by the Helsinki engineering team, i.e. EU control and EU execution; no evidence of formal EU policy gates/certified release controls. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Critical dependence on non-EU hardware vendors (Intel/AMD/NVIDIA) remains, though these are documented and substitutable; the operational and legal stack is otherwise EU-controlled. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | ISO 27001 and CISPE entail supplier controls so critical suppliers are auditable, but there is no published full supply-chain transparency for all suppliers. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces: REST API, S3-compatible object storage, Terraform/Kubernetes integrations and standard Linux images enable portability. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | low | Adopts open standards (S3 API, OpenAPI, Kubernetes, standard VM images) across most core services as a matter of practice. |
| SOV-6.3 | Open source availability | 1. Fully closed-source, vendor-controlled | 0/200 | SEAL-2 | medium | Core platform is proprietary and vendor-controlled (open-source client tools/SDKs only); not foreign_core, so seal is the closed-source-EU floor -> key 6.3 opt1 'Fully closed-source, vendor-controlled' (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Provides public documentation, architecture/performance blogs and benchmarks giving some public insight into the service architecture, but not customer-modifiable internals. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | GPU/accelerated compute is EU-hosted but built entirely on a foreign stack (NVIDIA GPUs and CUDA), with no EU HPC processor IP. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | medium | Holds ISO 27001 (plus data-centre certs) and the CISPE Code of Conduct; no verifiable SOC 2 attestation and no SecNumCloud/EUCS/C5/ENS-High or Common Criteria EAL -> key 7.1 'ISO 27001 only -> opt2' (EAL1-equiv, seal 1), consistent with the other Nordic ISO-only IaaS providers. Caps the SEAL. (src: https://upcloud.com/global/blog/gdpr-iso-27001-cispe-guide-european-compliance/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR-compliant, ISO 27001 certified and a CISPE Code of Conduct member, addressing EU Data Act; broad compliance with most EU regulation, but no evidence of full independently audited DORA/NIS2 conformity across the board. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and incident handling are run by the in-house Helsinki team within the EU; no documented ENISA/CSIRT information-sharing membership to reach the top tier. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get monitoring and API access plus logs but not full immutable tamper-proof customer-controlled log custody; a basic monitoring/portal level. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Incident disclosure follows GDPR/NIS2-aligned breach-notification obligations as an EU operator, without published real-time CSIRT sharing or SLA-backed flows. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | low | Operates its own platform and can deploy maintenance/patches independently on its own schedule without third-party vendor approval; high maintenance autonomy. |
| SOV-7.7 | Auditability | 3. Partial independent control | 72/143 | SEAL-1 | low | No audit_rights flag: audits available only via UpCloud's ISO 27001 / CISPE certification bodies, not a SecNumCloud-grade contractual full-audit right for the contracting authority and independent EU bodies -> key 7.7 (audits only via cert bodies) -> opt3 'Partial independent control' (seal 1). Gating floor. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | medium | Best facilities (Norway) reach PUE as low as ~1.2 and the company publishes efficiency improvements with a roadmap, but the fleet average is higher than 1.3, so PUE<1.5 with roadmap fits the whole estate. |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Has identified hardware purchases as its largest footprint and is implementing hardware lifecycle management; a documented program rather than a fully EU-certified circular lifecycle. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Publishes sustainability/environmental information including renewable share and PUE figures, consistent with regular reporting, but not detailed EU-methodology or independently audited disclosures. |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | medium | Around 70% of data centres run on renewable energy (Norway 100% hydro) with the rest a mix; an EU-located but mixed renewable/non-renewable energy supply. (src: https://upcloud.com/data-centers/) |