Glossary

Legal space under which data processing and accesses take place. Determines which authorities may make access requests and which data protection laws apply (e.g. GDPR for EU, CLOUD Act for USA).

Geographical and regional binding of data storage and processing, including backups, logs and metadata. Data Residency defines where data is physically stored.

A broader term than data residency. Refers to an organization’s complete control over its data, including access, encryption, processing and exit capability.

The management and API layer of a cloud provider (IAM, resource management, billing, policies). Accesses to the control plane can override all data controls.

Technical enforcement that cloud resources can only be created in explicitly approved geographical regions.

Encryption key fully managed by the cloud provider. The provider can theoretically use the key. Acceptable for non-sensitive data.

Encryption key whose lifecycle management (creation, rotation, deletion) rests with the customer, but is stored in the provider’s KMS. The provider has technical access to the KMS, but the key policy restricts who may use the key.

Key material is generated by the customer and imported into the cloud KMS. The customer controls the key material completely, but must import it into the cloud infrastructure.

Key material remains in a customer-controlled HSM infrastructure outside the cloud provider. Cloud services must contact the external HSM for every encryption operation. The provider has no technical access to the key material.

Physical or virtual device that securely stores cryptographic key material and performs cryptographic operations in a tamper-resistant environment.

Emergency access process with elevated privileges, activated only in documented exceptional situations. Strictly time-limited, fully logged and reviewed.

Access provisioning pattern where privileged permissions are only activated for a defined period of time and for a specific task. Eliminates "standing privilege".

Governance principle that prevents a single person from performing all steps of a critical process. Example: whoever can change a KMS key policy must not simultaneously be able to access the encrypted data.

In the GDPR context: a service provider that processes personal data on behalf of a controller or processor. Subject to special requirements (Art. 28 GDPR).

Network connection that enables direct access to cloud services (S3, KMS, etc.) via the internal cloud network, without traffic being routed over the public internet.

Outgoing network traffic from a workload or network segment. In the sovereign context, the primary exfiltration path for data.

Method for secure data deletion by destroying the encryption key. Since decryption is impossible without the key, the data material is effectively irrecoverable. Recognized as GDPR Art. 17-compliant deletion when correctly implemented.

Documented plan describing how an organization can migrate or port its workloads, data and processes from a cloud provider. Contains step-by-step procedures, timeline and data export mechanisms.

Ability to export data in standardized formats and operate workloads on alternative infrastructure. A measurable characteristic of a sovereign architecture.

EU regulation on the protection of personal data. Central basis for many data residency and sovereign cloud requirements.

Cloud Computing Compliance Criteria Catalogue of the Federal Office for Information Security. Audit standard for cloud services in Germany.

EU Cloud Services Scheme. European cybersecurity certification scheme for cloud services, developed by ENISA. Levels: Basic, Substantial, High.

European ecosystem project for a transparent, secure and federated cloud infrastructure. Defines requirements for data sovereignty and interoperability.

Network and Information Security Directive 2.0. EU directive for IT security at critical infrastructure and important facilities. Extends the scope of NIS1.

US law (Clarifying Lawful Overseas Use of Data Act) that gives US authorities the right to request data from US companies, even when stored abroad. Direct implication for HYOK/BSI-C5 requirements.

Framework for supply chain security in software development. Levels 1–4 define increasing requirements for build integrity and provenance evidence.