“Sovereign” has become a marketing word, which makes it useless for deciding anything. So here is a concrete test. Run your current setup through these twelve checks. They take five minutes, need no email, and will tell you honestly how much of your stack is genuinely under your control — versus merely hosted in the right place.
The 12-point self-check
For each point, a confident “yes” is a good sign. A “no” or “not sure” is where your exposure lives.
- 1. Provider jurisdiction — is every provider holding your data incorporated under a jurisdiction you trust, rather than being a subsidiary whose parent answers to a foreign one?
- 2. CLOUD Act exposure — can you say, for each system, that no US-headquartered provider has possession, custody or control of the data? The CLOUD Act reaches data a US provider controls wherever it is stored, so an EU region does not remove the exposure.
- 3. Data location — do you actually know which country each dataset is stored in, and can you prove it?
- 4. Encryption keys — do you hold your own keys, outside the provider or in an HSM you control, so access is your decision rather than a provider default? A "customer-managed" key that lives in the same provider's key service is still within that provider's reach.
- 5. Provider portability — could you move to another provider without a rebuild, and is there a written exit path?
- 6. Email control — is your email on infrastructure you control or a European provider, with SPF, DKIM and DMARC actually enforced (DMARC at p=reject, or at least p=quarantine, not p=none)?
- 7. Backups — are backups held somewhere you control, restorable without the original vendor, and actually tested?
- 8. AI data flow — when your team uses AI, do you know whether your documents leave your perimeter, and where they go?
- 9. Identity & access — do you run your own identity (accounts, MFA, joiners/leavers) rather than depending on one foreign platform?
- 10. Lock-in — are your core systems open-source or based on open standards, so you are not a hostage to one vendor's roadmap and pricing?
- 11. Documentation — could a new partner pick up your stack from written documentation you own, without the current supplier in the room?
- 12. Sub-processors — do you have a current list of who actually touches your data, and under whose law they operate?
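Point 6 is the one item on the list you can verify mechanically rather than by asking a supplier. Below is an added example (not part of the original checklist, and not any provider's tooling) that evaluates SPF, DKIM and DMARC records the way a receiving mail server would: it flags a permissive "all" qualifier, an SPF record that exceeds the ten-lookup limit, a DMARC policy of p=none or a partial pct, a weaker subdomain policy, a missing reporting address, and a revoked or test-mode DKIM key. The three domains and their records at the bottom are constructed samples, not real DNS data; to run it against your own domains, fetch the TXT records for the domain, _dmarc.<domain> and <selector>._domainkey.<domain> and pass them in.

```python
"""Offline assessment of SPF, DKIM and DMARC records (added example).
Records are passed in as strings; the samples at the bottom are constructed."""
import re

# SPF terms that cost a DNS lookup during evaluation (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.I)
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_tags(record):
    """Split a 'k=v; k2=v2' tag list (DMARC and DKIM syntax) into a dict."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return (usable, findings). usable = a record exists and does not pass everyone."""
    if not record or not record.lower().startswith("v=spf1"):
        return False, ["SPF: no v=spf1 record, so forged sender IPs cannot be rejected"]
    terms = record.split()[1:]
    findings, usable = [], True
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as you")
            usable = False
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; forged mail is not penalised")
        elif qualifier == "~":
            findings.append("SPF: '~all' is a soft fail; acceptable only with an enforcing DMARC policy")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    return usable, findings


def assess_dmarc(record):
    """Return (enforcing, findings). enforcing = failures are acted on for 100% of mail."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["DMARC: no _dmarc record; SPF and DKIM results are advisory only"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to junk; p=reject is the target")
    elif policy != "reject":
        findings.append(f"DMARC: missing or unrecognised policy {policy!r}")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 per RFC 7489
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if POLICY_RANK.get(sub_policy, -1) < POLICY_RANK.get(policy, -1):
        findings.append(f"DMARC: sp={sub_policy} leaves subdomains weaker than the organisational domain")
    if not tags.get("rua"):
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return policy in ("quarantine", "reject") and pct == 100, findings


def assess_dkim(record):
    """Return (key_present, findings) for one selector's TXT record."""
    tags = parse_tags(record)
    if not record or "p" not in tags:
        return False, ["DKIM: no selector record; signatures cannot be verified"]
    if not tags["p"]:
        return False, ["DKIM: empty p= means this selector's key is revoked"]
    findings = []
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("DKIM: t=y testing flag set; verifiers treat failures leniently")
    return True, findings


def assess_domain(records):
    """records: dict with 'spf', 'dmarc', 'dkim' strings (None if absent).
    enforced is True only when DMARC acts on all failures and at least one
    authentication path (SPF or DKIM) can genuinely pass for legitimate mail."""
    spf_ok, spf_findings = assess_spf(records.get("spf"))
    dmarc_ok, dmarc_findings = assess_dmarc(records.get("dmarc"))
    dkim_ok, dkim_findings = assess_dkim(records.get("dkim"))
    return dmarc_ok and (spf_ok or dkim_ok), spf_findings + dkim_findings + dmarc_findings


# Constructed sample records for three illustrative domains (not real DNS data).
SAMPLES = {
    "good.example": {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
                     "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
                     "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"},
    "monitor-only.example": {"spf": "v=spf1 include:_spf.mail.example ~all",
                             "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
                             "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"},
    "wide-open.example": {"spf": "v=spf1 +all", "dmarc": None, "dkim": "v=DKIM1; k=rsa; p="},
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        enforced, findings = assess_domain(records)
        print(f"{domain}: {'ENFORCED' if enforced else 'NOT ENFORCED'}")
        for finding in findings:
            print("  -", finding)
```

The "enforced" verdict is deliberately strict: a p=reject policy at pct=50, or p=reject sitting on top of an SPF record ending in +all with a revoked DKIM key, both come back as not enforced, because in each case a forged message can still be delivered.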
How did you score?
Nobody scores twelve out of twelve, and you don't need to. The point isn't a perfect score — it's knowing where your real exposure is, and deciding which gaps are worth closing. A bank's risk profile is different from a design studio's.
Mostly “yes”
You're in genuinely good shape — more sovereign than most. Worth a periodic re-check as you add tools, since each new SaaS quietly adds sub-processors and data flows.
A handful of “no” or “not sure”
Normal, and fixable. The “not sure” answers are the ones to chase first — uncertainty usually hides the biggest exposure. Pick the two or three that matter most for your sector and close them deliberately.
If you'd like a second pair of eyes, that's exactly what our free sovereignty & AI audit does: we run your stack through this in depth and hand you a written, prioritised set of next steps — no obligation.
Frequently asked questions
- Do I need to give my email to get this?
- No. The whole self-check is on this page, free, with nothing to fill in — that's the privacy-first point. If you'd like it applied to your specific stack, the free audit does exactly that.
- What's the difference between hosted-in-Europe and sovereign?
- Hosting in Europe satisfies data residency — where the data sits. Sovereignty is about control and jurisdiction: who can compel access, whether you hold the keys, and whether you can leave. A US cloud's EU region is resident but not sovereign.
- Is a perfect score the goal?
- No. The goal is an honest map of your exposure so you can close the gaps that matter for your business. Different sectors warrant different levels of rigour.