Assessment
Above average. Few US tools, selectively replaceable.
Sovereignty Scan
Scanning domain: qform.io
We are checking DNS, hosting, detected tools and EU alternatives. Large sites can take a moment on the first request.
2 of 5 detected tools fall under ( reach).
We show the 3 easiest switches with matching EU alternatives.
Personal Data
Low: Contact, appointment and customer data in US tools.
Marketing Data
Low: Tracking, email lists, conversion data.
Infrastructure
Medium: Hosting, CDN, DNS and email delivery.
The 3 biggest levers for qform.io
Sorted by impact per effort. The first switch typically delivers more than the next two combined.
Analytics · Yandex N.V. (Other)
Yandex.Metrica transfers usage data to Russia, a third-country transfer without an adequacy decision.
Instead
Matomo
More than a fine
Fines make headlines, but rarely balance sheets. They arrive late, selectively, and are negotiable. What US tools cost you sooner is the sum of lost tenders, suspicious enterprise clients, a growing audit backlog, personal liability for your management, and a tool that could be shut down tomorrow with a single executive order.
Procurement
Federal, state, and enterprise procurement now make "EU hosting" and "CLOUD Act-free" knockout criteria. A single US tool in your stack is enough for disqualification — without ever making the shortlist.
by 2027
Federal administration sovereignty roadmap (BMI, "Sovereign IT 2027")
Trust & Churn
Since Schrems II, every serious procurement department checks the DPA annex. A US logo under "subprocessor" means a renewal negotiation — or a lost deal you never see as a lost deal.
73%
of GDPR-aware B2B buyers check subprocessors (Gartner, 2024)
Operational Burden
Every US tool requires its own Data Protection Impact Assessment, Standard Contractual Clauses, and a Transfer Impact Assessment. With every subprocessor change, the audit cycle restarts — usually unnoticed.
8–16 h
effort per tool and audit cycle, recurring
Management Liability
Under corporate governance law, those who ignore the state of the art are liable with personal assets, not the company treasury. D&O insurance regularly excludes GDPR intent and gross negligence.
Personal assets
of management in case of damage
Geopolitics
CLOUD Act, OFAC sanctions, a new Schrems ruling: when Washington pulls the plug, there is no transition period. Real precedent: in 2025, Microsoft blocked International Criminal Court accounts on US orders.
0 days
transition period for US embargo or account lockout
And when the authority does knock
Authorities in Germany investigate slowly but increasingly systematically. The expected value is lower than the headline, but the reach is not.
€50,000
realistic risk · max. €200,000 (Art. 83 (5) GDPR, up to 4% of annual revenue)
Detected Tools · 5 found
| Tool | Category | Hosting | Owner | Risk | EU Alternative |
|---|---|---|---|---|---|
| Snowplow Analytics JS bundle → sp.js | Behavioral Data Platform | Self-hosted or Snowplow BDP Cloud (AWS) | Snowplow Analytics Ltd UK | Low | |
| Vimeo JS bundle → player.vimeo.com/video | Video hosting | AWS / Edge (Global) | Vimeo Inc. US · CLOUD Act | Medium | |
| Yandex.Metrica script / iframe → mc.yandex.ru/metrika | Analytics | Yandex (RU) | Yandex N.V. Other | High | |
| Yandex.Metrika script / iframe → mc.yandex.ru/metrika/tag.js | Analytics | Own network, primary region Russia | Yandex LLC Other | High | |
| YouTube JS bundle → youtube-nocookie.com/embed/ | Video platform | Google Cloud US and global | Google LLC (Alphabet Inc.) US · CLOUD Act | High | |
Snowplow Analytics
Behavioral Data Platform
EU Alternative
+2
Yandex.Metrika
Analytics
EU Alternative
+2
YouTube
Video platform
EU Alternative
+2
Eight pages: legal classification per tool, migration effort, prioritized roadmap. Ready to use in the boardroom or with your Data Protection Officer.
The DPO decides on DPAs, TIAs, and subprocessor approvals. With one click, they receive a compact summary of this scan, directly in their inbox.
Embed Badge
Trust page, footer, RFP response. Updates automatically after every re-scan.
