How we assess
The factual signals we publish (jurisdiction, privacy and transparency): what each means and how we verify it.
Last updated 2026-05-18
EU Vetted does not publish a single grade. Instead, every listing carries a fixed set of factual signals, and each signal is marked as verified (✓), not present (✗), or not assessed (—). The marks are grouped so a reader can weigh the concerns that matter to them, rather than trusting one number to stand in for all of them.
The signal groups
Each product is assessed against the same set of signals, organised into three groups.
Jurisdiction
- EU / adequacy hosting: customer data at rest is hosted in the EU or in a jurisdiction recognised under an adequacy decision.
- EU ownership: the operating company is EU-incorporated and EU-controlled, without significant non-EU ownership in the cap table.
- No CLOUD Act exposure: the operator is not US-incorporated, has no US parent, and relies on no core US-owned sub-processor for customer data at rest. The US CLOUD Act (2018) lets US authorities compel US-controlled companies to produce data regardless of where it sits; data-centre region alone does not remove this exposure.
Privacy
- End-to-end encryption and related data-protection properties, marked where they are applicable to the category. A signal that does not apply to a category (for example, end-to-end encryption for an analytics product that holds no message content) is shown as not assessed rather than as a failure.
Transparency
- Public DPA: a Data Processing Addendum a prospective buyer can read without logging in or contacting sales.
- Sub-processor disclosure: a publicly accessible, current list of the vendor's sub-processors.
- Open-source clients: client applications whose source is publicly available for inspection.
- Third-party certification: an independent audit such as SecNumCloud (ANSSI), EUCS (ENISA), BSI C5, or ISO/IEC 27001. We surface a certificate only when the vendor publicly claims it; we never manufacture one.
How we verify
Each signal is checked against the vendor's own public disclosures. We read the published DPA, the sub-processors document, the hosting-region declaration, the certifications, and the corporate ownership records. Every entry carries a timestamp (the "Last verified" date on the listing) and is re-checked at least quarterly. We never accept self-attestation: if a claim cannot be confirmed against a public source, the signal is marked not present or not assessed, not verified.
The marks are editorial. They reflect the editor's reading of public sources at the stated date, not a certification we issue.
Why no single number
We previously published a 1–5 compliance score. We retired it. A single grade compressed independent concerns (where data is hosted, who owns the company, whether US law can reach the data, what the vendor discloses) into one figure, and it could not stay consistent across very different products and categories. Separate factual marks let each reader apply their own priority: a buyer in a regulated sector may treat any CLOUD Act exposure as a hard veto, while another reader cares most about a public DPA. None of these signals substitutes for the vendor's own compliance evidence; before contracting, obtain the DPA, the current sub-processor list, and the relevant certificates directly from the vendor.
Affiliate independence
Signals and the order in which products appear are never influenced by affiliate relationships. Some links on the site are affiliate links and we may earn a commission at no extra cost to you, but that has no bearing on whether a signal is marked verified or on how a listing ranks. Sponsored placement, where it exists, is always labelled as such.