Scoring Methodology
Our transparent methodology for assessing digital sovereignty. Learn how we evaluate EU services across six dimensions to calculate sovereignty scores.
Overview
Star Stack uses a 6-dimension weighted scoring system to assess the sovereignty of EU services. Each dimension evaluates a different aspect of independence from foreign control, data access risks, and long-term sustainability. The final score is a weighted average of all dimensions, scaled to 0-100.
The Six Dimensions
Jurisdictional
Weight: 25%. Evaluates legal jurisdiction exposure, including headquarters location, parent company jurisdiction, and potential foreign data access laws.
Key factors:
- HQ location (EU/EFTA vs others)
- Parent company jurisdiction
- Five Eyes membership exposure
- US CLOUD Act exposure
- Extraterritorial risk assessment
Ownership
Weight: 20%. Assesses ownership structure, funding sources, and acquisition risk that could affect independence and data sovereignty.
Key factors:
- Ownership type (bootstrapped, VC-funded, public)
- Funding stage and investor geography
- Non-EU ownership percentage
- Acquisition risk level
- Control mechanisms
Governance
Weight: 20%. Examines decision-making structure, foundation backing, and community governance to assess long-term independence.
Key factors:
- Governance type (foundation, community, single company)
- Foundation backing (Apache, CNCF, etc.)
- Single entity control percentage
- Documented governance processes
- Community decision-making
Portability
Weight: 15%. Measures the ability to migrate away from the service, including self-hosting options, data export, and vendor lock-in factors.
Key factors:
- Self-hosting availability
- Self-host feature parity
- Self-host complexity
- Standard API support
- Data export formats
- Proprietary lock-in factors
License
Weight: 10%. Evaluates software licensing, license stability, and protection from restrictive license changes.
Key factors:
- License type (permissive, copyleft, proprietary)
- License stability history
- Foundation protection
- License change count
- Open source commitment
Community
Weight: 10%. Assesses project health, contributor diversity, and community engagement as indicators of long-term sustainability.
Key factors:
- Bus factor (key contributor dependency)
- Organizational diversity
- Release frequency
- Project health status
- Issue response time
Why These Weights?
Our weighting reflects the relative impact each dimension has on practical sovereignty risk:
- Jurisdictional (25%) — Highest weight because legal jurisdiction creates immediate, enforceable risks. Laws like the US CLOUD Act can compel data disclosure regardless of where data is stored.
- Ownership (20%) — Who owns a company determines its ultimate direction. VC funding from non-EU investors or acquisition by foreign entities can shift sovereignty overnight.
- Governance (20%) — Foundation-backed projects with diverse governance resist single-entity control. This provides resilience against hostile changes.
- Portability (15%) — Your exit options matter. Strong portability means you can migrate if sovereignty changes, reducing long-term lock-in risk.
- License (10%) — Important for open source projects, but less critical for SaaS. License changes (like the recent MongoDB and Redis shifts) can affect self-hosting rights.
- Community (10%) — A health indicator rather than a direct sovereignty factor. Diverse, active communities signal project sustainability.
How We Calculate Scores
The Formula
Each dimension is scored from 0-100, then the six scores are combined using a weighted average:
Final Score = (Jurisdictional × 0.25) + (Ownership × 0.20) + (Governance × 0.20) + (Portability × 0.15) + (License × 0.10) + (Community × 0.10)
Worked Example: Hypothetical EU SaaS
Consider a German-headquartered, bootstrapped SaaS company with open source components:
| Dimension | Score | Weight | Weighted | Reasoning |
|---|---|---|---|---|
| Jurisdictional | 90 | × 0.25 | = 22.5 | EU HQ, no foreign parent, GDPR-only jurisdiction |
| Ownership | 85 | × 0.20 | = 17.0 | Bootstrapped, founders retain control |
| Governance | 70 | × 0.20 | = 14.0 | Single company, but transparent roadmap |
| Portability | 75 | × 0.15 | = 11.25 | Self-hosting available, standard APIs, good export |
| License | 80 | × 0.10 | = 8.0 | AGPL core, stable license history |
| Community | 65 | × 0.10 | = 6.5 | Growing community, moderate contributor diversity |
| Total | | | = 79.25 | Good tier |
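The formula and the worked example above, carried through in code. This is an added example, not Star Stack's own tooling: it reproduces the table's weighted column and total, reports which dimension costs the most points, and re-runs the formula for an event-triggered update (the acquisition scenario and its revised dimension scores are constructed for illustration, not taken from the page).

```python
from typing import Dict

# Dimension weights as published on this page; they must sum to 1.0.
WEIGHTS: Dict[str, float] = {
    "jurisdictional": 0.25,
    "ownership": 0.20,
    "governance": 0.20,
    "portability": 0.15,
    "license": 0.10,
    "community": 0.10,
}

# The page's worked example: German-headquartered, bootstrapped SaaS with open source parts.
EXAMPLE_SAAS: Dict[str, float] = {
    "jurisdictional": 90, "ownership": 85, "governance": 70,
    "portability": 75, "license": 80, "community": 65,
}

# Constructed scenario (not from the page): the same company is acquired by a non-EU
# parent, so the jurisdictional and ownership dimensions are re-assessed and drop sharply.
ACQUISITION_SCENARIO: Dict[str, float] = {"jurisdictional": 40, "ownership": 30}


def weighted_points(scores: Dict[str, float]) -> Dict[str, float]:
    """Per-dimension contribution (score x weight), i.e. the table's 'Weighted' column."""
    if abs(sum(WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    if set(scores) != set(WEIGHTS):
        raise ValueError(f"expected dimensions {sorted(WEIGHTS)}, got {sorted(scores)}")
    for name, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} score {value} is outside the 0-100 range")
    return {name: round(value * WEIGHTS[name], 2) for name, value in scores.items()}


def final_score(scores: Dict[str, float]) -> float:
    """Weighted average of the six dimensions, on the page's 0-100 scale."""
    return round(sum(weighted_points(scores).values()), 2)


def largest_drag(scores: Dict[str, float]) -> str:
    """Dimension that costs the most weighted points relative to a perfect 100."""
    return max(WEIGHTS, key=lambda name: (100 - scores[name]) * WEIGHTS[name])


def rescore_after_event(scores: Dict[str, float], changed: Dict[str, float]) -> float:
    """Event-triggered update: re-run the formula with only the affected dimensions changed."""
    return final_score({**scores, **changed})
```

For the worked example this returns 79.25, matching the table; in the constructed acquisition scenario the same formula drops the company to 55.75 even though governance, portability, license and community are unchanged.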
Score Tiers
- Fully EU-sovereign with minimal foreign dependency risks
- Strong EU orientation with manageable considerations
- Mixed sovereignty profile, requires careful evaluation
- Significant sovereignty concerns, limited EU independence
How We Assess Services
Initial Assessment
- Research company registration and ownership structure
- Review legal pages, terms of service, privacy policy
- Analyze GitHub/GitLab repository metrics (if applicable)
- Check funding history and investor geography
- Evaluate self-hosting options and data portability
Ongoing Updates
- Quarterly reviews for high-traffic services
- Event-triggered updates for acquisitions, funding rounds, license changes
- Community reports reviewed within 7 days
- Vendor responses incorporated when provided
Comparison to Other Frameworks
| Framework | Focus | Scope | Our Relation |
|---|---|---|---|
| Star Stack | Practical sovereignty for developers | All EU services | — |
| Gaia-X | Federated data infrastructure | Enterprise cloud | We incorporate Gaia-X compliance as a governance factor |
| EUCS | Security certification | Cloud services | EUCS certification improves governance scores |
| CISPE | Code of conduct for IaaS | Infrastructure | CISPE membership noted in portability assessment |
Our methodology complements rather than replaces these frameworks. We focus on practical decision-making for developers and small teams who need actionable sovereignty guidance without enterprise certification overhead.
Data Sources
Our assessments are based on publicly available information from:
- Official company sources: Websites, documentation, legal pages, press releases
- GitHub repositories: Stars, contributors, commit activity, release frequency
- Business registries: Company registration, ownership structures
- News and press: Funding announcements, acquisition news, policy changes
References & Further Reading
Legal Framework
- Schrems II Ruling (2020) — CJEU invalidated Privacy Shield, establishing that US surveillance laws conflict with EU data protection. Case C-311/18
- US CLOUD Act (2018) — Allows US government to compel US-based providers to disclose data regardless of storage location. H.R.4943
- GDPR (2016/679) — EU regulation on data protection and privacy, basis for data residency requirements. EUR-Lex
- EU Data Act (2023) — Regulation on fair access to and use of data, including cloud switching provisions. EUR-Lex
- European Parliament Report A10-0107/2025 (2025) — Report on Europe's technological sovereignty documenting 80%+ dependency on foreign digital services, 69% US cloud dominance, and calling for sovereign cloud solutions. europarl.europa.eu
Industry Standards & Initiatives
- Gaia-X — European initiative for federated data infrastructure and digital sovereignty. gaia-x.eu
- EUCS — EU Cybersecurity Certification Scheme for Cloud Services under the Cybersecurity Act. ENISA
- CISPE Code of Conduct — GDPR code of conduct for cloud infrastructure service providers. cispe.cloud
Academic Research That Inspired Our Approach
- Pohle, J. & Thiel, T. (2020). "Digital Sovereignty" — Foundational paper defining digital sovereignty dimensions and policy implications. Internet Policy Review
- Opara-Martins, J. et al. (2016). "Critical analysis of vendor lock-in" — Framework for assessing cloud portability risks that informed our portability dimension. Journal of Network and Computer Applications
- Eghbal, N. (2020). "Working in Public: The Making and Maintenance of Open Source Software" — Research on open source sustainability that shaped our community health metrics. Stripe Press
- Floridi, L. (2020). "The Fight for Digital Sovereignty" — Philosophy of information perspective on data governance and jurisdictional control. Philosophy & Technology
- O'Mahony, S. (2007). "The governance of open source initiatives" — Seminal research on open source governance models that informed our governance dimension. Research Policy
- Coyle, D. et al. (2020). "The Value of Data" — Bennett Institute research on data economics and ownership structures. Bennett Institute
Technical Reports & Standards Bodies
- ENISA Cloud Security Reports — Technical guidance on cloud security and risk assessment. ENISA
- European Commission Digital Decade Policy — Policy framework on strategic autonomy in digital technologies. EC Digital Strategy
- CHAOSS Project Metrics — Open source community health metrics that inform our community dimension. chaoss.community
- Linux Foundation "Bus Factor" Research — Analysis of contributor concentration risk in open source projects. Linux Foundation
Methodology Changelog
Initial methodology release with 6-dimension weighted scoring system.
Future updates will be documented here. Subscribe to our newsletter for methodology change notifications.
Limitations & Disclaimer
Our sovereignty scores are assessments based on publicly available information and should be considered as guidance, not definitive judgments.
We cannot guarantee:
- Complete accuracy of all data points
- Real-time updates to ownership or policy changes
- Legal compliance advice for your specific use case
- Protection from future changes in company direction
We encourage users to verify critical information independently and consult legal professionals for compliance matters.
Feedback on Methodology
Have suggestions to improve our scoring methodology? We're always looking to refine our approach.