Shared Responsibility in the Sovereign Context

Sovereignty in the cloud is always a shared responsibility. The boundary is however different from classic security – sovereignty requires more active operator decisions, because provider defaults are often not sovereign.

What Providers Typically Control

Area	Provider Responsibility
Physical Security	Data center, network backbone, hardware security.
Base Compliance	ISO 27001, SOC 2, BSI C5 attestations of the provider. Note: these attestations cover the provider, not the operator’s portion.
Region Infrastructure	Availability of regions, documentation on subprocessors, compliance certificates.
Default Encryption	Many services offer standard encryption with provider-managed keys.
Audit Artefacts	SOC 2 reports, ISO certificates, BSI C5 attestations as evidence for the provider’s portion.

Area

Provider Responsibility

Physical Security

Data center, network backbone, hardware security.

Base Compliance

ISO 27001, SOC 2, BSI C5 attestations of the provider. Note: these attestations cover the provider, not the operator’s portion.

Region Infrastructure

Availability of regions, documentation on subprocessors, compliance certificates.

Default Encryption

Many services offer standard encryption with provider-managed keys.

Audit Artefacts

SOC 2 reports, ISO certificates, BSI C5 attestations as evidence for the provider’s portion.

Provider certificates (BSI C5, ISO 27001) cover the provider. They are not evidence of the operator’s sovereign compliance. Both sides must maintain their own evidence.

What Operators Control (WAF++ Focus)

Area	Operator Responsibility	WAF++ Control
Data Classification	Which data is classified how and what residency requirements apply.	WAF-SOV-010
Region Pinning	Technical enforcement of permitted regions via IaC and policy-as-code.	WAF-SOV-020
Backup Configuration	Where backups are stored, for how long, and whether restore tests are performed.	WAF-SOV-030
Log Destinations	Where logs, traces and metrics are exported.	WAF-SOV-040
Key Management	Whether CMK/BYOK/HYOK is used; rotation and deletion policies.	WAF-SOV-050
IAM & Access	Role model, privileged access, separation of duties, MFA enforcement.	WAF-SOV-060
Break-Glass Process	Who activates, what is logged, how it is reviewed afterwards.	WAF-SOV-070
Subprocessors & Dependencies	Inventory of all third-party providers and their jurisdiction, contractual basis.	WAF-SOV-080
Egress Control	Which outgoing connections are permitted and how exfiltration is detected.	WAF-SOV-090
Exit Capability	Documented, tested exit plan; data portability; IaC portability.	WAF-SOV-100

Area

Operator Responsibility

WAF++ Control

Data Classification

Which data is classified how and what residency requirements apply.

WAF-SOV-010

Region Pinning

Technical enforcement of permitted regions via IaC and policy-as-code.

WAF-SOV-020

Backup Configuration

Where backups are stored, for how long, and whether restore tests are performed.

WAF-SOV-030

Log Destinations

Where logs, traces and metrics are exported.

WAF-SOV-040

Key Management

Whether CMK/BYOK/HYOK is used; rotation and deletion policies.

WAF-SOV-050

IAM & Access

Role model, privileged access, separation of duties, MFA enforcement.

WAF-SOV-060

Break-Glass Process

Who activates, what is logged, how it is reviewed afterwards.

WAF-SOV-070

Subprocessors & Dependencies

Inventory of all third-party providers and their jurisdiction, contractual basis.

WAF-SOV-080

Egress Control

Which outgoing connections are permitted and how exfiltration is detected.

WAF-SOV-090

Exit Capability

Documented, tested exit plan; data portability; IaC portability.

WAF-SOV-100

The Sovereign Compliance Triangle

For complete sovereign compliance an organization needs three types of evidence:

         ┌─────────────────────────────┐
         │  Provider Compliance Artefact│  ← BSI C5 attestation, ISO 27001 of the provider
         └─────────────────────────────┘
                        +
         ┌─────────────────────────────┐
         │  Operator Technical Evidence │  ← IaC configuration, audit logs, WAF-SOV checks
         └─────────────────────────────┘
                        +
         ┌─────────────────────────────┐
         │  Contractual/Process Evidence│  ← DPA, subprocessor lists, runbooks, reviews
         └─────────────────────────────┘

If any one of the three layers is missing, the sovereign evidence is incomplete.

Contractual vs. Configurable Sovereignty

A common misconception: many providers offer "Sovereign Cloud" products. For WAF++ the following distinction applies:

Aspect	Contractual	Configurable/Technical
Jurisdiction	Contract governs data location; often hard to enforce.	Region pinning via IaC and policy – measurable and verifiable.
Data access by provider	Contractual clauses; Cloud Act risks cannot be eliminated by contract.	HYOK technically eliminates the access possibility.
Subprocessor changes	Provider notifies; no technical control.	Inventory + review process + contractual exit right.
Data deletion at contract end	Contractual clause; no technical proof.	S3 Lifecycle, GDPR Art. 17 – technically implementable and verifiable.

Aspect

Contractual

Configurable/Technical

Jurisdiction

Contract governs data location; often hard to enforce.

Region pinning via IaC and policy – measurable and verifiable.

Data access by provider

Contractual clauses; Cloud Act risks cannot be eliminated by contract.

HYOK technically eliminates the access possibility.

Subprocessor changes

Provider notifies; no technical control.

Inventory + review process + contractual exit right.

Data deletion at contract end

Contractual clause; no technical proof.

S3 Lifecycle, GDPR Art. 17 – technically implementable and verifiable.

For sovereignty-critical workloads the rule of thumb should apply: "If it is only governed contractually and not technically verifiable, it is not a sovereign control."