Methodology

staysin.eu analyses many layers of a domain's infrastructure to determine whether data stays within European Union jurisdiction. This page explains exactly how each check works, how countries are determined, and how the final score is calculated.

What counts as "EU"?

The 27 member states of the European Union: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

EEA countries (Norway, Iceland, Liechtenstein), Switzerland, and the United Kingdom are not counted as EU, even though some have GDPR-equivalent legislation or EU adequacy decisions. The United Kingdom, for instance, has enacted the Investigatory Powers Act 2016, which grants broad government surveillance powers similar in scope to the US CLOUD Act. The scope of staysin.eu is strictly EU membership.

What sovereignty actually means here

Sovereignty is not "bits must never leave the EU." It's who has control over the data processing when something happens – who can be legally compelled to hand over, intercept, or deny access to the data.

A purely EU company that runs its own infrastructure is reachable only by EU legal process – even if a server happens to sit in a US data centre, the operator answers to its EU jurisdiction. Conversely, a non-EU-owned subsidiary or an EU-branded reseller of a non-EU cloud platform exposes its data to non-EU legal process (CLOUD Act, NSLs, comparable foreign laws) via the parent or the underlying contractor – even if every byte stays inside the EU.

How countries are determined

For an item to count as EU, all three of these must hold:

  1. Country: The provider's operational country is in the EU.
  2. Holding: No non-EU parent or holding company. A non-EU-owned subsidiary loses sovereignty regardless of where it operates – an EU operation owned by a US parent is non-EU.
  3. Own infrastructure: The provider runs its own stack rather than reselling a non-EU service. An EU-branded CDN that resells a non-EU CDN, or an EU SaaS that runs entirely on a non-EU cloud platform, is non-EU because operational control sits with the underlying contractor.
    Own infrastructure means the operator builds and operates the production stack themselves. Mixed setups – where a provider has a small operational footprint but resells third-party capacity for the bulk of delivery – are classified as resellers.

Three concrete shapes the rule produces:

  • An EU hoster serving from a US data centre – EU. EU company, no non-EU parent, runs its own infrastructure. The physical location of the box is informational; legal compulsion runs through the EU operator.
  • An EU hosting brand owned by a non-EU parent – non-EU. Local operations, but foreign authorities can compel the parent for any subsidiary's data.
  • An EU-branded CDN reselling third-party non-EU infrastructure – non-EU. Strong EU contractual hook, but operational control and legal reach lie with the underlying non-EU operator.

IP geolocation (the country where the ASN announces the IP) is shown alongside the verdict but is informational, not punitive. When the provider country and the GeoIP country diverge, the UI shows both – for example EU · Germany via United States – making the operational footprint visible without altering the verdict.

Server location is always pure IP geolocation by design – it's the physical-location data point alongside the jurisdiction-based checks. Registrar uses provider country only (no IP available from RDAP) and is excluded from scoring.
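The three-condition rule and the informational GeoIP suffix, as an added Python example that is not staysin.eu's own code. The record layout, the provider entries and the "Non-EU" label wording are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# ISO 3166-1 alpha-2 codes of the 27 member states listed on this page.
EU = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT "
         "NL PL PT RO SK SI ES SE".split())
NAMES = {"DE": "Germany", "FR": "France", "US": "United States"}  # demo subset

@dataclass(frozen=True)
class Provider:                       # hypothetical record layout
    name: str
    country: str                      # operational country
    parent_country: Optional[str]     # None: no parent or holding company
    resells_from: Optional[str]       # None: own stack; else underlying operator's country

def classify(p: Provider):
    """Apply the three conditions in order; return (is_eu, failed_condition)."""
    if p.country not in EU:
        return False, "country"
    if p.parent_country is not None and p.parent_country not in EU:
        return False, "holding"
    if p.resells_from is not None and p.resells_from not in EU:
        return False, "own infrastructure"
    return True, None

def label(p: Provider, geoip_country: str) -> str:
    """Verdict plus provider country. GeoIP is appended only when it diverges
    and never changes the verdict. The 'Non-EU' wording is an assumption."""
    is_eu, _ = classify(p)
    text = f"{'EU' if is_eu else 'Non-EU'} · {NAMES.get(p.country, p.country)}"
    if geoip_country != p.country:
        text += f" via {NAMES.get(geoip_country, geoip_country)}"
    return text

# Constructed providers mirroring the three shapes described above.
HOSTER = Provider("Hoster A", "DE", None, None)   # EU hoster, box in a US data centre
BRAND = Provider("Brand B", "FR", "US", None)     # EU brand owned by a non-EU parent
CDN = Provider("CDN C", "DE", None, "US")         # EU-branded reseller of a non-EU CDN

if __name__ == "__main__":
    for p, geo in [(HOSTER, "US"), (BRAND, "FR"), (CDN, "US")]:
        print(p.name, classify(p), label(p, geo))
```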

Checks performed

For each domain, staysin.eu runs the following checks. Each check is either scored (counts towards the verdict) or informational (displayed but excluded from scoring).

Provider

Scored

Resolves the domain's A/AAAA records to get the server IP address. Looks up the ASN and matches it against the provider database. The EU verdict follows the matched provider's curated classification (country + holding + own infrastructure). If no provider matches, only the ASN's country is used as a fallback.

DNS

Scored

Queries NS records for the domain. Each nameserver hostname is first matched against known providers by name. If no hostname matches, the nameserver IP is resolved and matched by ASN. When a hostname does match, the IP is still resolved so the GeoIP country can be shown alongside the verdict for transparency.

Mail

Scored

Queries MX records. Same matching logic as DNS: hostname match first, then ASN match. The verdict follows the matched provider's classification. If no MX records exist, the item is neutral and excluded from scoring.
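The hostname-first, ASN-second matching shared by the DNS and Mail checks, as an added Python example that is not staysin.eu's own code. The provider entries, `.example` hostnames, private-use ASNs and the label-boundary suffix rule are assumptions; resolved records are constructed inline instead of queried live.

```python
# Constructed provider database: hypothetical providers, reserved .example names
# and private-use ASNs. The boolean is the provider's curated EU classification.
BY_HOSTNAME = {"dns-alpha.example": ("Alpha DNS", True),
               "mail-beta.example": ("Beta Mail", False)}
BY_ASN = {64512: ("Gamma Hosting", True)}
EU = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT "
         "NL PL PT RO SK SI ES SE".split())

def match_hostname(host):
    """Match on a DNS label boundary (assumed rule), so that
    'notdns-alpha.example' is not mistaken for 'dns-alpha.example'."""
    h = host.rstrip(".").lower()
    for suffix, provider in BY_HOSTNAME.items():
        if h == suffix or h.endswith("." + suffix):
            return provider
    return None

def check(records):
    """records: constructed (hostname, asn, geoip_country) tuples standing in for
    live NS/MX resolution. Returns (hostname, provider, verdict, matched_by, geoip)."""
    if not records:                    # e.g. no MX records: neutral, not scored
        return [(None, None, "neutral", None, None)]
    results = []
    for host, asn, geoip in records:
        provider, matched_by = match_hostname(host), "hostname"
        if provider is None:
            provider, matched_by = BY_ASN.get(asn), "asn"
        if provider is None:           # unknown provider: fall back to the ASN's country
            verdict = "eu" if geoip in EU else "non-eu"
            results.append((host, None, verdict, "asn-country", geoip))
        else:
            name, is_eu = provider
            results.append((host, name, "eu" if is_eu else "non-eu", matched_by, geoip))
    return results

NS = [("ns1.dns-alpha.example.", 64700, "US"),    # hostname match; GeoIP is shown only
      ("ns1.notdns-alpha.example", 64512, "DE"),  # look-alike name falls through to ASN
      ("ns.unlisted.example", 64999, "US")]       # no match at all

if __name__ == "__main__":
    for row in check(NS) + check([]):
        print(row)
```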

CDN

Scored

Detects CDNs through four methods (in priority order): HTTP response headers (e.g. provider-specific headers), the Server header, CNAME records for the domain itself, and CNAME records for asset subdomains.

CDN checks only produce a scored result when a provider is explicitly identified. If no CDN is detected, the item shows "None detected" and is excluded from scoring. When a CDN is matched, the edge PoP IP is resolved to disclose the routing path (via <country>), but the verdict follows the CDN provider's classification – an EU CDN running its own globally distributed PoPs is still EU; an EU-branded CDN that resells third-party non-EU infrastructure is non-EU.

Server location

Scored

Geolocates the domain's primary IP address using the iptoasn.com database. Unlike the other checks, this never considers provider jurisdiction – it's a pure physical-location data point alongside the jurisdiction-aware checks.

Both dimensions are relevant: jurisdiction determines legal obligations (e.g. CLOUD Act, NSLs), while physical location determines where data actually resides (relevant for GDPR enforcement and data seizure). A US-owned provider hosting in an EU data centre scores non-EU for Provider (due to the parent's jurisdictional reach) but EU for Server location (physical placement).

External requests

Scored

Loads the website in a headless browser and captures all network requests to third-party domains. Each external host is resolved to an IP address, and the ASN is matched against the provider database. The verdict follows the matched provider's classification, the same as the other checks.

TLS certificate issuer

Informational

Inspects the TLS certificate chain and identifies the Certificate Authority. Mapped to a country based on a curated list of well-known CAs. Always excluded from scoring because the CA's country does not determine where data flows.

Registrar

Informational

Performs an RDAP lookup to identify the domain registrar and its country. The registrar is displayed with an EU/non-EU indicator but is excluded from scoring. The registrar is an administrative relationship that does not affect where data flows or is processed.

Additionally, staysin.eu collects and displays several purely informational items that are never scored: DNSSEC validation status, notable HTTP headers (X-Powered-By, Via, X-Cache), pre-consent cookies, and reverse DNS (PTR) records.

Scoring

The sovereignty score is calculated from all scored items (infrastructure checks + detected external services):

Score = (EU items / total scored items) × 100

Items excluded from scoring: those marked as neutral (TLS, DNSSEC, headers, cookies, PTR), items with label "Registrar", and items where no provider could be detected ("Unknown", "None detected").

The verdict is binary – either every scored item is EU, or at least one is not:

  • Stays in EU – every scored item is EU. No exceptions.
  • Leaves EU – at least one scored item is non-EU.
  • Insufficient data – no items could be scored at all (e.g. domain does not resolve).

The numeric score is the same fraction whether the verdict is Stays in EU or Leaves EU: (EU items / total scored items) × 100. A site that clears every check but one still scores numerically high even though its verdict flips to Leaves EU.
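The exclusion rules, score and verdict worked through on one result set, as an added Python example that is not staysin.eu's own code. The item tuples and status strings are assumptions, and the sample results are constructed.

```python
SCORABLE = {"eu", "non-eu"}        # "neutral", "Unknown", "None detected" are not scored
EXCLUDED_LABELS = {"Registrar"}    # shown with an EU/non-EU indicator, never scored

def sovereignty(items):
    """items: (label, status) pairs. Returns (score, verdict); score is None
    when nothing could be scored."""
    scored = [status for lbl, status in items
              if lbl not in EXCLUDED_LABELS and status in SCORABLE]
    if not scored:
        return None, "Insufficient data"
    eu = scored.count("eu")
    score = 100 * eu / len(scored)             # (EU items / total scored items) x 100
    verdict = "Stays in EU" if eu == len(scored) else "Leaves EU"
    return score, verdict

# Constructed results for one domain: four infrastructure checks, six external
# requests (the last one non-EU), plus items that must not influence the score.
SITE = [("Provider", "eu"), ("DNS", "eu"), ("Mail", "eu"),
        ("CDN", "None detected"), ("Server location", "eu"),
        ("TLS certificate issuer", "neutral"), ("Registrar", "non-eu")]
SITE += [("External request", "eu")] * 5 + [("External request", "non-eu")]

if __name__ == "__main__":
    print(sovereignty(SITE))        # one non-EU item among ten scored items
    print(sovereignty(SITE[:-1]))   # same site without the non-EU request
    print(sovereignty([("TLS certificate issuer", "neutral")]))
```

The non-EU registrar in the sample never affects either result, while the single non-EU external request flips the verdict and leaves the score high.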

Data sources

  • IP geolocation: iptoasn.com – maps IP ranges to ASN, country, and organization based on BGP routing data. Updated regularly.
  • Internal provider database: A curated mapping of ASNs, hostnames, and HTTP headers to service providers and their registered countries. Used across all checks to identify operators of hosting, DNS, mail, CDN, and external services. Validated against PeeringDB.
  • Registrar data: RDAP (Registration Data Access Protocol) – the standardized successor to WHOIS for domain registration information.

Limitations

  • IP geolocation is based on BGP routing data and may not always reflect the physical server location precisely.
  • CDN edge node locations are not sovereignty-relevant (anycast), so CDN country reflects the provider's jurisdiction, not where the request was served.
  • Headless browser checks capture a snapshot in time. Dynamically loaded third-party services that require user interaction may not be detected.
  • The provider database is curated and may not cover all hosting providers. Unknown providers fall back to IP geolocation.
  • EEA countries, Switzerland, and the UK are not counted as EU despite partial regulatory alignment.

Found incorrect or misleading data?

The provider database is curated by hand. Holding structures change, brands get acquired, resellers swap their underlying infrastructure. If a verdict looks wrong – or you spot an entry that's misleading or out of date – please get in touch at enum.co/contact and we'll review it.

This assessment is based on publicly available technical data (DNS records, ASN allocations, HTTP responses) and defined classification criteria. staysin.eu is a technical indicator, not a legal audit or complete compliance check.