| SOV-1 Strategic Sovereignty | SEAL-0 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-0 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-0 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-1 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | non-EU HQ (Vercel Inc., California; US company) -> SOV-1.1 opt1; no EU entity exercises control (src: https://vercel.com/legal/terms). |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Already US-owned/controlled, so a transfer FROM EU TO a non-EU entity is not applicable; 'very unlikely' fits (all-seal-4 factor, choice retained). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | foreign-set roadmap (US leadership) -> SOV-1.3 opt2; EU customers influence only via public feedback channels, no EU governance body. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Funding (~$863M) overwhelmingly US/global VC (Accel, CRV, Tiger Global, GV, Khosla, General Catalyst); no EU capital control (all-seal-4 factor). |
| SOV-1.5 | EU economic contribution | 1. Minimal | 0/125 | SEAL-4 | medium | R&D, headcount and economic activity concentrated in the US; EU contribution minimal (all-seal-4 factor). |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No participation in EU strategic programs (Gaia-X, IPCEI-CIS) (all-seal-4 factor). |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No action plan/governance aligned with EU industrial/sovereignty strategies; US commercial PaaS (all-seal-4 factor). |
| SOV-1.8 | Resilience to cut-off | 2. Service would stop, with delay for customer reaction | 31/125 | SEAL-0 | medium | no own_stack: PaaS on non-EU hyperscalers (AWS/Azure/GCP) whose withdrawal halts the service -> SOV-1.8 opt2 (seal 0); customers get only a delay to migrate. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | Contract under US (Delaware/California) law only -> SOV-2.1 opt1 (non-EU only, seal 1) (src: https://vercel.com/legal/terms). |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | no immunity: US company fully exposed to CLOUD Act/FISA 702; DPA/SCC mitigation clauses but residual exposure remains -> SOV-2.2 opt2 (seal 1) (src: https://vercel.com/legal/dpa). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | consistency (cluster norm 2.3=opt2): foreign US parent under CLOUD Act/FISA can compel access (incl. EU-region data, Schrems II) without notification in specific national-security cases (gag orders) -> opt2 (seal 1); caps SEAL at 1. |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | consistency (cluster norm 2.4=opt2): subject to US export controls (EAR/OFAC), no EU-MS shielding and no >50% EU revenue dominance -> opt2 (seal 1). |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core IP (Vercel platform, Next.js, Turbopack, AI SDK) created and owned by US-based Vercel Inc.; entirely outside EU (all-seal-4 factor). |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | IP held by Vercel Inc. under US law, single non-EU country -> SOV-2.6 opt1 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 1. Provider only | 0/200 | SEAL-0 | high | Provider-managed AES-256 keys, no customer-managed/BYOK -> SOV-3.1 opt1 (provider can decrypt, seal 0). |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | medium | Audit/observability logs and Trust Center exist but data-access logs are vendor-controlled, not real-time customer-auditable -> SOV-3.2 opt3 (seal 2). |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows internal GDPR-aligned policy with no independently verifiable cryptographic erasure proof -> SOV-3.3 opt3 (policy-only, seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | no eu_exclusive: default region is US (iad1), data runs on US hyperscalers with third-country processing/fallback under SCCs (not EU-default) -> SOV-3.4 opt2 (partly EU, significant third-country reliance, seal 0). US PaaS without EU-exclusivity guarantee (src: https://vercel.com/docs/regions). |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | high | AI Gateway/AI SDK route to mostly non-EU proprietary models (OpenAI, Anthropic, Google, xAI, Meta) on foreign accelerators -> SOV-3.5 opt2 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard documented export via Git source, CLI and APIs on open frameworks (Next.js) -> SOV-4.1 opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | high | no eu_ops: critical platform ops/SRE run by US-centric global teams on US hyperscaler infra -> SOV-4.2 opt1 (seal 1). |
| SOV-4.3 | Skill availability in the EU | 1. Global team, mainly non-EU | 0/167 | SEAL-1 | medium | Engineering/ops is a global, predominantly US team; EU staffing a minority -> SOV-4.3 opt1 (seal 1). |
| SOV-4.4 | Support channels | 1. Global, majority outside EU | 0/167 | SEAL-1 | medium | Support delivered globally, majority of staff/coverage outside EU (US-centric follow-the-sun) -> SOV-4.4 opt1 (seal 1). |
| SOV-4.5 | Documentation & knowledge transfer | 1. Global/non-EU exposure | 0/167 | SEAL-0 | medium | Documentation/knowledge repos are global/US-hosted (platform + GitHub) with no EU-only guarantee -> SOV-4.5 opt1 (global/non-EU exposure, seal 0). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | medium | Core subcontractors (AWS/Azure/GCP) are non-EU US hyperscalers; cut-off stops service after a delay, not readily substitutable in place -> SOV-4.6 opt2 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 1. No disclosure | 0/143 | SEAL-1 | medium | Vercel owns no hardware; physical component origin sits with US hyperscalers, undisclosed -> SOV-5.1 opt1 (no disclosure, seal 1). |
