| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-0 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: World4You Internet Services GmbH (Linz, part of the group since 2018) -> IONOS Group SE (Montabaur, DE) -> United Internet AG (German-listed, controlled by German national R. Dommermuth ~51-54%); entire control chain within the EU -> opt4. (src: https://www.ionos-group.com/brands/world4you.html) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | US PE Warburg Pincus fully exited IONOS in March 2025; majority German ownership (United Internet ~64% of IONOS, Dommermuth majority of United Internet). Publicly traded so a non-EU takeover is possible but unlikely -> opt4. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | A commercial Austrian webhost with no published governance bodies; customers influence the roadmap only through voice-of-customer support/feedback channels -> opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Funding flows from EU parent United Internet AG (German capital); Warburg Pincus (US) fully exited in 2025, so majority of funding is EU-based with residual free-float possibly non-EU -> opt4. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, staff, data centres and customer base are entirely in Austria; economic contribution fully within the EU -> opt5. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No evidence of participation in EU strategic programs (Gaia-X, IPCEI-CIS); commercial Austrian webhost without disclosed strategic-program involvement -> opt1. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | low | No published formal action plan or governance aligned to EU industrial strategies; sovereignty positioning limited to GDPR/EU-hosting marketing -> opt1. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | low | Runs own Austrian DCs on commodity x86 + open-source virtualization (Proxmox/KVM), so it could source alternatives or internalise; but real non-EU deps (Plesk, chips) and no documented exit/continuity plan, so not full autonomy -> opt4 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Austrian GmbH, Austrian DCs (Linz, Wels, Vienna/Voesendorf), EU-only server locations; service governed exclusively by Austrian/EU law -> opt3. (src: https://www.world4you.com/en) |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity (pure-EU entity, no non-EU parent/subsidiary/operational nexus after the March 2025 Warburg Pincus exit; control chain wholly German/EU) -> non-EU laws genuinely unenforceable -> opt5. (src: https://www.ionos-group.com/brands/world4you.html) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent and immunity hold: not subject to US CLOUD Act/FISA/PRC compelled access; only EU/Austrian legal process applies, requests rejected -> opt5. (src: https://www.ionos-group.com/brands/world4you.html) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | medium | EU-only operator with effectively all revenue in the EU/Austria (>50% EU); no specific shielding of the offer against export controls -> opt3. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | low | Core operations mix EU-maintained config with widely-used third-party software (Linux open source, Plesk of non-EU origin); IP mixed within/outside the EU -> opt3. |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | Provider-developed IP under EU/Austrian law, but underlying third-party stack held under mixed (partly non-EU) licences -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | low | Shared/managed webhosting and vServers; keys are primarily provider-controlled with no advertised customer-held-key (HYOK/BYOK) option -> opt2. |
| SOV-3.2 | Transparent data flows & access logs | 2. Basic incomplete logs | 50/200 | SEAL-1 | low | Basic access/activity logs to customers but no documented real-time, independently auditable data-flow visibility -> opt2. |
| SOV-3.3 | Secure deletion & proof of erasure | 2. Manual confirmation only | 50/200 | SEAL-1 | low | Data deletion offered on request/cancellation but no published cryptographic proof or independent verification of irreversible erasure -> opt2. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: server locations explicitly EU-only, geo-redundant across own Austrian DCs (Linz, Wels, Vienna/Voesendorf); no third-country fallback -> opt5. (src: https://www.world4you.com/en) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope AI service offered, so no foreign-AI dependency to penalise; per key 'no in-scope AI -> opt4 (seal 3)'. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard hosting/server platform with documented data export (file/database backups, standard protocols); portability via documented methods, no formal migration service -> opt3. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | eu_ops: entire stack operated by World4You's own Austrian teams in Austrian DCs, no reliance on non-EU operations teams -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | All engineering/operations staff EU-based (Linz, Vienna); no documented security-clearance regime -> opt4. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support provided from Austria (German/English); all support staff EU-based, no security clearances -> opt4. