Why · Background
Why digital sovereignty matters in Europe.
A visual explanation in seven chapters: what really happens when you use a US tool, what is at stake. And why even a YouTube embed is a data transfer.
01 · The Uncomfortable Truth
A US tool stays under US law. Even in Frankfurt.
Servers in Frankfurt sound reassuring, but they are legally irrelevant. What matters is who controls the contract, not where the cable ends.
Diagram: User in Germany (personal data, protected by GDPR) → EU server, e.g. Frankfurt (marketing promise, not a legal argument) → US parent company (CLOUD Act applies here, with or without an EU server)
As soon as the parent company is based in the US, it can be compelled via to hand over data, without notifying those affected, without a German court, without any right of objection. The ECJ confirmed this with ; the current is already being challenged.
02 · The Five Tiers
What digital sovereignty looks like in practice.
Not every "EU solution" is equally sovereign. These five tiers help to assess a tool soberly, from default US SaaS to a fully sovereign EU stack.
- Level 0: US vendor, US servers
  Examples: Google Workspace, Calendly, Typeform (default), HubSpot, Zoom
  Full CLOUD Act reach. In the event of a subsequent Schrems ruling, the risk of a short-notice migration obligation is highest.
- Level 1: US vendor, EU servers
  Examples: AWS Frankfurt, Azure DE, Microsoft 365 EU, Salesforce Hyperforce EU
  A marketing argument, not a legal one. The CLOUD Act continues to apply structurally. The parent company remains subject to US obligations.
- Level 2: EU subsidiary of a US group
  Examples: Google Sovereign Cloud, Microsoft EU Data Boundary, Oracle EU Sovereign
  Somewhat better, but corporate directives can override subsidiary contracts in a conflict. OFAC sanctions can also affect access, as the 2025 Microsoft block on the International Criminal Court showed.
- Level 3: EU vendor with US subprocessors
  Examples: EU SaaS on AWS/Cloudflare, EU tools with Stripe, Intercom, or SendGrid in the chain
  The contractual partner is EU. But a single US subprocessor reintroduces third-country risk into the entire setup.
- Level 4: EU vendor, EU hosting, EU subprocessors
  Examples: meetergo, Hetzner, OVHcloud, IONOS, STACKIT, Nextcloud, Sentry SaaS EU
  The highest sovereignty tier in our model: no US parent company, no US subprocessors in the contract chain. Therefore the lowest structural third-country transfer risk.
In short: "EU server" ≠ "EU sovereignty". What counts is the ownership chain including all subprocessors. That is exactly what the Sovereignty Scan reconstructs automatically.
03 · What Is at Stake
Four risks every CEO should know.
Data protection is often dismissed as compliance hygiene. In 2026 that is no longer realistic. The consequences are concrete, personal, and in some cases existential.
Fines of up to 4% of group revenue
defines the framework. In 2025, over €1 billion in GDPR fines were imposed across Europe, with a continuing upward trend. Third-country transfers are Tier 2: up to €20M or 4% of annual turnover, whichever is higher.
Personal liability of the CEO
requires the “diligence of a prudent businessman”. Those who ignore the are personally liable in the event of damages. regularly does not cover gross negligence.
Disqualification from public tenders
Federal, state, and corporate procurement are increasingly making “EU hosting” and “CLOUD Act-free” knockout criteria. is the binding roadmap here. A single US tool in the can disqualify an offer, often without explanation.
Political shutdown shock
In 2025, Microsoft blocked, on , accounts of the International Criminal Court, without any transition period. US law applies to every US tool, at any time. Anyone without an alternative in place is left standing still.
04 · The Invisible Exports
Even a YouTube embed is a data transfer.
Very few data protection risks are prominently displayed on a website. They are embedded, third-party loaded, pre-consented. From the browser's perspective, it is still a full cross-border request.
YouTube Embed
What happens: When the embed loads, technically unavoidable headers (IP, User-Agent) are transmitted to Google. Even the “nocookie” variant means: one request lands in the US legal jurisdiction.
EU Alternative: PeerTube, Vimeo (EU DSA model), or self-hosted video via Bunny Stream / Mux EU.
Google Fonts (CDN)
What happens: Munich Regional Court I, judgment of 20 Jan 2022, case 3 O 17493/20: embedding via fonts.googleapis.com without consent was assessed in that case as a violation of personality rights. An IP address suffices as personal data. Have your own setup reviewed.
