Sovereign Cloud Compass
Provider profile UpCloud

UpCloud

Provider-specific sources from the current dataset. Use the Compass for scoring, weighting, and A/B comparison.

Provider Snapshot

Sources / Evidence

Customer content in the EU

Customer Data stays in chosen EU DC; DPA integrated into ToS; non-EU ops staff technically prevented from accessing Customer Data; SCCs for international transfers. CISPE Code of Conduct adherent. Finnish-owned, GDPR-compliant.

Customer-created metadata in the EU

DPA in ToS covers 'Relevant Personal Data'; customer DB on UpCloud's EU servers; non-EU ops staff technically prevented from accessing Customer Data. Billing/telemetry metadata routing not individually documented.

Physically & logically separated

N/A (no separate, physically/logically separated sovereign cloud instance can be evidenced).

EU-based operations & support

Operations and orchestration from Europe (24/7/365) (stated).

No critical non-EU dependencies

Partial/unclear (global footprint; EU Access Management Policy for EU DCs) (stated).

Ownership / ultimate parent (EU-owned?)

EU-owned (Finland) (stated).

Controlling interest & FISA 702 risk (jurisdiction ≠ residency)

Ultimate parent: UpCloud Oy (FI/EU). No US parent; the risk of extraterritorial US access obligations is significantly lower.

Local contracting entity & EU governance (operational model)

All customers contracted by UpCloud Oy (Finland, HQ Helsinki). DPA integrated into ToS with subprocessor list. CISPE Code of Conduct. EU Data Act disclosure confirms single Finnish entity for all customers globally. No US parent entity.

Independent advisory board

No independent advisory board documented. Finnish company.

EU root CA / trust services

No specific documentation on EU root CA / trust services.

BSI C5

Finnish company. BSI C5 is not addressed.

ISO 27001 / ISMS

ISO 27001-certified ISMS (stated).

IT-Grundschutz (BSI)

Finnish company. IT-Grundschutz is not addressed.

Open standards / API portability

REST API + Terraform Provider (verified) + CLI (upctl) (stated).

Service portfolio depth

IaaS: Cloud Servers (6 plan families incl. GPU), Managed K8s (UKS), Managed Databases (MySQL/PostgreSQL/Redis/Valkey), Object Storage (S3-compat), Block Storage, File Storage (NFS, new), Load Balancer, SDN Private Networks. No native PaaS/SaaS/AI services.

Geographic footprint & redundancy (regions/AZ/DCs in EU/DE)

8 EU DCs (including FI, DE, NL, ES, PL, SE, DK) + additional regions (stated).

Audit reports / evidence pack

ISO 27001 + site-specific DC certifications (including SOC/PCI per site) (stated).

Policy enforcement (guardrails)

Permissions/subaccounts + Object Storage user access policies documented; no comprehensive org-level guardrails evidenced (partial).

Default deny / secure by default

Firewall default rule is configurable; best practice: default 'drop' (secure by default via configuration; default unclear).

Independent verification (continuous)

ISO/ISMS in place (periodic); no continuous/machine-readable verification publicly evidenced.

Blackbox exposure (ops/control plane)

Software developed in-house reduces the attack surface. Privileged OS access disabled. ISO 27001. However, ops/control plane transparency is limited.

Operator access exclusion (workload scope)

EU Access Management Policy (privileged access only by EU staff for EU DCs) (stated).

IaC & automation (Terraform/OpenTofu, SDKs, APIs)

Official OpenTofu/Terraform provider (v5+, 50+ resources). Native SDKs (Go, Python, PHP). Ansible collection, Pulumi provider, Packer plugin, upctl CLI. Full REST API v1.3. All open-source.

Everyday SDLC/DevOps (CI/CD, registry, secrets, K8s)

Managed K8s; Terraform. Registry/secret manager as a managed service not evidenced.

Observability (logs/metrics/traces, alerting)

Monitoring/health for services (stated); logs/traces as a platform service not evidenced.

Limits/quotas (transparency & increase)

Fair Transfer Policy with zero-cost egress; per-plan transfer quotas published. Per-product docs (servers, storage, network) detail configurations & limits. Free trial limits documented. API for usage monitoring. Quota increases via support.

Reference architectures / landing zones

GitHub repos: sample-uks-microservices (HCL, Jan 2026), sample-uks-web-app-demo (WordPress+MySQL+UKS), uks-instructions (K8s examples). Open-source data platform tutorial (Trino/Lakekeeper/OPA on UKS).

Energy efficiency / PUE & targets

Energy efficiency measures are described, but no PUE KPIs/targets are published. (Source: UpCloud ESG Program)

CO₂/water reporting + renewable energy sources

Commitment to carbon footprint (Scope 1–3) and renewable energy is described, but without public KPIs or a report in the source. (Source: UpCloud ESG Program)