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Austrian operator; documentation and knowledge repositories EU-based with no non-EU exposure, though EU-only end-to-end not formally certified -> opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Core subcontractors (DCs, connectivity) Austrian/EU; on supply disruption could source alternatives or internalise, though foreign hardware vendors remain a factor -> opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Commodity x86 servers (Intel/AMD) with no published bill-of-materials; component provenance only partially disclosed -> opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Server hardware manufactured by foreign OEMs/chipmakers (Intel/AMD, Asian/US fabs); foreign origin with at most partial disclosure -> opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in CPUs, BMCs and NICs from foreign vendors with no published provenance; partial disclosure at best -> opt2. |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | low | No foreign_core: platform built on open-source software (Debian/Linux, KVM/Proxmox) with EU teams maintaining core integration/operations; some non-EU components (Plesk) -> opt3 (core maintained by EU teams). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Provider's platform configuration and releases controlled and executed by its Austrian (EU) teams; upstream software built elsewhere but operational build/release control is EU -> opt4. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Critical infrastructure (DCs, network) EU-based, but a few non-EU vendors (CPU/hardware OEMs, Plesk control-panel software) embedded in critical services with limited documentation -> opt3. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | No published supply-chain transparency program; only some suppliers (own EU DCs) auditable, hardware supply chains opaque -> opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | low | Built on standards-based, broadly compatible technologies (Linux, standard web/email protocols, SSH/FTP, REST/Plesk APIs); broadly interoperable but not open-by-default with guaranteed portability -> opt4. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | low | Core services rely on open internet standards (HTTP(S), IMAP/SMTP, DNS, TLS) across most services, though no formal published open-standards policy -> opt4. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | low | No foreign_core: stack heavily open source (Debian/Linux, KVM/Proxmox, ownCloud) but governance centralised by vendor and proprietary management layer not open -> opt3 (open source, centralised governance). |
| SOV-6.4 | Service architecture transparency | 2. Insight accessible during audits | 50/200 | SEAL-2 | low | Limited public architectural insight beyond marketing and DC descriptions; deeper insight only under audit/NDA -> opt2. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No in-scope HPC offering; per key 'no in-scope HPC -> opt2 (seal 3)'; any GPU capability would be EU-hosted foreign stack -> opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 1. EAL0 / none | 0/143 | SEAL-1 | low | No security certification published under World4You itself (no ISO 27001, no SecNumCloud/EUCS/C5/ENS); effectively EAL0/none -> opt1 (seal 1). (src: https://www.datacenters.com/providers/world4you-internet-services-gmbh) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | Demonstrates GDPR compliance (DPA/AVV, EU-only server locations, free SSL) but no published independent NIS2/DORA audit; moderate compliance -> opt3. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | 24/7 monitoring and incident handling run by own Austrian teams; full lifecycle EU-based, though no formal ENISA/CSIRT sharing documented -> opt4. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get a basic monitoring/management portal with some logs; no documented full direct access to immutable security logs -> opt3. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Subject to GDPR/NIS2 breach-notification obligations as an Austrian provider; moderate, regulation-aligned disclosure without published real-time CSIRT sharing -> opt3. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operates own infrastructure with moderate maintenance autonomy (scheduled patching/notice with testing), dependent on upstream vendor patches for OS/hardware firmware -> opt3. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: no published independent third-party audit/certification (no ISO 27001) and no sovereign-offer terms implying full contractual audit rights; independent audit access limited -> opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 2. PUE < 3 | 63/250 | SEAL-1 | low | Modern Austrian DCs with redundant cooling/power but no published PUE figure; treated conservatively as managed but unverified (PUE < 3) -> opt2. (src: https://www.world4you.com/en) |
| SOV-8.2 | Hardware reuse & recycling | 2. Basic circular practices | 63/250 | SEAL-0 | low | No published hardware reuse/recycling program; at most basic circular practices implied for an operator of its own DCs -> opt2. |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | Markets 100% green energy but publishes no formal annual environmental-impact report with EU methodology; basic reporting only -> opt2. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | medium | Explicitly states Austrian DCs run on 100% green energy (renewable electricity since 2021, Green Web Foundation partner); only green EU energy supplies -> opt5. (src: https://www.world4you.com/en) |