Sovereignty

Not all sovereignty is the same.

Most “sovereign” clouds only store data in region. Real sovereignty is layered, and it has to be proven.

Residency is not sovereignty

A global provider can store your data in country and still be reachable by foreign law and operated from outside your borders. Where the data sits is the easy part. Sovereignty is everything around it.

Without sovereignty, there is no security. Without security, there is no trust. Without trust, healthcare cannot advance.

The components

Six dimensions, not one.

Data

Where it lives and whose law governs it.

Physically resident in jurisdiction, subject only to local law.

Operational

Who can actually touch the systems.

Operated and supported by vetted, in jurisdiction teams, with no foreign back door.

Jurisdictional

Whose courts can compel access.

A structure that keeps control local and beyond the reach of foreign law.

Technical

Who controls the stack.

A controlled stack with no foreign control plane and nothing proprietary holding you captive.

Supply chain

Who is in the hardware and recovery path.

Hardware, vendors and disaster recovery free of single nation dependency.

Assurance

Whether it is certified, not just claimed.

Independently audited against the standards that matter.

The ascent

Where does your sovereignty stop climbing?

Sovereignty is a climb, not a checkbox. Most providers stop at base camp. We carry it to the summit.

WHERE MOST “SOVEREIGN” CLOUDS STOPBASE CAMPResidencyData stored in regionthe market defaultCAMP IOperationalLocal operations and accessCAMP IIJurisdictionalBeyond the reach of foreign lawCAMP IIITechnical and supply chainControlled stack and recovery path▲ 3verestSUMMITAssuredCertified and audited end to end

Assurance

Proven, not promised.

The summit is the only level you can audit. Sovereignty at 3verest is independently certified, and the programme keeps climbing.

Currently held

ISO 27001:2022

Current

Reissued Feb 2026, valid to Dec 2027.

SOC 2 Type II

Current

Security, audit period Aug 2024 to Aug 2025, clean opinion. Scope expanding (see roadmap).

Cyber Essentials Plus

Current

Renewed Mar 2026, valid to Mar 2027, whole org scope.

GAIA-X

Member

Active member of the European sovereign cloud framework.

GDPR

Current

Compliance documentation maintained in the data room.

NHS HSCN

Current

Active connection to the UK health and social care network.

On the roadmap · 2026

NHS DSPT

In progress

2026, under the A-LIGN consolidated programme.

SOC 2 Type II, expanded

H2 2026

Adds Availability and Confidentiality, multi region across US, UK, AU and CA.

CSA STAR Level 2

H2 2026

Independent third party assessment, bundled with SOC 2.

BSI C5 (Germany)

H2 2026

German cloud security, overlapping SOC 2 and STAR.

ISO 27017

H2 2026

Cloud security controls, building on ISO 27001.

ISO 27018

H2 2026

Cloud privacy and protection of personal data.

Sovereignty is not a feature. It’s the foundation.