| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-1 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | foreign_parent (Vultr = The Constant Company, LLC, US-incorporated, West Palm Beach FL); controlling entity entirely outside the EU -> SOV-1.1 opt1. (src: https://www.vultr.com/company/) |
| SOV-1.2 | Change of control risk | 3. Somewhat likely takeover/transfer to non-EU sovereign entity | 63/125 | SEAL-4 | low | Took first outside capital (LuminArx, AMD Ventures) Dec 2024 at $3.5B; venture-backed US firm, realistic acquisition target amid AI-cloud consolidation, any change of control stays non-EU. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap set by US parent and strategic investor AMD; EU customers have only voice-of-the-customer channels, no governance bodies giving EU actors influence -> opt2 (seal 2). |
| SOV-1.4 | Financial independence from non-EU capital | 2. Mostly relying on non-EU funding | 31/125 | SEAL-4 | high | Dec 2024 raised $333M from US investors LuminArx Capital and AMD Ventures; relies mostly on non-EU funding. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | low | US-HQ global business with some EU data-centre spend/revenue, but HQ, R&D and profits accrue outside the EU -> Some EU contribution. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No clear participation in EU strategic programs (Gaia-X, IPCEI-CIS); positioned as a US 'alternative hyperscaler'. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No action plan/governance aligning the company with EU industrial strategies; strategy driven by US AI-cloud expansion. |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | Not own_stack (depends on US chip vendors and a US-controlled control plane), but a standard IaaS with documented data-export tooling and contractual terms under which the service could continue temporarily after a cut-off rather than shutting down immediately -> opt3 (seal 2), consistent with US commodity-IaaS peers. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | EU customers contract under a GDPR DPA/SCCs while the contracting entity and parent are US (Florida-law ToS); primary jurisdiction is therefore mixed EU/non-EU rather than exclusively EU -> opt2. (src: https://www.vultr.com/legal/eea-gdpr-privacy/) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | No immunity (US company, no SecNumCloud/EUCS-High, no EU trustee structure); DPA/SCC mitigation clauses exist but exposure to US extraterritorial law (CLOUD Act, FISA 702) remains -> opt2. |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent: under US CLOUD Act a US provider can be compelled to produce data, with gag provisions in specific cases -> opt2; key caps data-access at seal 1. |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | US entity subject to US export-control/OFAC regimes that can restrict access for specific sanctioned EU citizens/orgs, but no EU Member State is under restriction and EU revenue is not a >50% majority -> opt2. |
| SOV-2.5 | Origin of IP | 2. Mostly outside the EU | 42/167 | SEAL-4 | medium | Proprietary control-plane IP developed by the US company; uses open-source components but core IP originates mostly outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | medium | IP held by the single US entity The Constant Company, LLC under non-EU (US) law, single country -> opt1. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | medium | Standard IaaS; provider manages platform encryption and could access guest storage; customer can self-manage in-guest keys but control is primarily provider's -> opt2. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Vendor-controlled activity/audit logs and monitoring portal exist but are not real-time independently auditable oversight of all provider access -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows internal policy with platform wiping; no published independently verifiable proof-of-erasure for customers -> opt3 (policy-only). |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | No eu_exclusive sovereign offer in the default IaaS, but data uploaded to a chosen EU region (Amsterdam, Frankfurt, Paris, Madrid, Milan, Stockholm, Warsaw) stays in that region: EU-by-default with tightly controlled exceptions rather than a contractual no-third-country guarantee -> opt4 (seal 1). (src: https://www.vultr.com/features/datacenter-regions/) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | high | AI/GPU offering built on US NVIDIA/AMD accelerators and licensed model stacks (NVIDIA Nemotron/Dynamo); mostly non-EU, licensed AI + chip dependency -> opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard documented data-export methods and compatible APIs/snapshots; no formal sovereign-migration program -> opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | medium | No eu_ops at platform level: critical operations, engineering and control plane run by the US parent's global teams, not EU teams -> opt1 (seal 1). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | low | Engineering/operations skills sit mainly in the US/global org; only a minority of relevant staff are EU-based -> opt2. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | Support delivered globally 24x7 from the US-led org, majority of support capacity outside the EU -> opt2. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge bases are global/US-hosted; EU residency is optional and not enforced -> opt2 (seal 2), consistent with US commodity-IaaS peers. