Twelve questions across the four sovereignty pillars: residency, subprocessors, jurisdiction and key custody. The output is an honest score plus a remediation list — not a sales call.
12 questions · 5 minutes · no email required
Residency
Where is your primary application compute hosted?
The bulk of your application servers — not edge or CDN.
Residency
Where is your primary database hosted?
Including managed database services like RDS, Cloud SQL, Atlas.
Subprocessors
What CDN sits in front of your application?
Subprocessors
How does transactional and marketing email leave your application?
Subprocessors
Where is your error tracking sent?
Subprocessors
What analytics platform processes user behaviour?
Subprocessors
Where does customer support and live chat run?
Jurisdiction
Is the parent company of your primary cloud provider headquartered in the US?
Including EU subsidiaries of US groups — the parent matters for CLOUD Act exposure.
Jurisdiction
Have you completed a Schrems II Transfer Impact Assessment (TIA) for your data flows?
Key custody
Who holds the encryption keys for your data at rest?
Documentation
Does your DPA name every subprocessor with country and parent jurisdiction?
Documentation
Do you have a documented exit plan from your current cloud provider?
Required under DORA Article 28 for financial entities; good practice for everyone.
Your sovereignty score
Score: — / 100, on a scale from High exposure to Sovereign
Breakdown by sovereignty pillar
Top fixes, in priority order
Want a written remediation plan?
Drop your email and we will turn this score into a concrete migration plan with effort estimates per finding. No sales pitch — engineering review only.