Data Sovereignty Analysis

Jurisdiction Risk Levels

Each jurisdiction is assigned a risk score from 0.0 (safest) to 1.0 (highest risk) based on its data protection laws and surveillance capabilities.

Code Jurisdiction Risk Description
US United States 1.0 Subject to the CLOUD Act (2018), which allows US law enforcement to compel technology companies to provide data stored on servers regardless of physical location. Also subject to PATRIOT Act surveillance provisions.
CLOUD Act (2018), PATRIOT Act (2001), FISA Section 702
UK United Kingdom 0.7 Five Eyes intelligence alliance member with Investigatory Powers Act (2016) requiring broad surveillance capabilities and data retention.
Investigatory Powers Act (2016), Five Eyes Alliance
AU Australia 0.7 Five Eyes member with Assistance and Access Act (2018) requiring providers to help decrypt communications when technically possible.
Assistance and Access Act (2018), Five Eyes Alliance
CA Canada 0.7 Five Eyes intelligence alliance member. Subject to mutual legal assistance treaties and intelligence sharing agreements.
Five Eyes Alliance, PIPEDA
NZ New Zealand 0.7 Five Eyes intelligence alliance member with intelligence sharing obligations.
Five Eyes Alliance, TICS Act (2013)
CN China 1.0 Subject to strict data localization requirements and national security laws that can compel companies to share data with authorities.
Cybersecurity Law (2017), Data Security Law (2021), National Security Law
RU Russia 1.0 Data localization requirements mandate storage of Russian citizens' personal data within Russia. Authorities have broad access powers.
Data Localization Law (2015), Yarovaya Law (2016)
EU European Union 0.2 GDPR provides strong data protection rights including data portability, right to erasure, and restrictions on international transfers. Schrems II invalidated EU-US Privacy Shield.
GDPR (2018), ePrivacy Directive, Schrems II Ruling
CH Switzerland 0.1 Strong privacy protections with federal data protection laws. Not EU member but maintains GDPR-equivalent standards. Traditional banking secrecy culture extends to data protection.
Federal Act on Data Protection (FADP), Swiss-US Privacy Shield (suspended)
IS Iceland 0.2 EEA member with GDPR compliance and strong press freedom. Constitutional privacy protections and no Five Eyes membership.
GDPR (via EEA), Icelandic Data Protection Act
NO Norway 0.2 EEA member with GDPR compliance. Strong data protection authority.
GDPR (via EEA), Personal Data Act
OTHER Other Jurisdictions 0.5 Unknown or varied jurisdictions. Risk assessment cannot be determined precisely without specific country analysis.

Category Weights

Detected services are categorized by their function. Each category has a weight reflecting its importance to overall data sovereignty.

Category Weight Description
CDN 35% Content Delivery Network providers. CDNs terminate TLS and see all traffic in plaintext — request bodies, cookies, headers, and passwords. This is the highest-weighted category because CDN providers can intercept or monitor all communications regardless of user consent.
  • Cloudflare
  • AWS CloudFront
  • Fastly
  • Akamai
Hosting 30% Origin hosting providers identified via ASN lookup. The hosting provider stores and processes all application data, including databases and user accounts.
  • AWS EC2/ECS
  • Microsoft Azure
  • Google Cloud
  • Hetzner
DNS 10% DNS providers identified via NS records. DNS providers see every domain lookup and can redirect traffic. Lower weight because DNS sees only domain names, not content.
  • AWS Route53
  • Cloudflare DNS
  • Google Cloud DNS
Analytics & Tracking 10% User behavior tracking and analytics services. These collect detailed data about user interactions, page views, and often unique identifiers. Note: Many EU sites block trackers until consent is given, which may not be detected.
  • Google Analytics, Google Tag Manager
  • Facebook Pixel, Meta tracking
  • Mixpanel, Amplitude, Segment
  • HubSpot, Marketo
Third-Party Services 5% External services integrated into the website that may collect user data. Includes chat widgets, payment processors, CAPTCHAs, and CRM integrations.
  • Live chat (Intercom, Zendesk, Drift)
  • Payments (Stripe, PayPal)
  • CAPTCHAs (reCAPTCHA, hCaptcha)
  • Error tracking (Sentry, Bugsnag)
Embedded Content 5% Third-party content embedded in pages, such as videos, maps, and social media widgets. These can track users even without direct interaction.
  • Video embeds (YouTube, Vimeo)
  • Maps (Google Maps)
  • Social embeds (Twitter, Instagram, Facebook)
Static Resources 5% External static assets like fonts and JavaScript libraries. Lower risk as they typically don't collect personal data, but can still leak referrer information.
  • Fonts (Google Fonts, Adobe Fonts)
  • JS CDNs (cdnjs, jsDelivr, unpkg)

Data Sensitivity Multipliers

Services that collect certain types of sensitive data receive penalty multipliers.

Data Type Multiplier Description
Behavioral Data 1.5× User behavior tracking including page views, clicks, scroll depth, session recordings, and interaction patterns. Highly sensitive as it reveals user intent and habits.
Personal Identifiers 1.3× Personally identifiable information such as user IDs, email addresses, device fingerprints, and IP-based location data.

Modifiers

Modifier Multiplier Description
First-Party Services 0.5× Services hosted on the same domain as the website. Reduces risk since data doesn't cross organizational boundaries, but jurisdiction risk still applies.

Grade Thresholds

The final score (0-100) is converted to a letter grade for quick assessment.

Grade Score Range Assessment
A 90-100 Excellent data sovereignty. Minimal exposure to high-risk jurisdictions with strong privacy protections.
B 80-89 Good data sovereignty. Limited exposure to surveillance jurisdictions with some privacy-conscious choices.
C 70-79 Moderate data sovereignty. Mixed infrastructure with some exposure to high-risk jurisdictions.
D 60-69 Poor data sovereignty. Significant reliance on surveillance-jurisdiction infrastructure.
E 50-59 Very poor data sovereignty. Heavy use of US-based tracking and infrastructure with substantial data exposure.
F 0-49 Critical data sovereignty issues. Extensive tracking, analytics, and infrastructure in high-risk jurisdictions.

Scoring Formula

The sovereignty score is calculated as follows:

1. Each detected service/provider incurs a base penalty based on:
   - Jurisdiction risk (0.0 to 1.0)
   - Category weight (CDN 35%, hosting 30%, DNS 10%, analytics 10%, others 5% each)
2. Base penalty = jurisdiction_risk × category_weight × 100
3. Penalties are modified by:
   - Data sensitivity multiplier (behavioral: 1.5×, identifiers: 1.3×)
   - First-party modifier (0.5× if on same domain)
4. Category penalties are capped at their maximum weight
5. Final score = 100 - total_penalties (minimum 0)

CDN and hosting are weighted heavily because these providers see all traffic regardless of user consent choices for tracking.

Example Calculation

Example: Site with US Cloudflare CDN, Norwegian hosting, local DNS
- CDN: 1.0 (US risk) × 0.35 (CDN weight) × 100 = 35 points
- Hosting: 0.2 (NO risk) × 0.30 (hosting weight) × 100 = 6 points
- DNS: 0.2 (NO risk) × 0.10 (DNS weight) × 100 = 2 points
- Final score: 100 - 43 = 57 (grade E)

Compare: all US infrastructure
- CDN: 35 + Hosting: 30 + DNS: 10 = 75 points → score 25 (grade F)
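
The scoring formula and grade thresholds above, implemented as an added example (not the tool's own code). The risk, weight, multiplier and grade values are copied from this page; the function and key names are hypothetical, and two details the page leaves open are assumptions: penalties within a category are summed before the cap is applied, and multiple sensitivity multipliers are multiplied together.

```python
# Added example: values come from the tables on this page; names are hypothetical.
RISK = {"US": 1.0, "UK": 0.7, "AU": 0.7, "CA": 0.7, "NZ": 0.7, "CN": 1.0,
        "RU": 1.0, "EU": 0.2, "CH": 0.1, "IS": 0.2, "NO": 0.2, "OTHER": 0.5}
WEIGHT = {"cdn": 0.35, "hosting": 0.30, "dns": 0.10, "analytics": 0.10,
          "third_party": 0.05, "embedded": 0.05, "static": 0.05}
SENSITIVITY = {"behavioral": 1.5, "identifiers": 1.3}
FIRST_PARTY = 0.5
GRADES = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (50, "E"), (0, "F")]


def service_penalty(svc):
    """Steps 2-3: base penalty, then sensitivity and first-party modifiers."""
    # Unlisted jurisdictions fall back to the OTHER row (0.5).
    risk = RISK.get(svc["jurisdiction"], RISK["OTHER"])
    penalty = risk * WEIGHT[svc["category"]] * 100
    for data_type in svc.get("data", ()):
        penalty *= SENSITIVITY[data_type]  # assumption: multipliers stack
    if svc.get("first_party"):
        penalty *= FIRST_PARTY
    return penalty


def sovereignty_score(services):
    """Steps 4-5: cap each category at its weight, subtract from 100, grade."""
    per_category = {}
    for svc in services:
        cat = svc["category"]
        # Assumption: services in the same category add up before capping.
        per_category[cat] = per_category.get(cat, 0.0) + service_penalty(svc)
    total = sum(min(p, WEIGHT[c] * 100) for c, p in per_category.items())
    score = max(0.0, round(100 - total, 1))
    grade = next(letter for floor, letter in GRADES if score >= floor)
    return score, grade


# Constructed inputs: the two cases from "Example Calculation" above.
MIXED = [{"category": "cdn", "jurisdiction": "US"},
         {"category": "hosting", "jurisdiction": "NO"},
         {"category": "dns", "jurisdiction": "NO"}]
ALL_US = [{"category": c, "jurisdiction": "US"} for c in ("cdn", "hosting", "dns")]
# Constructed: adding a US behavioral tracker (10 x 1.5 = 15) hits the 10-point cap.
ALL_US_TRACKED = ALL_US + [{"category": "analytics", "jurisdiction": "US",
                            "data": ["behavioral"]}]

if __name__ == "__main__":
    for name, case in [("mixed", MIXED), ("all-US", ALL_US),
                       ("all-US + tracker", ALL_US_TRACKED)]:
        print(name, sovereignty_score(case))
```
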