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | Relies on non-EU subcontractors/suppliers (US chip vendors, global facilities); a forced cut-off stops service after a delay rather than allowing continuity -> opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Hardware built from US/Asian components (AMD, NVIDIA, Broadcom, Juniper); only partial public provenance disclosure, no EU-certified provenance -> opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Servers/accelerators manufactured outside the EU (US-designed chips, Asian fab) with partial disclosure; not built/designed by EU teams -> opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode from foreign OEM and chip vendors (AMD, NVIDIA) with partial disclosure, no EU-certified provenance. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | medium | Core control-plane software is the US company's proprietary stack (foreign origin) with limited disclosure; not maintained by EU teams -> opt2 (seal 2). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | low | Software build and release controlled and executed by the US engineering org; no EU control or EU policy gates -> opt1. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | low | Critical dependencies (US chip vendors, US-controlled control plane and facilities ops) mostly non-EU and not comprehensively documented for EU customers -> opt2. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers disclosed via sub-processor list, but the broader hardware/firmware supply chain is not independently auditable by customers -> opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces (standard Linux VMs, S3-compatible object storage, Kubernetes, public REST API) despite proprietary control plane -> opt4. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Adopts common open standards for several core services (S3 API, Kubernetes, standard hypervisor images) but no published policy mandating open standards across all services -> opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | Platform/control plane vendor-controlled and closed-source; uses/exposes open-source tooling but core service code is not open source -> opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Some public insight via docs, blogs and trust center, but no deep architectural transparency or customer ability to inspect/adapt internals -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | GPU/HPC clusters hosted in EU regions but built entirely on foreign (US) NVIDIA/AMD stacks; EU-hosted on a foreign stack -> opt2 (seal 3), consistent with US commodity-IaaS peers. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | high | No SecNumCloud/EUCS-High/Common Criteria EAL, but holds ISO 27001/27017/27018, SOC 1/2, PCI DSS and HIPAA; per the key's cert map ISO 27001 + SOC 2 -> EAL2-equivalent -> opt3 (seal 2). (src: https://www.vultr.com/legal/compliance/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | GDPR alignment via DPAs/sub-processor controls plus ISO/SOC attestations and an independent DORA assessment, but no full independently-audited NIS2/DORA -> moderate compliance opt3. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Security operations/incident response run by the global US-led org; at best hybrid EU/non-EU, not an EU-only SOC lifecycle -> opt2. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get a basic monitoring/logging portal and activity logs, not full direct access with EU-stored immutable logs -> opt3 (basic monitoring portal). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Incident disclosure aligned with GDPR/NIS2-style breach notification via DPAs, without published real-time CSIRT/SLA flows -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | As IaaS the customer controls guest patching with notice/testing for platform maintenance, except emergency/zero-day fixes pushed by the provider -> moderate autonomy opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | high | No audit_rights: assurance only via vendor SOC 2/ISO reports under NDA; customers cannot perform full independent audits -> opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Operates in modern data centres with reported annualised PUE around 1.15 (e.g. Sabey hydropower sites): PUE well under 1.5 with an efficiency focus -> opt3. (src: https://www.businesswire.com/news/home/20240305527534/en/Vultr-Expands-Footprint-with-New-NVIDIA-Cloud-GPU-Capacity-Using-Clean-Renewable-Hydropower-in-Sabey-Data-Centers) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Hardware lifecycle is handled via Vultr's colocation partners (e.g. Sabey), whose documented circular/recycling and net-zero programs provide a documented hardware-lifecycle program -> opt3, consistent with US commodity-IaaS peers. (src: https://www.businesswire.com/news/home/20240305527534/en/Vultr-Expands-Footprint-with-New-NVIDIA-Cloud-GPU-Capacity-Using-Clean-Renewable-Hydropower-in-Sabey-Data-Centers) |
| SOV-8.3 | Environmental impact reporting | 1. No reporting | 0/250 | SEAL-1 | low | No public environmental-impact or sustainability report from Vultr/The Constant Company itself (genuine gap vs peers that publish annual reports) -> opt1. |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Global footprint across six continents means a mix of EU and non-EU energy supplies; no traceable EU-only or green-EU commitment published -> opt3. |