Methodology

staysin.eu analyses seven layers of a domain's infrastructure to determine whether data stays within European Union jurisdiction. This page explains exactly how each check works, how countries are determined, and how the final score is calculated.

What counts as "EU"?

The 27 member states of the European Union: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

EEA countries (Norway, Iceland, Liechtenstein), Switzerland, and the United Kingdom are not counted as EU, even though some have GDPR-equivalent legislation or EU adequacy decisions. The United Kingdom, for instance, has enacted the Investigatory Powers Act 2016, which grants broad government surveillance powers similar in scope to the US CLOUD Act. The scope of staysin.eu is strictly EU membership.

How countries are determined

Country determination follows a consistent two-tier approach across all checks:

  1. Provider match (preferred): When an IP address resolves to an ASN (Autonomous System Number) that is mapped to a known provider in our database, the provider's registered country is used. This reflects the legal jurisdiction of the operator, not the physical location of a particular server. For example, a German hosting provider operating a server in Finland still counts as Germany (DE), because the company is incorporated in Germany and data is processed under German/EU jurisdiction.
  2. IP geolocation (fallback): When no provider match exists, the country is determined by IP geolocation, which maps IP ranges to countries based on BGP routing data.

The one exception is Server location, which always uses pure IP geolocation. This provides a complementary data point: where data physically travels, alongside the jurisdiction-based checks.

Checks performed

For each domain, staysin.eu runs the following checks. Each check is either scored (counts towards the verdict) or informational (displayed but excluded from scoring).

Provider

Scored

Resolves the domain's A/AAAA records to get the server IP address. Looks up the ASN and matches it against the provider database. If a known provider is found, the provider's registered country determines EU status. If no provider match exists, the IP geolocation country is used.

DNS

Scored

Queries NS records for the domain. Each nameserver hostname is first matched against known providers by name (e.g. a nameserver hostname containing a known provider's domain). If no hostname matches, the nameserver IP is resolved and matched by ASN. Falls back to IP geolocation if no provider match exists.

Mail

Scored

Queries MX records. Same matching logic as DNS: hostname match first, then ASN match, then IP geolocation fallback. If no MX records exist, the item is neutral and excluded from scoring.

CDN

Scored if detected

Detects CDNs through four methods (in priority order): HTTP response headers (e.g. provider-specific headers), the Server header, CNAME records for the domain itself, and CNAME records for asset subdomains.

CDN checks only produce a scored result when a provider is explicitly identified. If no CDN is detected, the item shows "None detected" and is excluded from scoring. There is no geolocation fallback for CDN because CDNs use anycast routing, making IP geolocation unreliable.

Server location

Scored

Geolocates the domain's primary IP address using the iptoasn.com database. Unlike other checks, this always uses pure IP geolocation without provider override. This captures where data physically travels, providing a counterpart to the jurisdiction-based Provider check.

A non-EU company hosting in an EU data centre will show as non-EU for Provider (jurisdiction) but EU for Server location (physical location). Both dimensions are relevant: jurisdiction determines legal obligations (e.g. CLOUD Act), while physical location determines where data actually resides (relevant for GDPR enforcement and data seizure).
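The matching order used by the checks above (hostname, then ASN, then IP geolocation) and the geolocation-only Server location check, as an added example that is not staysin.eu's own code. The provider names, documentation IP addresses, private-use ASNs and the `resolve` interface are constructed for illustration, and matching hostnames on a label boundary is an assumption.

```python
EU = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE".split())

# Constructed stand-ins for the provider database and the IP-to-ASN data.
PROVIDERS = {
    "hoster-de": {"country": "DE", "asns": {64512}, "host_suffixes": ("hoster-de.example",)},
    "cloud-us": {"country": "US", "asns": {64513}, "host_suffixes": ("cloud-us.example",)},
}
IP_DATA = {  # ip -> (asn, geolocated country)
    "192.0.2.10": (64512, "FI"),     # German operator, server in Finland
    "198.51.100.20": (64513, "DE"),  # US operator, EU data centre
    "203.0.113.30": (64999, "CH"),   # ASN not in the provider database
}

def by_hostname(hostname):
    # Assumption: match on a DNS label boundary, so "notcloud-us.example"
    # is not attributed to the provider that owns "cloud-us.example".
    host = hostname.rstrip(".").lower()
    for name, p in PROVIDERS.items():
        if any(host == s or host.endswith("." + s) for s in p["host_suffixes"]):
            return name
    return None

def by_asn(ip):
    asn = IP_DATA.get(ip, (None, None))[0]
    for name, p in PROVIDERS.items():
        if asn in p["asns"]:
            return name
    return None

def resolve(ip=None, hostname=None, geo_only=False):
    """Return (country, source, is_eu). geo_only models the Server location check."""
    if not geo_only:
        for source, name in (("hostname", hostname and by_hostname(hostname)),
                             ("asn", ip and by_asn(ip))):
            if name:
                country = PROVIDERS[name]["country"]
                return country, source, country in EU
    country = IP_DATA.get(ip, (None, None))[1]
    if country is None:
        return None, "unknown", None   # nothing to score
    return country, "geo", country in EU
```

Calling `resolve("198.51.100.20")` and `resolve("198.51.100.20", geo_only=True)` shows the split between the Provider and Server location results for a non-EU operator in an EU data centre.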

External requests

Scored

Loads the website in a headless browser and captures all network requests to third-party domains. Each external host is resolved to an IP address, and the ASN is matched against the provider database to determine the operator and country. Same two-tier approach as the other checks: provider match preferred, IP geolocation as fallback.

TLS certificate issuer

Informational

Inspects the TLS certificate chain and identifies the Certificate Authority. Mapped to a country based on a curated list of well-known CAs. Always excluded from scoring because the CA's country does not determine where data flows.

Registrar

Informational

Performs an RDAP lookup to identify the domain registrar and its country. The registrar is displayed with an EU/non-EU indicator but is excluded from scoring. The registrar is an administrative relationship that does not affect where data flows or is processed.

Additionally, staysin.eu collects and displays several purely informational items that are never scored: DNSSEC validation status, notable HTTP headers (X-Powered-By, Via, X-Cache), pre-consent cookies, and reverse DNS (PTR) records.

Scoring

The sovereignty score is calculated from all scored items (infrastructure checks + detected external services):

Score = (EU items / total scored items) × 100

Items excluded from scoring: those marked as neutral (TLS, DNSSEC, headers, cookies, PTR), items with label "Registrar", and items where no provider could be detected ("Unknown", "None detected").

The final verdict follows strict rules:

  • Stays in EU — 100% of scored items are EU-based. No exceptions.
  • Leaves EU — At least one scored item is outside the EU. A single non-EU external service is enough to flip the verdict.
  • Insufficient data — No items could be scored at all (e.g. domain does not resolve).

Each scored item carries equal weight. A non-EU DNS provider has the same impact as a non-EU external service.
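The exclusion rules, score and verdict applied to one scan result, as an added example that is not staysin.eu's own code. The item fields (`label`, `detail`, `eu`, `neutral`), the sample items and the rounding of the displayed score are assumptions.

```python
UNDETECTED = {"Unknown", "None detected"}

def is_scored(item):
    """Apply the three exclusion rules: neutral, Registrar, nothing detected."""
    return not (item.get("neutral")
                or item["label"] == "Registrar"
                or item.get("detail") in UNDETECTED)

def sovereignty(items):
    scored = [i for i in items if is_scored(i)]
    if not scored:
        return {"score": None, "verdict": "Insufficient data", "scored": 0}
    eu = sum(1 for i in scored if i["eu"])
    # The verdict compares counts, never the rounded percentage: 999 of 1000
    # EU items displays as 100 but still leaves the EU.
    verdict = "Stays in EU" if eu == len(scored) else "Leaves EU"
    return {"score": round(eu / len(scored) * 100),  # rounding is an assumption
            "verdict": verdict, "scored": len(scored)}

# Constructed scan result for a fictional domain.
SITE = [
    {"label": "Provider", "detail": "hoster-de", "eu": True},
    {"label": "DNS", "detail": "hoster-de", "eu": True},
    {"label": "Mail", "detail": "No MX records", "eu": None, "neutral": True},
    {"label": "CDN", "detail": "None detected", "eu": None},
    {"label": "Server location", "detail": "FI", "eu": True},
    {"label": "External", "detail": "fonts-eu", "eu": True},
    {"label": "External", "detail": "analytics-us", "eu": False},
    {"label": "TLS certificate issuer", "detail": "ca-us", "eu": False, "neutral": True},
    {"label": "Registrar", "detail": "registrar-us", "eu": False},
]

if __name__ == "__main__":
    print(sovereignty(SITE))
    print(sovereignty([i for i in SITE if i["detail"] != "analytics-us"]))
```

Only five of the nine sample items are scored; the non-EU certificate issuer and registrar never affect the verdict, while the single non-EU external service does.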

Data sources

  • IP geolocation: iptoasn.com — maps IP ranges to ASN, country, and organization based on BGP routing data. Updated regularly.
  • Internal provider database: A curated mapping of ASNs, hostnames, and HTTP headers to service providers and their registered countries. Used across all checks to identify operators of hosting, DNS, mail, CDN, and external services. Validated against PeeringDB.
  • Registrar data: RDAP (Registration Data Access Protocol) — the standardized successor to WHOIS for domain registration information.

Limitations

  • IP geolocation is based on BGP routing data and may not always reflect the physical server location precisely.
  • CDN edge node locations are not sovereignty-relevant (anycast), so CDN country reflects the provider's jurisdiction, not where the request was served.
  • Headless browser checks capture a snapshot in time. Dynamically loaded third-party services that require user interaction may not be detected.
  • The provider database is curated and may not cover all hosting providers. Unknown providers fall back to IP geolocation.
  • EEA countries, Switzerland, and the UK are not counted as EU despite partial regulatory alignment.