How we score
The compliance score, ownership signal and CLOUD Act exposure flag: what each value means and how we assign it.
Last updated 2026-05-18
Every listing on EU Vetted carries three independent editorial signals: a compliance score, a CLOUD Act exposure flag, and an ownership signal. They answer different buyer questions, and a reader should not collapse them into a single number. This page explains each value and how we assign it.
Compliance score (1–5)
An editorial reading of how compliance- and privacy-ready a vendor is, based on the four sources listed in Editorial guidelines → How we verify: published DPA, sub-processors list, hosting region declaration, corporate ownership record.
| Score | Meaning |
|---|---|
| 5 / 5 | EU-incorporated, no customer data at rest on US-owned cloud, DPA and sub-processors public, SCCs in place for any non-EU transfer, no CLOUD Act exposure on customer product data. Ancillary US sub-processors (system email, error tracking, billing) that do not touch customer product data do not block a 5/5. |
| 4 / 5 | EU-incorporated and EU-hosted, but uses Cloudflare or one or two US sub-processors with SCCs; minor CLOUD Act exposure noted. |
| 3 / 5 | EU-incorporated, EU primary hosting, but ≥3 US sub-processors OR meaningful CLOUD Act exposure OR no publicly accessible DPA (see DPA accessibility below). |
| 2 / 5 | EU office but a US parent or mostly US infrastructure. Significant CLOUD Act exposure. Listed only when no better option exists in the category. |
| 1 / 5 | Not really European; flagged as "questionable EU claim". Listed only as a warning. |
The score is editorial, not certified. It reflects the editor's reading at a stated point in time, against public disclosures only. The "Last verified" date on each listing is the date of that reading. We re-verify at least quarterly.
DPA accessibility. A publicly accessible DPA, one a prospective buyer can read without logging in or contacting sales, is required for a 5/5. If a DPA exists but is reachable only inside a customer account, the score caps at 4/5; if it is available only on request, or not published at all, it caps at 3/5. This criterion does not apply to self-hosted or local software, where the vendor never processes customer data, nor to vendors that are genuinely not data processors, nor to products holding a SecNumCloud, EUCS or BSI C5 certification, since that independent audit already covers processor governance. Those listings are scored on the remaining criteria.
CLOUD Act exposure flag
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) gives US authorities the legal mechanism to compel US-incorporated companies to produce data they control, regardless of where the data is physically located. The Schrems II ruling (CJEU, 2020) and the Microsoft Ireland v US precedent make clear that data-centre region is not sufficient to protect against this if the operating company is US-controlled.
The flag is independent of the compliance score because a buyer in a regulated sector (defence, public health data, certain financial services) may treat CLOUD Act exposure as a hard veto regardless of the rest of the posture.
| Flag | Definition |
|---|---|
| none | EU-incorporated operator, no US parent company, no US sub-processors of consequence. |
| minor | One transient US sub-processor (Cloudflare for DDoS, Mapbox for maps, error tracking) but customer data at rest is EU-only. |
| material | US parent company, OR at least one core sub-processor handling customer data at rest is a US-owned hyperscaler (AWS EU-region, Google Cloud, Azure, Stripe US, Twilio US, etc.). EU region of a US-owned cloud does not change the flag — the parent jurisdiction does. |
| direct | The operating SaaS is itself US-incorporated. Subject to US extraterritorial demands by default. |
Ownership signal
Where ultimate control over the operating company sits. Distinct from the compliance score, which is about how the vendor processes data rather than who owns the company.
| Signal | Definition |
|---|---|
| eu-owned | EU-incorporated, EU-controlled, no significant US ownership in the cap table. |
| eu-hq-us-funded | EU-headquartered but US VC- or US PE-controlled. Cap-table evidence cited in the verification notes. |
| us-owned | US-headquartered or US parent. Listed only when it is genuinely the leading option in a category and the alternative options are weak. |
| other | Swiss, post-Brexit UK, Israeli, Norwegian, or other non-EU European jurisdiction. The specific country is noted in the listing. |
Compliance framework references
When a vendor publicly attests to one of the following frameworks, we surface it on the listing. We do not manufacture certifications: if the vendor does not publicly claim a certificate, we do not list it.
- EUCS — European Cybersecurity Certification Scheme for Cloud Services (ENISA)
- C5 — Cloud Computing Compliance Criteria Catalogue (BSI Germany)
- SecNumCloud — French national cloud-services qualification (ANSSI)
- ISO/IEC 27001, 27017, 27018 — information-security management, cloud-security controls, cloud-PII protection
- SOC 2 — US framework; surfaced for completeness but it does not, on its own, satisfy any EU-specific requirement
For multi-tier vendors (where, for example, SecNumCloud applies only to the Bare Metal product and not to Public Cloud), we note which product tier the certificate covers. A flat "ISO 27001" claim without a per-tier breakdown is shown without amplification.
What this is not
None of the three signals is a substitute for the vendor's own compliance evidence. Before contracting, a buyer should obtain the DPA, the current sub-processors list, and the relevant certificates directly from the vendor, and confirm they match the public state on the listing's "Last verified" date.