<a href="https://scan.meetergo.com/de/r/qform.io" target="_blank" rel="noopener" aria-label="Sovereignty Score: B – qform.io">
<iframe src="https://scan.meetergo.com/scan/api/badge/qform.io?variant=card&theme=light" width="360" height="240"
title="Sovereignty Score: B – qform.io" loading="lazy"
style="border:0;display:block;max-width:100%"
sandbox="allow-popups allow-popups-to-escape-sandbox"></iframe>
</a>
Self-hosted or EU cloud. 1:1 migration from GA4.
Analytics · Yandex LLC (Other)
Yandex.Metrika transfers visitor IPs, session replays and heatmaps to servers in Russia. No GDPR adequacy; Russian law permits FSB access to stored records.
Instead
etracker
Hamburg-based web analytics provider, fully GDPR-compliant.
Video platform · Google LLC (Alphabet Inc.) (US)
YouTube is a service of Google LLC (Mountain View, CA). Video embeds transfer user data to Google in the USA; the CLOUD Act applies. Embedding in privacy-enhanced mode (youtube-nocookie.com) reduces the risk.
Instead
VIMP
Video portal software from Munich: on-prem or as EU cloud, ideal for internal communication.
5 entries
2 TIAs
5 DPAs
Legal basis: GDPR Art. 28, 30, 44 ff. · EDPB Recommendations 01/2020 (Schrems II).
Sorted by effort. Expand a row for details.
Behavioral Data Platform
Swap the tag, reconfigure goals, and if needed export data via API/BigQuery for a comparison period.
Time-to-Value: 1–2 weeks
Video hosting
meetergo does not replace video hosting. Quick win: privacy embed (e.g. youtube-nocookie.com) with a consent gate. Full switch: EU video hosting (Vimeo EU region, Bunny Stream EU/Slovenia, self-hosted Peertube). Swap embeds and player IDs.
Time-to-Value: 1–3 business days per platform (embed swap)
Analytics
Swap the tag, reconfigure goals, and if needed export data via API/BigQuery for a comparison period.
Time-to-Value: 1–2 weeks
Analytics
Swap the tag, reconfigure goals, and if needed export data via API/BigQuery for a comparison period.
Time-to-Value: 1–2 weeks
Video platform
meetergo does not replace video hosting. Quick win: privacy embed (e.g. youtube-nocookie.com) with a consent gate. Full switch: EU video hosting (Vimeo EU region, Bunny Stream EU/Slovenia, self-hosted Peertube). Swap embeds and player IDs.
Time-to-Value: 1–3 business days per platform (embed swap)
Fastest lever: Booking & lead routing. Infrastructure (hosting, DNS, CDN) is a separate project.
Operational Signals
Five operational signals that any DNS resolver or TLS handshake exposes. They show who's behind the domain — even when the brand promises something different.
Cookies the server sets on the very first visit, before anyone clicks a cookie banner.
Cryptographic signature of DNS responses. Prevents attackers from redirecting the domain to malicious servers.
Encrypts the connection between browser and website. The Certificate Authority (CA) guarantees the domain belongs to the stated owner.
Who actually owns the website's IP address. Shows the real hosting corporation, even if the contractual partner is different.
Hostname the IP points back to. Often reveals the actual hosting provider, even when the brand name suggests otherwise.
Capped per bucket, low-confidence hits weighted half, EU vendors not deducted.
Total deductions: −23.9 · Sovereignty bonus: +0
No critical vendors detected in this bucket.
0 cookie(s) set before consent.
No critical category covered by an EU vendor.
The Sovereignty Scan evaluates publicly accessible signals (homepage and legal page HTML, DNS, MX, SPF, and ASN data) and compares them against our database of approximately 3,000 vendors. The mapping of tools to owners and jurisdictions is based on public sources (legal notices, privacy policies, Wappalyzer, RIPE/ARIN registrations) and is intended as a first indication at the time of evaluation, not a legally binding assessment.
The A–E grade is a risk indicator, not a GDPR compliance verdict. For a concrete GDPR assessment — especially regarding Data Processing Agreements (DPA), Standard Contractual Clauses (SCC), and Transfer Impact Assessments (TIA) — please consult your Data Protection Officer or external legal counsel. meetergo makes no claim as to whether a specific vendor can be used in a GDPR-compliant manner in any particular use case.
Correction & Response: If you are the domain owner, Data Protection Officer, or press office of the assessed domain and the signals shown here do not reflect your current tool configuration, we welcome corrections and will update the listing promptly after review.