Scoring Methodology
Our transparent methodology for assessing digital sovereignty. Learn how we evaluate EU services across six dimensions to calculate sovereignty scores.
Overview
Star Stack uses a 6-dimension weighted scoring system to assess the sovereignty of EU services. Each dimension evaluates a different aspect of independence from foreign control, data access risks, and long-term sustainability. The final score is a weighted average of all dimensions, scaled to 0-100.
The Six Dimensions
Jurisdictional (25%)
Evaluates legal jurisdiction exposure, including company jurisdiction, parent company jurisdiction, and potential foreign data access laws.
Key factors:
- HQ location (EU/EFTA vs others)
- Parent company jurisdiction
- Five Eyes membership exposure
- US CLOUD Act exposure
- Extraterritorial risk assessment
Ownership (20%)
Assesses ownership structure, funding sources, and acquisition risk that could affect independence and data sovereignty.
Key factors:
- Ownership type (bootstrapped, VC-funded, public)
- Funding stage and investor geography
- Non-EU ownership percentage
- Acquisition risk level
- Control mechanisms
Governance (20%)
Examines decision-making structure, foundation backing, and community governance to assess long-term independence.
Key factors:
- Governance type (foundation, community, BDFL, single company)
- Foundation backing (Apache, CNCF, etc.)
- Single entity control percentage
- Documented governance processes
- Community decision-making
Portability (15%)
Measures the ability to migrate away from the service, including self-hosting options, data export, and vendor lock-in factors.
Key factors:
- Self-hosting availability
- Self-host feature parity
- Self-host complexity
- Standard API support
- Data export formats
- Proprietary lock-in factors
License (10%)
Evaluates software licensing, license stability, and protection from restrictive license changes.
Key factors:
- License type (permissive, copyleft, proprietary)
- License stability history
- Foundation protection
- License change count
- Open source commitment
Community (10%)
Assesses project health, contributor diversity, and community engagement as indicators of long-term sustainability.
Key factors:
- Bus factor (key contributor dependency)
- Organizational diversity
- Release frequency
- Project health status
- Issue response time
Why These Weights?
Our weighting reflects the relative impact each dimension has on practical sovereignty risk:
- Jurisdictional (25%) — Highest weight because legal jurisdiction creates immediate, enforceable risks. Laws like the US CLOUD Act can compel data disclosure regardless of where data is stored.
- Ownership (20%) — Who owns a company determines its ultimate direction. VC funding from non-EU investors or acquisition by foreign entities can shift sovereignty overnight.
- Governance (20%) — Foundation-backed projects with diverse governance resist single-entity control. This provides resilience against hostile changes.
- Portability (15%) — Your exit options matter. Strong portability means you can migrate if sovereignty changes, reducing long-term lock-in risk.
- License (10%) — Important for open source projects, but less critical for SaaS. License changes (like the recent MongoDB and Redis shifts) can affect self-hosting rights.
- Community (10%) — A health indicator rather than a direct sovereignty factor. Diverse, active communities signal project sustainability.
How We Calculate Scores
The Formula
Each dimension is scored from 0-100, then combined using a weighted average:
Final Score = (Jurisdictional × 0.25) + (Ownership × 0.20) + (Governance × 0.20) + (Portability × 0.15) + (License × 0.10) + (Community × 0.10)
Worked Example: Hypothetical EU SaaS
Consider a bootstrapped SaaS company under German jurisdiction with open source components:
| Dimension | Score | Weight | Weighted | Reasoning |
|---|---|---|---|---|
| Jurisdictional | 90 | × 0.25 | = 22.5 | EU HQ, no foreign parent, GDPR-only jurisdiction |
| Ownership | 85 | × 0.20 | = 17.0 | Bootstrapped, founders retain control |
| Governance | 70 | × 0.20 | = 14.0 | Single company, but transparent roadmap |
| Portability | 75 | × 0.15 | = 11.25 | Self-hosting available, standard APIs, good export |
| License | 80 | × 0.10 | = 8.0 | AGPL core, stable license history |
| Community | 65 | × 0.10 | = 6.5 | Growing community, moderate contributor diversity |
| Total | | | = 79.25 | Good tier |
Score Tiers
- Fully EU-sovereign with minimal foreign dependency risks
- Strong EU orientation with manageable considerations
- Mixed sovereignty profile, requires careful evaluation
- Significant sovereignty concerns, limited EU independence
How We Assess Services
Initial Assessment
- Research company registration and ownership structure
- Review legal pages, terms of service, privacy policy
- Analyze GitHub/GitLab repository metrics (if applicable)
- Check funding history and investor geography
- Evaluate self-hosting options and data portability
Ongoing Updates
- Quarterly reviews for high-traffic services
- Event-triggered updates for acquisitions, funding rounds, license changes
- Community reports reviewed within 7 days
- Vendor responses incorporated when provided
How We Handle Missing Data
Principle: Pessimistic Defaults
When data for a scoring field is missing or unverified, we apply worst-case assumptions rather than neutral defaults. This means under-researched services receive lower scores until their data is verified, preventing inflated scores for services we know little about.
This approach rewards services with transparent, well-documented profiles and incentivizes data contributions from both the community and project owners.
We recognize that this can temporarily lead to scores that are sometimes unfairly low compared to what a service actually delivers. We deliberately accept this tradeoff: the alternative would be giving the benefit of the doubt to services we haven't been able to verify, which risks presenting poorly-documented or genuinely problematic services as safer than they are.
We are currently in our launch phase, actively working to expand and solidify our data. As coverage improves, scores will become more accurate and these gaps will narrow. If you believe a score is inaccurate, we welcome corrections and evidence from both users and service operators.
What Gets Penalized
| Missing Field | Assumed As | Impact |
|---|---|---|
| Funding stage | Late-stage VC (Series C+) | -10 pts (Ownership) |
| Acquisition risk | High | -15 pts (Ownership) |
| Governance type | Single company | -10 pts (Governance) |
| Entity control | >80% single entity | -20 pts (Governance) |
| License type | Proprietary | -20 pts (License) |
| License stability | At risk | -20 pts (License) |
| Bus factor | 1 (single maintainer) | -10 pts (Community) |
| Release frequency | Stale | -15 pts (Community) |
| Project health | Stale | -10 pts (Community) |
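To make the weighted formula and the pessimistic-default penalties concrete, here is an added example in Python. It is not Star Stack's own code: the weights, the penalty table and the worked-example dimension scores are taken from this page, while the field names and the assumption that a penalty is subtracted from the dimension's 0-100 score (clamped at 0) are this example's own.

```python
WEIGHTS = {
    "jurisdictional": 0.25, "ownership": 0.20, "governance": 0.20,
    "portability": 0.15, "license": 0.10, "community": 0.10,
}

# Missing field -> (dimension it belongs to, penalty in points), from the
# "What Gets Penalized" table above. Field names are this example's own.
PESSIMISTIC_PENALTIES = {
    "funding_stage": ("ownership", 10),
    "acquisition_risk": ("ownership", 15),
    "governance_type": ("governance", 10),
    "entity_control": ("governance", 20),
    "license_type": ("license", 20),
    "license_stability": ("license", 20),
    "bus_factor": ("community", 10),
    "release_frequency": ("community", 15),
    "project_health": ("community", 10),
}

def apply_pessimistic_defaults(base_scores, fields):
    """Return (adjusted dimension scores, names of fields that defaulted).

    `fields` maps field name -> verified value, or None when unverified.
    Each missing field subtracts its penalty from its dimension; scores
    stay clamped to 0..100 so stacked penalties cannot go negative."""
    adjusted = dict(base_scores)
    defaulted = []
    for name, (dimension, penalty) in PESSIMISTIC_PENALTIES.items():
        if fields.get(name) is None:
            adjusted[dimension] = max(0, min(100, adjusted[dimension] - penalty))
            defaulted.append(name)
    return adjusted, defaulted

def final_score(dimension_scores):
    """Weighted average of the six 0-100 dimension scores, to 2 decimals."""
    missing = set(WEIGHTS) - set(dimension_scores)
    if missing:
        raise ValueError(f"dimension scores missing: {sorted(missing)}")
    return round(sum(dimension_scores[d] * w for d, w in WEIGHTS.items()), 2)

# Dimension scores from the page's worked example (bootstrapped German SaaS),
# and a constructed profile in which every penalised field has been verified.
EXAMPLE_SCORES = {
    "jurisdictional": 90, "ownership": 85, "governance": 70,
    "portability": 75, "license": 80, "community": 65,
}
VERIFIED = {name: "verified" for name in PESSIMISTIC_PENALTIES}
```

With both license fields unverified, the same service drops from 79.25 to 75.25; with no fields verified at all it falls to 60.75, which is the "under-researched services receive lower scores" effect described above.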
Data Completeness Tiers
Each service displays a data completeness indicator alongside its score, so you know how much of the score is based on verified data vs. pessimistic defaults.
- Most fields verified. Score is highly reliable.
- Key fields present. Some pessimistic defaults may apply.
- Many fields missing. Score relies heavily on pessimistic defaults.
- Very limited data. Score is primarily based on assumptions.
- Score not yet calculated. Service is newly added and awaiting initial assessment.
Help Us Improve
If you notice a service with missing or incorrect data, you can help by submitting corrections. Every verified data point removes a pessimistic default and gives the service a fairer score.
Comparison to Other Frameworks
| Framework | Focus | Scope | Our Relation |
|---|---|---|---|
| Star Stack | Practical sovereignty for developers | All EU services | — |
| Gaia-X | Federated data infrastructure | Enterprise cloud | We incorporate Gaia-X compliance as a governance factor |
| EUCS | Security certification | Cloud services | EUCS certification improves governance scores |
| CISPE | Code of conduct for IaaS | Infrastructure | CISPE membership noted in portability assessment |
Our methodology complements rather than replaces these frameworks. We focus on practical decision-making for developers and small teams who need actionable sovereignty guidance without enterprise certification overhead.
Data Sources
Our assessments are based on publicly available information from:
- Official company sources: Websites, documentation, legal pages, press releases
- GitHub repositories: Stars, contributors, commit activity, release frequency
- Business registries: Company registration, ownership structures
- News and press: Funding announcements, acquisition news, policy changes
Ownership Data Model
Ownership is the hardest dimension to get right. Corporate structures are complex, opaque, and constantly changing. A company can be EU-headquartered but ultimately controlled by a non-EU parent through layers of holding companies, or it can have foreign investors without any of them having actual control.
To handle this rigorously, we structure our ownership data in alignment with the Beneficial Ownership Data Standard (BODS) v0.4, an international open standard maintained by Open Ownership. BODS provides a principled way to represent ownership relationships as structured facts: who holds what type of interest (controlling shares, board appointments, voting rights), whether that interest is direct or indirect, and where the evidence comes from.
This matters for sovereignty scoring because it lets us distinguish between a company that has a foreign minority investor (low risk) and one where a foreign entity holds controlling ownership (high risk). Rather than relying on a single "ownership type" label, we model the actual relationship structure and derive the sovereignty implications from that.
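The minority-versus-control distinction above, worked through as an added Python example (not Star Stack's data model and not the BODS schema itself): ownership facts are stored as simplified, BODS-style direct interest statements, indirect stakes are derived by multiplying shares along each holding chain, and the largest non-EU/EFTA stake is classified as controlling or minority. Entity names, jurisdictions and shares are constructed; an entity with unknown jurisdiction is treated as non-EU, following the pessimistic-default rule.

```python
from dataclasses import dataclass

# Constructed sample entities and jurisdictions; not real companies.
EU_EFTA = {"DE", "FR", "NL", "SE", "FI", "AT", "CH", "NO"}
JURISDICTION = {"ExampleSaaS GmbH": "DE", "Holding BV": "NL",
                "Nordic Ventures": "SE", "Atlantic Corp": "US"}

@dataclass(frozen=True)
class Interest:
    """One direct ownership-or-control fact (field names simplified from BODS)."""
    interested_party: str   # entity holding the interest
    subject: str            # entity the interest is held in
    share: float            # percent of voting rights held directly, 0-100

def effective_share(interests, holder, subject, seen=frozenset()):
    """Direct plus indirect share: sum over every chain of direct holdings
    from `holder` down to `subject` of the product of shares along it."""
    total = 0.0
    for i in interests:
        if i.subject != subject or i.interested_party in seen:
            continue
        if i.interested_party == holder:
            total += i.share
        else:  # intermediate holder: recurse one level up the chain
            total += i.share / 100.0 * effective_share(
                interests, holder, i.interested_party, seen | {subject})
    return round(total, 2)

def non_eu_exposure(interests, subject, threshold=50.0):
    """Largest non-EU/EFTA effective stake in `subject`, classified as
    controlling (> threshold) or minority. An entity whose jurisdiction is
    unknown is treated as non-EU, matching the pessimistic-default rule."""
    holders = {i.interested_party for i in interests} - {subject}
    foreign = {h: effective_share(interests, h, subject) for h in holders
               if JURISDICTION.get(h) not in EU_EFTA}
    holder = max(foreign, key=foreign.get, default=None)
    share = foreign.get(holder, 0.0)
    return {"holder": holder, "share": share, "control": share > threshold}

# Case A: a US investor holds a 25% minority stake directly (low risk).
CASE_A = [Interest("Nordic Ventures", "ExampleSaaS GmbH", 60.0),
          Interest("Atlantic Corp", "ExampleSaaS GmbH", 25.0)]
# Case B: a Dutch holding owns 70% and is itself 80% owned by a US parent,
# so the US parent controls the SaaS indirectly with 56% (high risk).
CASE_B = [Interest("Holding BV", "ExampleSaaS GmbH", 70.0),
          Interest("Atlantic Corp", "Holding BV", 80.0)]
```

Case B is the "EU-headquartered but ultimately controlled by a non-EU parent through layers of holding companies" situation: a single "ownership type" label would not reveal it, but the chain of statements does.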
References & Further Reading
Legal Framework
- Schrems II Ruling (2020) — CJEU invalidated Privacy Shield, establishing that US surveillance laws conflict with EU data protection. Case C-311/18
- US CLOUD Act (2018) — Allows US government to compel US-based providers to disclose data regardless of storage location. H.R.4943
- GDPR (2016/679) — EU regulation on data protection and privacy, basis for data residency requirements. EUR-Lex
- EU Data Act (2023) — Regulation on fair access to and use of data, including cloud switching provisions. EUR-Lex
- European Parliament Report A10-0107/2025 (2025) — Report on Europe's technological sovereignty documenting 80%+ dependency on foreign digital services, 69% US cloud dominance, and calling for sovereign cloud solutions. europarl.europa.eu
Industry Standards & Initiatives
- Gaia-X — European initiative for federated data infrastructure and digital sovereignty. gaia-x.eu
- EUCS — EU Cybersecurity Certification Scheme for Cloud Services under the Cybersecurity Act. ENISA
- CISPE Code of Conduct — GDPR code of conduct for cloud infrastructure service providers. cispe.cloud
- Beneficial Ownership Data Standard (BODS) v0.4 — Open standard for representing beneficial ownership as structured, verifiable facts. Our ownership data model is aligned with BODS. openownership.org
Academic Research That Inspired Our Approach
- Pohle, J. & Thiel, T. (2020). "Digital Sovereignty" — Foundational paper defining digital sovereignty dimensions and policy implications. Internet Policy Review
- Opara-Martins, J. et al. (2016). "Critical analysis of vendor lock-in" — Framework for assessing cloud portability risks that informed our portability dimension. Journal of Network and Computer Applications
- Eghbal, N. (2020). "Working in Public: The Making and Maintenance of Open Source Software" — Research on open source sustainability that shaped our community health metrics. Stripe Press
- Floridi, L. (2020). "The Fight for Digital Sovereignty" — Philosophy of information perspective on data governance and jurisdictional control. Philosophy & Technology
- O'Mahony, S. (2007). "The governance of open source initiatives" — Seminal research on open source governance models that informed our governance dimension. Research Policy
- Coyle, D. et al. (2020). "The Value of Data" — Bennett Institute research on data economics and ownership structures. Bennett Institute
Technical Reports & Standards Bodies
- ENISA Cloud Security Reports — Technical guidance on cloud security and risk assessment. ENISA
- European Commission Digital Decade Policy — Policy framework on strategic autonomy in digital technologies. EC Digital Strategy
- CHAOSS Project Metrics — Open source community health metrics that inform our community dimension. chaoss.community
- Linux Foundation "Bus Factor" Research — Analysis of contributor concentration risk in open source projects. Linux Foundation
Methodology Changelog
- Switched to pessimistic defaults for missing data. Services with incomplete profiles now receive worst-case penalties instead of neutral scores. Added data completeness indicators to service pages. Jurisdiction data is now auto-derived from country codes.
- Initial methodology release with 6-dimension weighted scoring system.
Limitations & Disclaimer
Our sovereignty scores are assessments based on publicly available information and should be considered as guidance, not definitive judgments.
We cannot guarantee:
- Complete accuracy of all data points
- Real-time updates to ownership or policy changes
- Legal compliance advice for your specific use case
- Protection from future changes in company direction
We encourage users to verify critical information independently and consult legal professionals for compliance matters.
Feedback on Methodology
Have suggestions to improve our scoring methodology? We're always looking to refine our approach.