Skip to main content
starstack

Eligible Countries

Understanding which countries qualify for Star Stack listings and how we assess sovereignty.

Our Criteria

For a service to be listed as an "EU service" on Star Stack, it must meet one of these criteria:

  1. EU-Owned: Headquartered and majority-owned in an EU/EEA/EFTA country
  2. EU-Hosted: A service that stores and processes data exclusively within EU/EEA/EFTA data centers
  3. Self-Hostable: Open source software that can be deployed on your own EU infrastructure

We also list services from adequacy decision countries, but these are clearly marked and scored differently in our sovereignty assessment.

European Union (EU)

Full EU member states. Services headquartered here are subject to EU data protection law.

AustriaBelgiumBulgariaCroatiaCyprusCzech RepublicDenmarkEstoniaFinlandFranceGermanyGreeceHungaryIrelandItalyLatviaLithuaniaLuxembourgMaltaNetherlandsPolandPortugalRomaniaSlovakiaSloveniaSpainSweden

European Economic Area (EEA)

EEA countries have adopted EU data protection law. Services here are treated equivalently to EU services.

IcelandLiechtensteinNorway

European Free Trade Association (EFTA)

EFTA member with strong data protection framework aligned with EU standards.

Switzerland

Adequacy Decision Countries

Countries that have received an EU adequacy decision, allowing free data transfers. Listed separately as they are not EU/EEA/EFTA jurisdictions.

AndorraArgentinaCanada (commercial organizations)Faroe IslandsGuernseyIsle of ManIsraelJapanJerseyNew ZealandSouth KoreaUnited KingdomUruguay

Note: While adequacy decision countries have approved data transfer frameworks, services from these countries are not considered 'EU services' for our sovereignty scoring.

Why These Countries?

EU Member States

The 27 EU member states share a common legal framework for data protection (GDPR), a single digital market, and mutual recognition of court decisions. Services based in any EU country can serve the entire EU market under the same rules.

EEA Countries (Iceland, Liechtenstein, Norway)

The European Economic Area extends the EU internal market to these three EFTA countries. They have adopted GDPR and are treated as equivalent to EU countries for data protection purposes.

Switzerland

While not an EEA member, Switzerland has a bilateral agreement with the EU and maintains data protection standards recognized as adequate by the EU. Switzerland has a strong tradition of privacy protection and neutrality.

What About the UK?

Following Brexit, the UK received an EU adequacy decision in 2021, allowing data transfers. However, UK services are not considered "EU services" as the UK is no longer part of the EU single market or subject to EU regulations.

UK services may be listed with appropriate sovereignty scoring that reflects their non-EU status.

Sovereignty Scoring

Our sovereignty scoring system evaluates services across six dimensions. Country of headquarters is a key factor, but we also consider:

  • Ownership structure and parent companies
  • Data center locations
  • Corporate governance
  • License terms (for open source)
  • Community governance (for open source)

A service headquartered in the EU but owned by a non-EU parent company will have a different sovereignty score than a fully EU-owned company.

Jurisdiction Profiles

We maintain detailed profiles for 31 EU/EEA/EFTA jurisdictions, including democracy indices, rule of law scores, and surveillance exposure flags.

These profiles are used in our sovereignty scoring algorithm to provide nuanced assessments beyond simple country-of-origin checks.