Cloud Sovereignty for Research and Education
Research data, student records, and institutional workloads require more than "hosted in Europe." The EU Cloud Sovereignty Framework defines eight dimensions that determine whether a cloud provider is truly sovereign, from ownership and legal jurisdiction to supply chain transparency and open-source technology.
VSHN and Exoscale deliver cloud services through the GÉANT OCRE 2024 framework with a sovereignty profile that meets the highest standards defined by the EU.
Why sovereignty matters for research institutions
Most hyperscale cloud providers (AWS, Azure, Google Cloud) are US-headquartered and subject to the CLOUD Act, which allows US authorities to compel disclosure of data stored anywhere in the world, without notifying the data subject or the institution.
For research institutions handling sensitive data (clinical trials, genomics, student records, pre-publication research), this creates legal and ethical risks that "EU region" deployments do not solve. The CLOUD Act applies to the company, not the data center location.
VSHN and Exoscale are both Swiss companies. Swiss law governs all data processing, and neither company is subject to the CLOUD Act or equivalent foreign access laws.
Shortest GDPR compliance path
Switzerland holds an EU adequacy decision, which means transfers of personal data to Switzerland are treated like intra-EU transfers under GDPR. For institutions using Exoscale's Swiss or EU data centers, this eliminates the requirement for Standard Contractual Clauses (SCCs) or a Transfer Impact Assessment (TIA).
By contrast, institutions using AWS, Azure, or Google Cloud must complete a full TIA and implement SCCs because these providers are US-headquartered and subject to FISA Section 702. The GÉANT GDPR Transfer Guide for NRENs explicitly calls out this distinction: for EU/EEA-operated platforms from non-US companies, the compliance checklist reduces to verifying encryption in transit and at rest.
VSHN sovereignty self-assessment
We applied the EU's Cloud Sovereignty Framework (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's EUR 180M sovereign cloud tender in April 2026. Three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.
This is a self-assessment, not a formal SEAL certification. We publish it for transparency so institutions can evaluate our sovereignty profile using the same structured criteria the EU uses.
| # | Dimension | Weight | Assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law (GTC), no CLOUD Act, EU adequacy decision |
| SOV-3 | Data & AI | 10% | Strong | Data centers in CH/DE/AT/HR/BG with guaranteed data location. Sovereign key management via Managed OpenBao + Swiss HSM |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops, Swiss-only support option. All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic: customer chooses provider. Open-source software throughout |
| SOV-6 | Technology | 15% | Strong | 100% open source. VSHN contributes to K8up (CNCF), Crossplane providers, Project Syn |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II, Swiss SOC. FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Strong | 90% renewable energy across Exoscale zones (100% in CH/DE/AT). Equinix + A1 Group targeting carbon neutrality by 2030. Exoscale sustainability. VSHN CSR policy |
Overall: SEAL-3 equivalent, the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4: it requires fully EU/EEA-sourced hardware supply chains and open-source foundations, structural gaps shared by every cloud provider.
Exoscale: European cloud infrastructure
Exoscale is Swiss-headquartered (part of A1 Telekom Austria Group) and operates data centers in seven European cities across Equinix and A1 Group facilities:
| Zone | City | Facility | Renewable energy |
|---|---|---|---|
| CH-DK-2 | Zürich | Equinix | 100% (Swiss hydro) |
| CH-GVA-2 | Geneva | Equinix | 100% (Swiss hydro) |
| DE-FRA-1 | Frankfurt | Equinix | 100% |
| DE-MUC-1 | Munich | — | 100% |
| AT-VIE-1 | Vienna | Arsenal | 100% |
| AT-VIE-2 | Vienna | A1 Next Generation DC | 100% |
| HR-ZAG-1 | Zagreb | A1 Hrvatska DC | 91% |
| BG-SOF-1 | Sofia | — | 75% |
90% of Exoscale's electricity comes from renewable sources across all zones. Both Equinix and A1 Group target carbon neutrality by 2030. Sustainability carries 10% weight (AC8) in the GÉANT evaluation scoring, where Exoscale's renewable energy profile scored competitively. See Exoscale sustainability for details and green energy certificates.
Key sovereignty features:
- Guaranteed data location: you choose which data center zone your workloads run in
- No US parent company: A1 Telekom Austria Group is European-owned
- ISO 27001, ISO 27018, BSI C5, and SOC 2 certified, ISAE 3402 audit reports available
- GDPR-compliant DPA provided free of charge
- Free traffic to GÉANT and connected NRENs, no egress charges for academic networking
Sovereignty compared: hyperscalers vs. VSHN + Exoscale
| Dimension | AWS / Azure / Google Cloud | VSHN + Exoscale |
|---|---|---|
| Headquarters | USA | Switzerland |
| Governing law | US law (CLOUD Act applies) | Swiss law (no CLOUD Act) |
| GDPR compliance | Requires SCCs + Transfer Impact Assessment | No SCCs needed (Swiss adequacy decision) |
| Data location | Configurable, but company subject to US jurisdiction | European-only, guaranteed data location |
| Ownership | US publicly traded | Swiss AG + Austrian group |
| Data egress to GÉANT | Standard egress charges apply | 100% waived |
| Open source | Proprietary platforms | Open-source operations stack |
| OCRE framework | Available through OCRE | Available through OCRE |
Request a sovereignty assessment
Concerned about data sovereignty for your research workloads? We can assess your current cloud setup against the EU framework and propose a migration path to sovereign European infrastructure.