Frequently Asked Questions

Star Stack helps developers and organizations find European alternatives to US cloud services. We provide sovereignty assessments, an interactive Stack Builder tool, and resources to support digital independence. Think of it as an audit tool for your tech stack's dependency on non-EU infrastructure.

Star Stack is an independent project focused on European digital sovereignty. We're not affiliated with any cloud provider or sponsored by government bodies. Our mission is to make information about EU alternatives accessible and actionable.

Several reasons: (1) Data sovereignty — keep your data under EU jurisdiction and GDPR protection; (2) Reduced legal risk — no exposure to the US CLOUD Act or FISA; (3) Geopolitical resilience — reduce dependency on services affected by sanctions or policy changes; (4) Compliance simplification — easier GDPR, NIS2, and DORA compliance; (5) Economic impact — support the European tech ecosystem.

Yes, completely free for everyone. We sustain the project through optional sponsorships from EU service providers who want increased visibility. Sponsorships never influence our sovereignty assessments — our methodology is transparent and consistently applied to all services.

No, this is a closed-source, public benefit project. While we believe in transparency, we've chosen to keep the codebase private to maintain focus on our core mission. Our methodology, data sources, and scoring criteria are fully documented and publicly available.

We use three sovereignty levels: 🟢 EU-Owned means the company is controlled by EU entities with headquarters in the EU/EFTA — this offers maximum legal protection. 🟠 EU-Hosted means data is stored in EU data centers, but the company may be subject to foreign jurisdiction (like the US CLOUD Act) — use with caution. 🔵 Self-Hostable means you can run it on your own EU infrastructure — sovereignty depends on where you deploy it.

A US company with EU data centers (EU-Hosted) is still subject to US laws. Under the CLOUD Act, US authorities can compel US-based companies to provide data stored anywhere in the world, even if that data is in the EU. This creates a fundamental conflict with GDPR. EU-Hosted is better than US-hosted, but it's not true sovereignty.

We use a 6-dimension weighted model: Jurisdictional (25%) evaluates legal exposure like CLOUD Act risk; Ownership (20%) assesses who controls the company; Governance (20%) examines decision-making structure and foundation backing; Portability (15%) measures exit options and lock-in; License (10%) evaluates software licensing and stability; Community (10%) assesses project health and sustainability. See our methodology page for the full breakdown.

Scores are grouped into tiers: Excellent (80-100) means fully EU-sovereign with minimal foreign dependency risks. Good (60-79) indicates strong EU orientation with manageable considerations. Moderate (40-59) means mixed sovereignty profile requiring careful evaluation. Poor (0-39) indicates significant sovereignty concerns and limited EU independence.

Open source doesn't automatically mean sovereign. A project controlled by a US company (like Next.js by Vercel) still creates dependency risk — they control the roadmap, features may favor their hosting, and license changes can happen. We assess governance structure, maintainer geography, funding sources, and license stability to help you understand the true risk.

We include all 27 EU member states plus EFTA countries (Switzerland, Norway, Iceland, Liechtenstein). These have strong data protection laws and no history of extraterritorial data demands. The UK is evaluated case-by-case due to post-Brexit legal changes. We explicitly exclude US, China, and Russia due to surveillance concerns and extraterritorial legal reach.

The Stack Builder is our interactive tool to audit your current tech stack. Add the US services you use, see EU alternatives with coverage levels, and build a migration plan. Your stack is saved locally in your browser, can be exported (JSON, Markdown, PDF), and shared via URL. No account required.

Paste a description of your tech stack (from a README, job posting, or just free text) and our AI will identify the services mentioned and add them to your Stack Builder. It recognizes common services like 'we use Firebase for auth and Vercel for hosting' and maps them automatically.

FULL coverage means the EU service can completely replace the foreign service with equivalent features. PARTIAL coverage means it handles core functionality but may lack some advanced features — we list what's missing. SUPPLEMENT means it should be used alongside another service to fill specific gaps (like adding EU serverless functions to a BaaS that lacks them).

