Risk indicator, not a GDPR compliance verdict. Snapshot-based on public web-stack signals.

Methodology & limits
Correct listing / submit a statement

Vendor Directory

assessment & EU alternatives for SaaS tools

In total, the Sovereignty Scan detects 3,039 tools with jurisdiction, owner chain, CLOUD Act assessment and DPF status. 433 of them are hand-curated: these have their own GDPR profile with data categories, EU alternatives, migration plan and FAQ.

Tools detected: 3,039 (433 curated)
EU vendors: 269 (recommended)
UK / CH: 44
US vendors: 402
DPF certified: 97


Editorial

Ongoing maintenance

The catalog grows weekly

Every week, new hand-curated vendor profiles are added, with owner chain, hosting region, EU alternatives and migration plan. We review existing entries after acquisitions and subprocessor changes. Current focus: procurement-relevant tools, government and KRITIS stacks, and EU alternatives for recent US acquisitions.

433 hand-curated profiles

Missing a tool?

Send us the vendor name and website. We will add it to the next maintenance wave, including owner chain and EU alternatives.

Suggest a vendor
How we assess vendors

Frequently Asked Questions


What does 'GDPR-compliant' mean for a SaaS vendor?

A GDPR-compliant tool processes personal data exclusively on a lawful basis (Art. 6 GDPR), enters into a data processing agreement (DPA), documents technical and organisational measures (TOMs) and transfers data, if at all, only on the basis of Standard Contractual Clauses, an adequacy decision or the EU-US Data Privacy Framework, supplemented by a Transfer Impact Assessment.

What is the CLOUD Act and why is it relevant for US vendors?

The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) obliges US companies to grant US authorities access to stored data upon request, regardless of the physical storage location. Even if a US vendor offers EU hosting, the parent company remains subject to disclosure obligations as a US entity. This is the core risk highlighted by the Schrems II ruling.

What does the EU-US Data Privacy Framework (DPF) mean for GDPR compliance?

The DPF (in force since July 2023) is an adequacy decision for US recipients that are certified on the DPF list. It resolves the third-country transfer question: SCCs become unnecessary, though a TIA remains recommended. However, the DPF does not override the CLOUD Act: state access remains legally possible. We explicitly label DPF vendors because this is an important differentiator, but it is not a free pass.

How is a vendor's jurisdiction determined?

We check the registered seat and parent company (commercial register, imprint, privacy policy), the contractual counterparty for EU customers (e.g. Pipedrive OÜ in Estonia for Pipedrive), the hosting region (often AWS/GCP/Azure region) and the subprocessor list. For multi-tier structures (EU contractual party + US parent), we label the primary jurisdiction and additionally flag 'check third-country transfer'.

How does the Sovereignty Scan differ from cookie scanners?

Cookie scanners check what is set after consent. The Sovereignty Scan analyses the underlying tool architecture. We detect vendors via script tags, CSP headers, MX/DNS records, CNAME cloaking, DKIM signatures and TLS SANs — including tools that set no cookie at all (backend CRMs, e-signature iframes, webhook endpoints). Result: a DPA-relevant view, not just a tracking view.
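The two answers above (jurisdiction determination and signal-based vendor detection) can be illustrated with a small offline pass. The following is an added example, not the Sovereignty Scan's own code: every input (the page HTML, the CSP header, the DNS zone and the vendor table with its jurisdictions) is constructed under the reserved `.example` TLD, the registrable domain is simplified to the last two labels (a real scanner would use the Public Suffix List), and TLS SAN matching is left out. It shows how script/iframe sources, CSP directives, MX and DKIM records and CNAME cloaking are mapped to a vendor, and how the multi-tier case (EU contracting entity, non-EU parent) receives a 'check third-country transfer' flag.

```python
import re
from urllib.parse import urlparse

# --- Constructed inputs: placeholders, not real sites or vendors --------------
FIRST_PARTY = "shop.example"

HTML = """
<html><head>
<script src="https://cdn.analytics.example/tag.js"></script>
<script src="https://metrics.shop.example/collect.js"></script>
<script src="/static/app.js"></script>
</head><body>
<iframe src="https://sign.esign.example/embed/123"></iframe>
</body></html>
"""

CSP_HEADER = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.analytics.example; "
    "connect-src 'self' https://api.crm.example"
)

# Constructed DNS zone: name -> record type -> value(s)
DNS = {
    "shop.example": {"MX": ["mx1.mail.example"]},
    "metrics.shop.example": {"CNAME": "collector.analytics.example"},  # CNAME cloaking
    "s1._domainkey.shop.example": {"CNAME": "s1.dkim.mail.example"},  # DKIM delegated to mail vendor
}

# Constructed vendor table keyed by registrable domain. "jurisdiction" is the
# contracting entity, "parent" the ultimate owner (hypothetical values).
VENDORS = {
    "analytics.example": {"vendor": "AnalyticsCo", "jurisdiction": "US", "parent": "US", "dpf": True},
    "crm.example": {"vendor": "CRMCo", "jurisdiction": "EU", "parent": "US", "dpf": False},
    "mail.example": {"vendor": "MailCo", "jurisdiction": "EU", "parent": "EU", "dpf": False},
    "esign.example": {"vendor": "SignCo", "jurisdiction": "US", "parent": "US", "dpf": False},
}


def registrable(host: str) -> str:
    """Registrable domain, simplified to the last two labels (assumption; real code uses the PSL)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def resolve_cname(host: str, dns: dict, max_hops: int = 5) -> str:
    """Follow CNAME records so a first-party hostname cloaking a vendor resolves to the vendor host."""
    hops = 0
    while host in dns and "CNAME" in dns[host] and hops < max_hops:
        host = dns[host]["CNAME"]
        hops += 1
    return host


def hosts_from_html(html: str) -> list[tuple[str, str]]:
    """(signal, host) for every absolute script or iframe src; relative paths are first-party."""
    out = []
    for tag, src in re.findall(r'<(script|iframe)[^>]+src="([^"]+)"', html, flags=re.I):
        host = urlparse(src).hostname
        if host:
            out.append((f"{tag.lower()}-src", host))
    return out


def hosts_from_csp(header: str) -> list[tuple[str, str]]:
    """(signal, host) for every host source in the CSP; keyword sources like 'self' are skipped."""
    out = []
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0], parts[1:]
        for src in sources:
            if src.startswith("'"):
                continue
            host = urlparse(src if "://" in src else "https://" + src).hostname
            if host and "*" not in host:
                out.append((f"csp:{name}", host))
    return out


def hosts_from_dns(domain: str, dns: dict) -> list[tuple[str, str]]:
    """Mail-stack signals that set no cookie at all: MX targets and DKIM selector CNAMEs."""
    out = [("mx", mx) for mx in dns.get(domain, {}).get("MX", [])]
    for name, recs in dns.items():
        if name.endswith("._domainkey." + domain) and "CNAME" in recs:
            out.append(("dkim-cname", recs["CNAME"]))
    return out


def assess(rec: dict) -> list[str]:
    """Risk labels in the spirit of the FAQ: CLOUD Act reach via a US parent, multi-tier flag, DPF as differentiator."""
    flags = []
    if rec["parent"] == "US":
        flags.append("CLOUD Act reach (US parent)")
    if rec["jurisdiction"] == "EU" and rec["parent"] != "EU":
        flags.append("check third-country transfer (EU contracting entity, non-EU parent)")
    if rec["dpf"]:
        flags.append("DPF certified")
    return flags


def scan(first_party: str, html: str, csp: str, dns: dict, vendors: dict) -> dict:
    """Collect all signals, de-cloak CNAMEs, drop first-party hosts and group findings per vendor."""
    signals = hosts_from_html(html) + hosts_from_csp(csp) + hosts_from_dns(first_party, dns)
    findings: dict = {}
    for signal, host in signals:
        target = resolve_cname(host, dns)
        if signal.startswith(("script", "iframe")) and target != host:
            signal += "+cname-cloaking"
        domain = registrable(target)
        if domain == registrable(first_party):
            continue
        rec = vendors.get(domain)
        if rec is None:
            continue
        entry = findings.setdefault(rec["vendor"], {"domain": domain, "signals": set(), "flags": assess(rec)})
        entry["signals"].add(signal)
    return findings


if __name__ == "__main__":
    for vendor, info in scan(FIRST_PARTY, HTML, CSP_HEADER, DNS, VENDORS).items():
        print(vendor, info["domain"], sorted(info["signals"]), info["flags"])
```

On the constructed input, the analytics vendor is found three times (direct script tag, the cloaked first-party CNAME and the CSP allow-list), the CRM vendor only through the `connect-src` directive and the mail vendor only through MX and DKIM records, none of which a cookie scanner would see. The CRM vendor, with an EU contracting entity but a US parent, carries both the CLOUD Act label and the 'check third-country transfer' flag, matching the multi-tier rule described in the FAQ.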

Are the assessments legal advice?

No. The Sovereignty Scan is a technical-organisational pre-screening with clear risk labels. Legal assessment in individual cases (data protection impact assessment, TIA, DPA review) remains the responsibility of your data protection officer or a specialist law firm.

Next step

Which of these vendors are running on your website?

60 seconds, no login. The Sovereignty Scan lists all detected tools with jurisdiction, owner chain and matching EU alternative.