EU Alternative: Self-hosting via @fontsource or Bunny Fonts (EU hosting, no third-country request by default).
reCAPTCHA / hCaptcha (US)
What happens: Both providers analyse mouse movements, browser fingerprints and IP addresses, even before the click. The parent company is based in the US, so the data flow falls under US jurisdiction.
EU Alternative: FriendlyCaptcha (Bavaria), Turnstile (with caveats), honeypot fields + rate limiting.
Cloudflare / Akamai (Edge)
What happens: Even without a visible logo, every request runs through the edge infrastructure of a US corporation. With TLS termination at the edge, the provider is structurally in a position to see plaintext content.
EU Alternative: Bunny.net (Slovenia), Fastly EU with data-location control, or direct-served via Hetzner/IONOS.
Pixels & Tag Manager
What happens: Meta Pixel, LinkedIn Insight, Google Tag Manager: loading before consent is legally challenging and is regularly assessed as a violation by supervisory authorities (ePrivacy/GDPR). Even after consent the data flow falls under US jurisdiction.
EU Alternative: Server-side tracking via Plausible EU, Matomo on-prem, Etracker.
Intercom, HubSpot Chat, Zendesk
What happens: Chat widgets from US providers process visitor IDs, IP addresses, and potentially conversation history. The data flow falls under US jurisdiction (CLOUD Act reach).
EU Alternative: Userlike (Cologne), Crisp (France), tidio with EU hosting, or a simple mailto:.
05 · The Bigger Picture
Sovereignty is infrastructure policy.
This is no longer just about individual data records. It is about whether Europe can operate its critical digital functions independently: economically, technically, and politically.
Economic Resilience
Every euro spent on US SaaS is a euro not flowing into European value creation. If a US provider shuts down tomorrow, there is no alternative — unless we consciously buy one today.
Political Agency
With , the BMI has set the direction: the federal administration must be able to demonstrate by 2027 that critical processing runs without CLOUD Act exposure.
Democratic Control
US intelligence agencies may collect data on non-US persons via FISA 702, without individual judicial review. Anyone living in Europe should be legally reachable within Europe.
Personal Note · Founder
Why this matters to me personally.
I have been building software in Europe for years. meetergo for appointment booking, CrabClear for GDPR-compliant data deletion, plus several smaller privacy tools. With every one of these products, I hit the same moment in a sales conversation: a DPO or procurement officer pulls up a US subprocessor list, and a competitor is out.
Yet those same companies spend years cleaning up their own stacks, mostly because nobody has an overview. That was exactly the trigger for the Sovereignty Scan: I wanted the tool I would have needed myself, to be able to say in a meeting “this is what the risk looks like for you specifically”, without a consulting contract and without signing up.
For me, sovereignty is not a political buzzword. It is the question of whether I am still allowed to deliver my customers’ data to them tomorrow, or whether a court ruling in Washington decides that for me. That is a bad position for a European company to be in.

Dominik Rapacki
Founder · meetergo, CrabClear
06 · What You Can Do Now
Three pragmatic steps. No complete migration.
Sovereignty is not a binary decision. It is a series of swap operations, ordered by risk and effort.
- 1. Audit your stack
  Run the Sovereignty Scan on your domain. In 60 seconds you will get a list of all detected tools with jurisdiction, sensitivity, and EU alternative.
- 2. Grab the quick wins
  Self-host Google Fonts, replace YouTube with a lazy embed behind consent, swap reCAPTCHA for FriendlyCaptcha: three hours of work, three fewer GDPR risks.
- 3. Migrate strategic tools
  Where personal data is processed — booking, CRM, forms, email — the switch to a -sovereign provider is especially worthwhile. meetergo replaces Calendly, Typeform, Cal.com & Co. without CLOUD Act exposure.
Further Reading
If you want to go deeper.
Methodology
How the Sovereignty Scan works
Which five signal sources we evaluate, how we determine jurisdiction, how vendor risks become a grade A–E.
Scoreboards
How sovereign is the German Mittelstand
Publicly ranked domains from government, DAX, and mid-market. No more guesswork, just hard numbers.
Ready to audit your own stack?
60 seconds. No sign-up. You get a grade from A to E with all detected tools and EU alternatives.
Go to Scan