Some services don't have good EU alternatives yet — we're honest about this. In these cases, we suggest: (1) Self-hosted open source options if they exist; (2) EU-Hosted as a partial improvement; (3) Combinations of services that together cover the functionality. We also track 'gaps' to help identify where the EU ecosystem needs investment.

Templates are pre-built, opinionated EU stacks for common use cases — like a Bootstrapper Stack for indie hackers or a Privacy-First Stack for maximum data control. They're starting points you can customize: load a template into the Stack Builder, then swap out services to match your needs.

Click the heart icon on any service to add it to your favorites. Without an account, favorites are stored in your browser. With an account (free, magic link login), favorites sync across devices and you can subscribe to update notifications for services you're interested in.

We use multiple sources: official company websites and documentation, business registries (company registration, ownership verification), GitHub repositories for open source metrics, press releases and funding announcements, and community reports. Each service shows when sovereignty was last verified and the source used.

GitHub statistics (stars, forks, activity) are refreshed automatically weekly. High-traffic services get quarterly reviews. Event-triggered updates happen for acquisitions, funding rounds, or license changes. Community reports are reviewed within 7 days. Every service shows its last verification date — check this for critical decisions.

Use the 'Report an issue' link on any service page, or contact us directly. We take accuracy seriously and aim to correct verified errors within 48 hours. If a company's ownership or jurisdiction has changed, please include a source (press release, registry link) to help us verify quickly.

For open source projects, we show activity status: Active (recent commits/issues in 90 days), Slow (no commits in 90 days but activity in 6 months), Stale (no activity in 6-12 months — warning), Abandoned (no activity in 12+ months or archived — strong warning). These help you assess project sustainability.

Use our submission form to suggest a new EU service. We review submissions to verify: EU/EEA headquarters or EFTA country, transparent ownership structure, genuine EU data residency options. We assess all services using the same methodology — no pay-to-play. Review typically takes 5-7 business days.

If you represent a listed service and need to update information, use the 'Report an issue' link on your service page or contact us directly. Include what needs updating and a source for verification. For substantial updates (new features, pricing changes), we may ask for documentation.

Sponsorship supports the project and provides visibility benefits (featured badge, homepage logo placement). We only accept sponsors that are EU-owned or truly open-source with EU-friendly governance. Sponsorship NEVER influences sovereignty scores or editorial content — our methodology is applied identically to all services. See our sponsors page for details.

Yes! We display company-provided discount codes on service pages to help developers trying EU alternatives. These are a goodwill gesture — we don't take any commission or affiliate fees. Contact us if you'd like to offer one.

The CLOUD Act (2018) allows US authorities to compel US-based companies to provide data stored anywhere in the world — even if that data is in the EU and subject to GDPR. This creates a fundamental legal conflict: US companies may be forced to choose between US law and EU law. Using EU-owned services eliminates this conflict entirely.

The Schrems II ruling (2020) invalidated the Privacy Shield framework for EU-US data transfers, finding that US surveillance laws conflict with EU privacy rights. While mechanisms like SCCs and the new Data Privacy Framework exist, they may face future legal challenges. Using EU-based services eliminates the need for these complex transfer mechanisms entirely.

NIS2 (Network and Information Security Directive) and DORA (Digital Operational Resilience Act) are EU regulations imposing strict requirements on critical infrastructure and financial services. They often require careful assessment of third-country dependencies. Many organizations find EU-based infrastructure simplifies compliance. We flag services as 'NIS2 suitable' or 'DORA suitable' where applicable.

No. Star Stack provides information to help you make informed decisions, but we are not lawyers and this is not legal, compliance, or professional advice. For decisions involving GDPR compliance, data residency requirements, or regulatory obligations, consult qualified legal professionals who understand your specific situation.

Yes, you can use Star Stack to inform your commercial decisions. However, always verify critical information directly with service providers before making commitments. Our assessments are based on publicly available information and may not reflect recent changes. Check verification dates and use our data as a starting point, not a final determination.