| SOV-5.2 | Manufacturing location | 1. Fully foreign, black box | 0/143 | SEAL-1 | medium | Underlying hardware manufactured by foreign (US/Asian) vendors via hyperscalers; foreign black box -> SOV-5.2 opt1 (seal 1). |
| SOV-5.3 | Embedded code/firmware provenance | 1. No disclosure | 0/143 | SEAL-4 | low | Firmware/embedded-code provenance of underlying hyperscaler hardware undisclosed -> SOV-5.3 opt1 (all-seal-4 factor). |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | high | Platform software designed/maintained by US-based Vercel (foreign origin); developer-facing stack (Next.js, Turbopack, AI SDK) is open-source MIT giving partial disclosure -> SOV-5.4 opt2 (seal 2). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | high | Software build/release controlled and executed by US-based Vercel engineering -> SOV-5.5 opt1 (non-EU control & execution, seal 1). |
| SOV-5.6 | Single point of dependency | 1. Only non-EU vendors/facilities | 0/143 | SEAL-1 | high | Critical dependency on non-EU vendors/facilities (AWS/Azure/GCP and Vercel Inc.); no EU vendor on the critical path -> SOV-5.6 opt1 (seal 1). |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some subprocessors disclosed via Trust Center and SOC 2/ISO audits, but full customer supply-chain auditability is limited -> SOV-5.7 opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces (Git, HTTP/REST, OpenAI-compatible AI Gateway) on open frameworks -> SOV-6.1 opt4 (seal 3). |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Most core developer services use open standards (Web/HTTP, React/Next.js, OCI-style builds, open AI SDK) as product policy -> SOV-6.2 opt4 (seal 3). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | high | Flagship software (Next.js, Turbopack, AI SDK) fully open-source MIT but governance centralised within US Vercel; hosting platform proprietary -> SOV-6.3 opt3 (open-source centralised governance, seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Extensive public docs, architecture/engineering blogs and open-source code give substantial public insight -> SOV-6.4 opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 1. Imported black-box HPC | 0/200 | SEAL-0 | low | No EU-sovereign HPC; heavy compute/AI acceleration relies on imported black-box hyperscaler/GPU infrastructure -> SOV-6.5 opt1 (imported black-box HPC, seal 0). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | high | certs: ISO 27001:2022 + SOC 2 Type II (+PCI DSS, HIPAA; no SecNumCloud/EUCS/C5/Common Criteria EAL); per key ISO 27001 + SOC 2 maps to opt3 (EAL2-equiv, seal 2) (src: https://vercel.com/docs/security/compliance). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | GDPR-compliant with DPA/SCCs, EU-US DPF, SOC 2 Type II and ISO 27001:2022; partial compliance to most EU regimes, no independently-audited NIS2/DORA -> SOV-7.2 opt4 (all-seal-4 factor). |
| SOV-7.3 | EU-based SOC & incident handling | 1. SOC/IR outside EU | 0/143 | SEAL-1 | low | consistency (US-centric cluster norm): SecOps/IR run by US-based team, no dedicated EU SOC -> opt1 (SOC outside EU, seal 1). |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | medium | consistency (cluster norm 7.4=opt3): customers get a logs/observability monitoring portal but Vercel retains primary control and logs are not guaranteed EU-resident/immutable -> opt3 (basic monitoring portal, seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Breach notification aligned with GDPR/contractual SLAs (moderate, not real-time CSIRT) -> SOV-7.5 opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 2. Limited autonomy (vendor schedules) | 36/143 | SEAL-1 | low | Managed PaaS: Vercel schedules/applies platform updates, customers control only their own deployments -> SOV-7.6 opt2 (vendor-scheduled, seal 1). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | no audit_rights: independent auditability limited to attestation reports (SOC 2, ISO) and Trust Center requests; no unrestricted independent audit -> SOV-7.7 opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Runs on hyperscaler data centers (AWS/Azure/GCP) with PUE typically <1.5 plus roadmaps; Vercel publishes no PUE, inferred from infra -> SOV-8.1 opt3 (seal 4) (src: https://sustainability.aboutamazon.com/products-services/aws-cloud). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | consistency (hyperscaler-PaaS cluster norm 8.2=opt3): hardware reuse/recycling handled by the underlying hyperscalers' documented circular-economy programs which Vercel inherits -> opt3 (documented program) (src: https://sustainability.aboutamazon.com/products-services/aws-cloud). |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | Only basic environmental info, no detailed audited sustainability report of its own; inherits hyperscaler disclosures -> SOV-8.3 opt2 (seal 1). |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Energy supply follows underlying hyperscaler regions, a mix of EU and non-EU sources, no EU-only guarantee for Vercel's footprint (all-seal-4 factor). |