Data Sovereignty Analysis

Scoring Methodology

Understanding how we assess website data sovereignty and calculate risk scores.

Jurisdiction Risk Levels

Each jurisdiction is assigned a risk score from 0.0 (safest) to 1.0 (highest risk) based on their data protection laws and surveillance capabilities.

Code Jurisdiction Risk Description
US United States 1.0 Subject to the CLOUD Act (2018), which allows US law enforcement to compel technology companies to provide data stored on servers regardless of physical location. Also subject to PATRIOT Act surveillance provisions.
CLOUD Act (2018), PATRIOT Act (2001), FISA Section 702
UK United Kingdom 0.7 Five Eyes intelligence alliance member with Investigatory Powers Act (2016) requiring broad surveillance capabilities and data retention.
Investigatory Powers Act (2016), Five Eyes Alliance
AU Australia 0.7 Five Eyes member with Assistance and Access Act (2018) requiring providers to help decrypt communications when technically possible.
Assistance and Access Act (2018), Five Eyes Alliance
CA Canada 0.7 Five Eyes intelligence alliance member. Subject to mutual legal assistance treaties and intelligence sharing agreements.
Five Eyes Alliance, PIPEDA
NZ New Zealand 0.7 Five Eyes intelligence alliance member with intelligence sharing obligations.
Five Eyes Alliance, TICS Act (2013)
CN China 1.0 Subject to strict data localization requirements and national security laws that can compel companies to share data with authorities.
Cybersecurity Law (2017), Data Security Law (2021), National Security Law
RU Russia 1.0 Data localization requirements mandate storage of Russian citizens' personal data within Russia. Authorities have broad access powers.
Data Localization Law (2015), Yarovaya Law (2016)
EU European Union 0.2 GDPR provides strong data protection rights including data portability, right to erasure, and restrictions on international transfers. Schrems II invalidated EU-US Privacy Shield.
GDPR (2018), ePrivacy Directive, Schrems II Ruling
CH Switzerland 0.1 Strong privacy protections with federal data protection laws. Not EU member but maintains GDPR-equivalent standards. Traditional banking secrecy culture extends to data protection.
Federal Act on Data Protection (FADP), Swiss-US Privacy Shield (suspended)
IS Iceland 0.2 EEA member with GDPR compliance and strong press freedom. Constitutional privacy protections and no Five Eyes membership.
GDPR (via EEA), Icelandic Data Protection Act
NO Norway 0.2 EEA member with GDPR compliance. Strong data protection authority.
GDPR (via EEA), Personal Data Act
OTHER Other Jurisdictions 0.5 Unknown or varied jurisdictions. Risk assessment cannot be determined precisely without specific country analysis.

Category Weights

Detected services are categorized by their function. Each category has a weight reflecting its importance to overall data sovereignty.

Category Weight Description
Infrastructure 30% Core hosting infrastructure including CDN, DNS, and hosting providers. These services have access to all traffic and can potentially intercept or monitor communications.
  • CDN providers (Cloudflare, AWS CloudFront, Fastly)
  • DNS providers (Route53, Google Cloud DNS)
  • Hosting providers (AWS, Azure, Google Cloud)
Analytics & Tracking 25% User behavior tracking and analytics services. These collect detailed data about user interactions, page views, and often unique identifiers.
  • Google Analytics, Google Tag Manager
  • Facebook Pixel, Meta tracking
  • Mixpanel, Amplitude, Segment
  • HubSpot, Marketo
Third-Party Services 20% External services integrated into the website that may collect user data. Includes chat widgets, payment processors, CAPTCHAs, and CRM integrations.
  • Live chat (Intercom, Zendesk, Drift)
  • Payments (Stripe, PayPal)
  • CAPTCHAs (reCAPTCHA, hCaptcha)
  • Error tracking (Sentry, Bugsnag)
Embedded Content 15% Third-party content embedded in pages, such as videos, maps, and social media widgets. These can track users even without direct interaction.
  • Video embeds (YouTube, Vimeo)
  • Maps (Google Maps)
  • Social embeds (Twitter, Instagram, Facebook)
Static Resources 10% External static assets like fonts and JavaScript libraries. Lower risk as they typically don't collect personal data, but can still leak referrer information.
  • Fonts (Google Fonts, Adobe Fonts)
  • JS CDNs (cdnjs, jsDelivr, unpkg)

Data Sensitivity Multipliers

Services that collect certain types of sensitive data receive penalty multipliers.

Data Type Multiplier Description
Behavioral Data 1.5× User behavior tracking including page views, clicks, scroll depth, session recordings, and interaction patterns. Highly sensitive as it reveals user intent and habits.
Personal Identifiers 1.3× Personally identifiable information such as user IDs, email addresses, device fingerprints, and IP-based location data.

Modifiers

Modifier Multiplier Description
First-Party Services 0.5× Services hosted on the same domain as the website. Reduces risk since data doesn't cross organizational boundaries, but jurisdiction risk still applies.

Grade Thresholds

The final score (0-100) is converted to a letter grade for quick assessment.

Grade Score Range Assessment
A 90-100 Excellent data sovereignty. Minimal exposure to high-risk jurisdictions with strong privacy protections.
B 80-89 Good data sovereignty. Limited exposure to surveillance jurisdictions with some privacy-conscious choices.
C 70-79 Moderate data sovereignty. Mixed infrastructure with some exposure to high-risk jurisdictions.
D 60-69 Poor data sovereignty. Significant reliance on surveillance-jurisdiction infrastructure.
E 50-59 Very poor data sovereignty. Heavy use of US-based tracking and infrastructure with substantial data exposure.
F 0-49 Critical data sovereignty issues. Extensive tracking, analytics, and infrastructure in high-risk jurisdictions.

Scoring Formula

The sovereignty score is calculated as follows: 1. Each detected service/provider incurs a base penalty based on: - Jurisdiction risk (0.0 to 1.0) - Category weight (infrastructure 30%, analytics 25%, etc.) 2. Base penalty = jurisdiction_risk × category_weight × 100 3. Penalties are modified by: - Data sensitivity multiplier (behavioral: 1.5×, identifiers: 1.3×) - First-party modifier (0.5× if on same domain) 4. Category penalties are capped at their maximum weight 5. Final score = 100 - total_penalties (minimum 0)

Example Calculation

Example: Google Analytics (US jurisdiction) in analytics category - Base: 1.0 (US risk) × 0.25 (analytics weight) × 100 = 25 points - With behavioral tracking: 25 × 1.5 = 37.5 points - Capped at category max: 25 points
Back to Analysis