Methodology · Transparency

How the Sovereignty Scan works

What data we evaluate, how we determine vendor jurisdiction, what we deliberately don't check — and why a Grade A doesn't mean "compliant".

Methodology v2.3 · Updated

01 · What we evaluate

Five signal sources — all publicly accessible

The scan doesn't initiate a login and reads no private data. We use only what any browser or DNS tool can see. On SPA sites we render the page once in a real browser and click "Accept all" to expose the tracker layer hidden behind the consent banner — without that step, Adobe Analytics, Tealium, and OneTrust would stay invisible on most enterprise sites. The same beacons fire as on a normal post-consent visit.

  • Homepage HTML + Legal pages

    We additionally load /privacy, /imprint, /contact and their German equivalents. From these we detect tracking scripts, embedded iframes, form endpoints, and CSP directives.

  • DNS Records (MX, NS, A, PTR)

    Mail servers (MX) reveal the office suite and newsletter provider. Nameservers (NS) show the DNS provider. Reverse DNS (PTR) of A records identifies the hosting provider.

  • SPF Records (recursive)

    We follow `include:` directives across multiple levels to detect SendGrid, Mailgun, AWS SES, Brevo etc. even behind SPF flatteners (EasyDMARC) — by reverse-lookup of IP ranges to AS owner names.

  • ASN / IP Owner (Team Cymru)

    The primary A record IP is resolved via Team Cymru to the AS owner (e.g. AMAZON-02 vs HETZNER). Unblockable: whoever accepts an IP packet reveals their ASN.

  • HTTP Headers + Pre-Consent Cookies

    Server headers (cf-ray, x-vercel-id, fastly-debug-path) reveal edge and hosting providers. Cookies set *before* a consent banner are a GDPR indicator.

  • TLS Certificate + DNSSEC

    The cert issuer (Let's Encrypt vs DigiCert vs Sectigo) and DNSSEC validation status flow into the report as context. They don't directly affect the score.
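The recursive SPF walk described under "SPF Records (recursive)", as an added example that is not meetergo's scanner code: it follows `include:` chains over a constructed, offline TXT map (documentation IP ranges only), guards against include loops and the RFC 7208 lookup budget, and maps every reachable range to an AS owner via a constructed table that stands in for the Team Cymru lookup. Domain names, ranges and the owner table are all assumptions built for the example.

```python
import ipaddress

# Constructed TXT records (documentation IP ranges, not real provider data).
# example.com sits behind a flattener that emits raw ip4 ranges, so the
# provider name is only recoverable from the AS owner of those ranges;
# example.org references its providers by include: directly.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.flattener.example ~all",
    "_spf.flattener.example": "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 "
                              "include:mail.example.org -all",
    "mail.example.org": "v=spf1 ip4:198.51.100.0/24 ~all",
    "example.org": "v=spf1 include:sendgrid.net include:mailgun.org ~all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/25 ~all",
    "mailgun.org": "v=spf1 ip4:203.0.113.0/24 ~all",
    "loop.example": "v=spf1 include:loop.example ~all",   # pathological self-include
}
# Constructed range -> AS owner table standing in for a Team Cymru lookup.
AS_OWNERS = [
    (ipaddress.ip_network("192.0.2.0/25"), "SENDGRID"),
    (ipaddress.ip_network("192.0.2.128/25"), "AMAZON-02"),
    (ipaddress.ip_network("198.51.100.0/24"), "HETZNER"),
    (ipaddress.ip_network("203.0.113.0/24"), "MAILGUN"),
]
MAX_LOOKUPS = 10  # RFC 7208 budget for DNS-querying terms (a/mx would count too)

def resolve_spf(domain, seen=None, budget=None):
    """Follow include: chains depth-first; return the ip4 networks reached."""
    seen = set() if seen is None else seen
    budget = [MAX_LOOKUPS] if budget is None else budget
    if domain in seen or budget[0] <= 0:
        return set()                        # include loop or budget exhausted
    seen.add(domain)
    nets = set()
    for term in DNS_TXT.get(domain, "").split()[1:]:   # skip "v=spf1"
        if term.startswith("include:"):
            budget[0] -= 1
            nets |= resolve_spf(term[len("include:"):], seen, budget)
        elif term.startswith("ip4:"):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
    return nets

def spf_providers(domain):
    """Name the providers behind a domain's SPF: the AS owner of every reachable
    range, which survives even when a flattener has removed the include: hint."""
    owners = set()
    for net in resolve_spf(domain):
        for known, owner in AS_OWNERS:
            if net.subnet_of(known) or known.subnet_of(net):
                owners.add(owner)
    return sorted(owners)
```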

02 · What we deliberately don't read

Limits of the scan

We only scan what is publicly accessible. This is a deliberate choice, not a technical limitation.

  • No authenticated areas: member zones, customer portals, and SaaS backends are excluded. We only assess the public-facing representation of your domain.
  • No personal data: no content behind a login, no emails, no data from your website visitors.
  • If a website actively blocks our crawler, we report that openly in the result. DNS-based detection continues regardless.

03 · How we determine jurisdiction

Who is the actual contractual party?

The most important question in a CLOUD Act context: not where the server runs, but who the legal owner is. Here is our heuristic.

For each detected vendor, we determine jurisdiction as follows, in this order:

  1. Hand-curated for approximately 400 high-relevance vendors: we manually maintain the legal parent company, its and the key EU subsidiaries (e.g. Typeform SL → Typeform Inc. US).
  2. Automated for the broader catalog (~2,600 additional vendors): we derive jurisdiction from the top-level domain of the vendor's website (.de → EU, .com → unclear, etc.). These entries are flagged in the result with the notice "Vendor review recommended".
  3. Third-country transfer is additionally flagged when the primary vendor is EU-based, but a third-country subprocessor sits in the contract chain (example: Typeform = EU with US subprocessor).
  4. CLOUD Act exposure is flagged for US parent companies, even when the specific server is in Frankfurt. This logic is based on and EDPB Recommendations 01/2020.

04 · How the score is calculated

Sovereignty risk — not a meetergo promotional score

The A–E grade is based exclusively on the data protection risk assessment of detected vendors, regardless of whether meetergo can replace the tool in question. This is a deliberate decision.

Step 1 · Per vendor

For each detected vendor, we calculate a sovereignty risk as the product of two factors:

Sovereignty Risk = Jurisdiction × Data Sensitivity
Range: 1 (EU analytics) to 25 (US scheduling tool)

Jurisdiction (weight)
  • USA: 5
  • Unknown: 3
  • UK / Switzerland: 2
  • EU / EEA: 1

Data Sensitivity (weight)
  • Scheduling · CRM · Forms · Email · Signatures: 5
  • Hosting · DNS · CDN · Payments · Video: 3
  • Analytics · Error Tracking · CDN-only: 1

Step 2 · Domain score

We start at 100 and deduct points per detected non-EU vendor. The deduction is a smooth function of risk and detection confidence (risk × 0.7 × confidence factor; high 1.0 / medium 0.75 / low 0.5). Deductions accumulate per category bucket and are capped: personal data max 35, marketing max 25, infrastructure max 20 — so many similar findings don't compound endlessly. Pre-consent tracker cookies add a small further deduction (max 8). For every "critical" category (scheduling, CRM, email, hosting, DNS) covered by an EU vendor, the score gets a sovereignty bonus of +3 (max +12). EU tools themselves are not deducted — sovereignty is the desired state, not the punished one. The resulting score from 0–100 maps to a grade A–E:

  1. A · Score ≥ 90 · Exemplary sovereignty
  2. B · Score ≥ 75 · Largely sovereign
  3. C · Score ≥ 55 · Conditionally sovereign
  4. D · Score ≥ 30 · Significant risk
  5. E · Score < 30 · High CLOUD Act risk

Note: If the website blocks our scan or returns a pure JS SPA, we cap the grade at C. An unread page cannot be "A".

Confidence weighting, not floor: A low-confidence detection (e.g. a TLD heuristic alone) deducts only half as much as a high-confidence detection of the same vendor. Issuing a grade A ("exemplary") or E ("high risk") therefore requires correspondingly load-bearing evidence. Earlier versions binary-clamped the score at a confidence threshold — the current weighting scales smoothly with actual evidence quality.
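Step 1 and Step 2 carried through in code, as an added example that is not meetergo's implementation: the weights, the 0.7 × confidence deduction, the per-bucket caps, the pre-consent cookie cap, the +3/+12 EU bonus, the grade thresholds and the "blocked scan caps at C" rule are taken from the text above. Which categories fall into the "personal data", "marketing" and "infrastructure" buckets, and the per-cookie deduction of 2 points, are assumptions (the page states only the caps); the vendor findings are constructed for a fictional domain.

```python
JURISDICTION = {"US": 5, "UNKNOWN": 3, "UK": 2, "CH": 2, "EU": 1}
SENSITIVITY = {"scheduling": 5, "crm": 5, "forms": 5, "email": 5, "signatures": 5,
               "hosting": 3, "dns": 3, "cdn": 3, "payments": 3, "video": 3,
               "analytics": 1, "error_tracking": 1, "cdn_only": 1}
CONFIDENCE = {"high": 1.0, "medium": 0.75, "low": 0.5}
# Assumption: which categories land in which capped bucket (the page gives caps only).
BUCKET = {"personal": {"scheduling", "crm", "forms", "email", "signatures"},
          "marketing": {"analytics", "error_tracking", "video"},
          "infrastructure": {"hosting", "dns", "cdn", "cdn_only", "payments"}}
BUCKET_CAP = {"personal": 35.0, "marketing": 25.0, "infrastructure": 20.0}
CRITICAL = {"scheduling", "crm", "email", "hosting", "dns"}  # EU coverage earns +3 each
COOKIE_DEDUCTION, COOKIE_CAP = 2.0, 8.0  # per-cookie value is an assumption; the cap is not

def vendor_risk(vendor):
    """Step 1: risk = jurisdiction x sensitivity (1..25); vendor = (name, category, jurisdiction, confidence)."""
    _, category, jurisdiction, _ = vendor
    return JURISDICTION[jurisdiction] * SENSITIVITY[category]

def domain_score(vendors, preconsent_cookies=0, blocked=False):
    """Step 2: start at 100, deduct per non-EU vendor (capped per bucket),
    add the EU sovereignty bonus, map to a grade; a blocked scan caps at C."""
    buckets = {b: 0.0 for b in BUCKET_CAP}
    eu_critical = set()
    for vendor in vendors:
        _, category, jurisdiction, confidence = vendor
        if jurisdiction == "EU":                 # EU tools are never deducted
            if category in CRITICAL:
                eu_critical.add(category)
            continue
        bucket = next(b for b, cats in BUCKET.items() if category in cats)
        buckets[bucket] += vendor_risk(vendor) * 0.7 * CONFIDENCE[confidence]
    deductions = sum(min(val, BUCKET_CAP[b]) for b, val in buckets.items())
    deductions += min(preconsent_cookies * COOKIE_DEDUCTION, COOKIE_CAP)
    score = max(0.0, min(100.0, 100.0 - deductions + min(3 * len(eu_critical), 12)))
    grade = next((g for g, floor in (("A", 90), ("B", 75), ("C", 55), ("D", 30))
                  if score >= floor), "E")
    if blocked and grade in ("A", "B"):          # an unread page cannot be "A"
        grade = "C"
    return score, grade

SAMPLE = [  # constructed findings for a fictional domain, not a real scan
    ("Calendly", "scheduling", "US", "high"),          # risk 25 -> deduct 17.5
    ("HubSpot", "crm", "US", "high"),                  # risk 25 -> deduct 17.5
    ("unknown-forms.io", "forms", "UNKNOWN", "low"),   # risk 15 -> 5.25; bucket capped at 35
    ("Google Analytics", "analytics", "US", "high"),   # risk 5 -> deduct 3.5
    ("Cloudflare", "cdn", "US", "medium"),             # risk 15 -> deduct 7.875
    ("Hetzner", "hosting", "EU", "high"),              # no deduction, +3 bonus
    ("IONOS", "dns", "EU", "high"),                    # no deduction, +3 bonus
]
```

With two pre-consent cookies the sample lands at 100 − 46.375 − 4 + 6 = 55.625, a C: the personal-data bucket is already saturated by two US tools, so the low-confidence third finding changes nothing, while the two EU infrastructure vendors lift the grade over the C threshold.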

05 · Vendor database

~3,000 vendors, two trust levels

So that your DPO knows how reliable each individual match is, we label every detected vendor with one of two confidence levels.

Core catalog (~400 vendors)

Hand-curated datasets for the most common tools in DACH B2B: owner chain, hosting region, migration effort, EU alternative. Treated as "high confidence" in results.

Extended catalog (~2,600 vendors)

Broader coverage for long-tail tools: jurisdiction derived from TLD, generic recommendation text. Flagged with "Vendor review recommended" so your DPO can verify the match before acting on it.

The core catalog is continuously maintained editorially; the extended catalog is updated at regular intervals as owner structures or change.

06 · What the scan is NOT

What we don't claim

To avoid misunderstandings, here it is explicitly:

  • The scan is not legal advice. It does not replace a , a , or a legal opinion.
  • We make no claim as to whether a specific vendor can be used in a -compliant manner in any particular use case. This depends on your , your , and the type of data.
  • A Grade A does not mean "fully compliant" — it means "based on the detected tools, the setup looks very clean". A Grade F does not mean "illegal" — it means "there is significant third-country transfer risk here".
  • Tools meetergo can directly replace (Calendly, Typeform, DocSend, etc.) are preferentially shown with a meetergo recommendation. Tools meetergo does not replace (AWS, Cloudflare, Stripe) receive a neutral EU recommendation. We are not selling you hosting.

Ready to check your own domain?

60 seconds. No sign-up. You get a grade from A to E with all detected tools and EU alternatives.