SEAL Assessment: Clouds of Europe
Clouds of Europe scores SEAL-2 (60%) — strong on data residency and operational independence (all infrastructure EU-based via Scaleway), but weakened by US-based OAuth providers and an unmirrored npm/container supply chain. This matters because the EU Cloud Sovereignty Framework is becoming a procurement gatekeeper, and organizations below the threshold risk exclusion from public sector tenders. Top improvements: EU image mirroring, an EU-native identity provider, and sustainability documentation.
By Jurg van Vliet
The EU Cloud Sovereignty Framework (published Oct 2025) grades across 8 Sovereignty Objectives (SOV-1 to SOV-8), each scored SEAL-0 to SEAL-4. Here's where this project lands:
Overall Score: SEAL-2 (Data Sovereignty)
EU law applies and data stays in the EU, but material non-EU dependencies remain.
SOV-1: Strategic Sovereignty (15%) — SEAL-3
| Factor | Status |
|---|---|
| Ownership | Private project, no non-EU investors |
| Governance | Self-hosted GitLab on EU infrastructure |
| License | EUPL-1.2 (specifically European) |
| Capital | No dependency on non-EU capital |
Strong. European license, EU-hosted source control, no foreign governance exposure.
SOV-2: Legal & Jurisdictional (10%) — SEAL-2
| Factor | Status |
|---|---|
| Infrastructure jurisdiction | French law (Scaleway) |
| OAuth providers | Google, GitHub, LinkedIn — all US, subject to CLOUD Act |
| CI/CD | Self-hosted GitLab (EU) |
The three OAuth providers create exposure to US jurisdiction. User tokens and profile data flow through US services. Email magic links are EU-only, but social login is the primary path.
SOV-3: Data & AI (10%) — SEAL-3
| Factor | Status |
|---|---|
| Database | PostgreSQL on Scaleway, fr-par region |
| Backups | Scaleway S3, fr-par, SOPS-encrypted |
| Data residency | All data in France |
| AI/ML | None used |
Data never leaves the EU. Encryption at rest (SOPS/AGE) and in transit (TLS). No AI/ML processing, so no data sovereignty concerns there.
SOV-4: Operational (15%) — SEAL-3
| Factor | Status |
|---|---|
| Infrastructure management | OpenTofu, Flux GitOps — all EU-hosted |
| Monitoring | HeyStaq Grafana (EU) |
| Support staff | EU-based |
| Autonomous operation | Can operate without non-EU dependencies |
Full operational control. GitOps model means no external operator access. Monitoring is EU-based. Could operate independently if needed.
SOV-5: Supply Chain (20%) — SEAL-1
| Factor | Status |
|---|---|
| Base container images | node:22-alpine from Docker Hub (US) |
| PostgreSQL image | ghcr.io/cloudnative-pg/postgresql (GitHub, US) |
| npm packages | 95%+ US-maintained |
| Hardware | Scaleway (French), but underlying chips are non-EU |
| Container registry | Scaleway (EU) for built images |
Weakest area. Every build pulls base images from US registries. The npm ecosystem is overwhelmingly US-based. This is an industry-wide problem — no European project can score high here without significant investment in mirroring infrastructure.
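The SOV-5 finding comes down to two checkable properties of every image the project builds on: which registry it resolves to, and whether it is pinned by digest rather than a mutable tag. The script below is an added example, not code from the Clouds of Europe project. It parses Dockerfile FROM lines and Kubernetes `image:`/`imageName:` fields, resolves each reference with the Docker naming rule (a bare `node:22-alpine` is `docker.io/library/node`), and reports what a CI gate would block. The EU registry hostnames, the `coe-mirror` namespace, the all-zero digest and the sample Dockerfiles and manifest are constructed assumptions for the example.

```python
"""Base-image policy gate for the SOV-5 supply-chain finding.

Added example, not code from the Clouds of Europe project. It parses the
FROM lines of a Dockerfile and the image:/imageName: fields of Kubernetes
manifests, then flags images pulled from non-EU registries or not pinned by
digest. Assumptions: the EU mirror lives at rg.fr-par.scw.cloud under a
namespace named coe-mirror; the digest and all sample inputs are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registries accepted as EU-hosted (assumption: Scaleway's Paris/Amsterdam endpoints).
EU_REGISTRIES = {"rg.fr-par.scw.cloud", "rg.nl-ams.scw.cloud"}
# US-hosted registries named in the assessment (Docker Hub resolves to docker.io).
US_REGISTRIES = {"docker.io", "ghcr.io"}
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real digest


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI reference using the Docker naming rule: the first path
    component is a registry only if it contains '.' or ':' or is 'localhost';
    otherwise the image comes from docker.io (library/ for official images)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry = "docker.io"
        path = ref if len(parts) > 1 else f"library/{ref}"
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):  # a ':' after the last '/' separates the tag
        path, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, path, tag, digest)


def find_from_images(dockerfile: str) -> List[str]:
    """Image references from FROM lines, skipping references to earlier build stages."""
    stages, images = set(), []
    for line in dockerfile.splitlines():
        m = re.match(r"\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image.lower() not in stages:
            images.append(image)
        if alias:
            stages.add(alias.lower())
    return images


def find_manifest_images(manifest: str) -> List[str]:
    """Image references from image: (Pods) and imageName: (CloudNativePG Cluster) fields."""
    return re.findall(r"^\s*image(?:Name)?:\s*['\"]?([^'\"\s]+)", manifest, re.M)


def audit_images(refs: List[str]) -> List[dict]:
    """One finding per image: which registry it resolves to and which policy it breaks."""
    findings = []
    for r in refs:
        img = parse_image_ref(r)
        issues = []
        if img.registry in US_REGISTRIES:
            issues.append("non-EU registry")
        elif img.registry not in EU_REGISTRIES:
            issues.append("unknown registry")
        if img.digest is None:
            issues.append("not digest-pinned")
        findings.append({"image": r, "registry": img.registry, "issues": issues})
    return findings


# Constructed samples: the current state (Docker Hub, tag only) and the mirrored target.
CURRENT_DOCKERFILE = """\
FROM node:22-alpine AS builder
WORKDIR /app
COPY . .
RUN npm ci && npm run build
FROM builder AS runtime
CMD ["npm", "start"]
"""
MIRRORED_DOCKERFILE = f"""\
FROM rg.fr-par.scw.cloud/coe-mirror/node:22-alpine@{PLACEHOLDER_DIGEST} AS builder
WORKDIR /app
FROM builder AS runtime
"""
CURRENT_MANIFEST = """\
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
spec:
  imageName: ghcr.io/cloudnative-pg/postgresql:16
"""

if __name__ == "__main__":
    for name, refs in [("current", find_from_images(CURRENT_DOCKERFILE)),
                       ("mirrored", find_from_images(MIRRORED_DOCKERFILE)),
                       ("cnpg", find_manifest_images(CURRENT_MANIFEST))]:
        for f in audit_images(refs):
            print(name, f["image"], f["issues"] or "ok")
```

Run against the current Dockerfile it reports `node:22-alpine` as both non-EU and unpinned; the mirrored variant passes because the reference is digest-pinned and resolves to the Scaleway registry. The digest pin matters independently of the mirror: without it, the mirror itself still trusts whatever the upstream tag pointed at when it was last synced.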
SOV-6: Technology (15%) — SEAL-3
| Factor | Status |
|---|---|
| Open source stack | 100% (Next.js, PostgreSQL, Kubernetes, Flux) |
| Vendor lock-in | None — standard K8s, portable across providers |
| Proprietary dependencies | Zero |
| Open APIs/protocols | HTTPS, SQL, SMTP — all open standards |
Excellent technology sovereignty. Entire stack is open source, runs on standard Kubernetes, and could be migrated to any EU cloud provider.
SOV-7: Security & Compliance (10%) — SEAL-3
| Factor | Status |
|---|---|
| GDPR | Privacy-by-design, no tracking, consent-based |
| Encryption | SOPS/AGE (at rest), TLS/Let's Encrypt (in transit) |
| Secrets management | SOPS-encrypted, Flux auto-decrypts |
| Network security | NetworkPolicies deployed |
| Rate limiting | Distributed via Memcached |
| Security scanning | TruffleHog, SOPS validation in CI |
Good compliance posture. Recent improvements (NetworkPolicies, rate limiting) strengthen this. Missing: container scanning (Trivy/Snyk) and SAST.
SOV-8: Environmental (5%) — SEAL-1
| Factor | Status |
|---|---|
| Green energy | No documentation |
| Scaleway DC-5 | Adiabatic cooling, PUE ~1.3 |
| Carbon reporting | None |
No explicit sustainability commitments or documentation. Scaleway's French DCs are relatively efficient, but this isn't documented or leveraged.
Weighted Score Breakdown
| SOV | Weight | Score | Weighted |
|---|---|---|---|
| SOV-1 Strategic | 15% | 3 | 0.45 |
| SOV-2 Legal | 10% | 2 | 0.20 |
| SOV-3 Data | 10% | 3 | 0.30 |
| SOV-4 Operational | 15% | 3 | 0.45 |
| SOV-5 Supply Chain | 20% | 1 | 0.20 |
| SOV-6 Technology | 15% | 3 | 0.45 |
| SOV-7 Security | 10% | 3 | 0.30 |
| SOV-8 Environmental | 5% | 1 | 0.05 |
| Total | 100% | | 2.40 / 4.00 (60%) |
Top 3 Improvements for SEAL-3
- Supply chain mirroring (SOV-5, 20% weight) — Mirror base images to Scaleway registry, add SBOM generation. Moves from SEAL-1 to SEAL-2.
- EU authentication (SOV-2, 10% weight) — Add Keycloak or EU-based IdP alongside existing OAuth. Moves from SEAL-2 to SEAL-3.
- Sustainability documentation (SOV-8, 5% weight) — Document Scaleway's energy efficiency, add to README. Low effort, moves from SEAL-1 to SEAL-2.
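To check the weighted total above and see what the three improvements actually buy, here is an added example (not part of the original assessment) that recomputes the score from the eight weights and per-objective SEAL scores in the breakdown table, projects the score after the Top 3 list, and ranks objectives by weighted headroom. It works in integer points (max 400) so the totals are exact. The page does not state the numeric cut-off for each overall SEAL level, so the code reports a 0-4 score and a percentage, not a level.

```python
"""Weighted SEAL score and improvement projection.

Added example, not part of the original assessment. Weights and current
scores are taken from the breakdown table; the improvement targets from the
Top 3 list. The framework's numeric cut-offs per SEAL level are not on the
page, so only the 0-4 score and percentage are reported."""
from typing import Dict, List, Tuple

# Weights in percent (sum to 100) and current per-objective SEAL scores (0-4), from the table.
WEIGHTS: Dict[str, int] = {"SOV-1": 15, "SOV-2": 10, "SOV-3": 10, "SOV-4": 15,
                           "SOV-5": 20, "SOV-6": 15, "SOV-7": 10, "SOV-8": 5}
CURRENT_SCORES: Dict[str, int] = {"SOV-1": 3, "SOV-2": 2, "SOV-3": 3, "SOV-4": 3,
                                  "SOV-5": 1, "SOV-6": 3, "SOV-7": 3, "SOV-8": 1}
# Target scores from the "Top 3 Improvements" list.
TOP3_IMPROVEMENTS: Dict[str, int] = {"SOV-5": 2, "SOV-2": 3, "SOV-8": 2}
MAX_LEVEL = 4


def weighted_points(scores: Dict[str, int]) -> int:
    """Sum of weight * score in integer points (max 400), avoiding float drift."""
    assert sum(WEIGHTS.values()) == 100, "weights must sum to 100%"
    assert set(scores) == set(WEIGHTS), "every objective needs a score"
    assert all(0 <= s <= MAX_LEVEL for s in scores.values()), "SEAL scores are 0-4"
    return sum(WEIGHTS[k] * scores[k] for k in WEIGHTS)


def seal_score(scores: Dict[str, int]) -> Tuple[float, float]:
    """(score out of 4.00, percentage of the maximum)."""
    pts = weighted_points(scores)
    return pts / 100, pts / 4  # 240 points -> 2.40 / 4.00 and 60.0%


def apply_improvements(scores: Dict[str, int], improvements: Dict[str, int]) -> Dict[str, int]:
    """Return a new score table with the given objectives raised to their targets (never lowered)."""
    new = dict(scores)
    for k, target in improvements.items():
        new[k] = max(new[k], target)
    return new


def biggest_levers(scores: Dict[str, int]) -> List[Tuple[str, float]]:
    """Objectives ranked by weighted headroom (weight * levels still available),
    i.e. where one level of improvement moves the overall score the most."""
    headroom = [(k, WEIGHTS[k] * (MAX_LEVEL - scores[k]) / 100) for k in WEIGHTS]
    return sorted(headroom, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    score, pct = seal_score(CURRENT_SCORES)
    print(f"current:     {score:.2f} / 4.00 ({pct:.2f}%)")
    projected = apply_improvements(CURRENT_SCORES, TOP3_IMPROVEMENTS)
    score, pct = seal_score(projected)
    print(f"after top 3: {score:.2f} / 4.00 ({pct:.2f}%)")
    for k, h in biggest_levers(CURRENT_SCORES)[:3]:
        print(f"{k}: {h:.2f} weighted points of headroom")
```

With the page's numbers the current total is 240 points (2.40, 60%) and the three improvements together reach 275 points (2.75, 68.75%). The headroom ranking also shows why SOV-5 leads the list: at 20% weight and SEAL-1 it has 0.60 weighted points available, three times any other objective, while SOV-8 at 5% is tied with several others and earns its place only because the work is cheap, as the list itself says.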
Sources: