SUPRA Sovereign Cloud Platform
Digital sovereignty · EU jurisdiction

Sovereign. Resilient. Secure. Cloud platform built in the EU.

Multi-cloud federation across European providers — with failover measured in seconds and keys that never leave the EU.

[Diagram: EU multi-cloud federation · live failover. A workload fails over between EU Regions A to G on a region outage.]

The real gap

Hyperscalers give you a technical air-gap — never a jurisdictional one. The CLOUD Act and FISA reach your data regardless of where the servers physically stand. SUPRA moves the keys, the orchestration and the jurisdiction inside EU borders.

Independence & contingency

Leaving foreign jurisdiction is possible — and controlled.

SUPRA sovereign platform · EU · Jurisdiction: EU · Keys: EU-owned
Recommended target: EU-A · EU-B · EU-C

Non-EU cloud provider · Jurisdiction: outside EU · Keys: held by the provider
Contingency · Full migration
Keep running there: SUPRA as a contingency plan first, full migration later.

On-prem environment · Single site · outage & scale risk
Migration
Migration that buys resilience to outages and geographic distribution across the EU.

From a non-EU cloud provider, SUPRA can run first as a contingency plan and later take over the workload in a full migration. From on-prem — a controlled migration for resilience and EU-wide distribution.

EU Compliance

Built to the standards that matter in the EU.

IPCEI-CIS · EU strategic project
ICRA v2.0 · Control reference
CSF v2.0 · NIST framework
CRA · Cyber Resilience Act
NIS2-ready · Directive-aligned
PQC roadmap · Quantum-ready

Cloud & AI Development Act (CADA)

The EU's single sovereignty framework defines four cloud assurance levels. SUPRA is built for L3–L4: EU-owned and controlled, full software-supply-chain control, no third-country interference.

L1 · Data in EU
L2 · Independence
L3 · EU-owned
L4 · Full control
SUPRA target: L3–L4

Technical stack

Open components, mapped to the IPCEI-CIS reference architecture.

No proprietary lock-in. Every layer maps to a concrete tool against IPCEI-CIS RA v2.0 and the CSF v2.0 security framework — auditable end to end.

Phase 1
Roadmap
Application layer RA · L7
GitLab CI, ArgoCD, Helm, Envoy Gateway, OpenTelemetry, Backstage
Data layer RA · L6
Kafka · Strimzi, Rook · Ceph, CloudNativePG, Apache Flink, OpenMetadata
AI layer RA · L5
vLLM, GPU nodes K8s, Kubeflow, MLflow Registry
Service orchestration RA · L4
ArgoCD GitOps, K8s API, OpenSearch, Liqo
Cloud-edge platform RA · L3
ArgoCD MCM, Cilium CEC, K8s RBAC · Kyverno, Knative
Networking & SDN RA · L2
Cilium · eBPF, Linkerd / Istio Ambient, Kubernetes CaaS

Cross-cutting domains
Federation & DR
Cross-region replication
Kafka MirrorMaker2, Ceph RGW, GitLab Geo, CloudNativePG HA, Liqo
Management & ops
Observability, GitOps
Prometheus · Grafana, OpenSearch SIEM, Alertmanager, OpenCost
Sustainability
Per-pod energy, OSS
Kepler, Open-source stack

CSF v2.0 — security coverage

10 themes · Phase 1 live

Each Collaborative Security Framework theme is satisfied by a concrete, deployed component.

01 · Identity & Access Management
GitLab OIDC · K8s RBAC · Cilium Mutual Auth · Kyverno
02 · Network Security
Cilium NetworkPolicy · mTLS · Falco · cert-manager
03 · Data Security
Rook/Ceph encryption · Vault KMS · External Secrets
04 · Application Security
Syft · Grype · Dependency-Track · Cosign · GitLab SAST
05 · Endpoint & Device Security
Falco (eBPF) · Kyverno admission control
06 · Security Operations
OpenSearch SIEM · Falco Sidekick → Kafka → OpenSearch
07 · Governance, Risk & Compliance
Kyverno policy-as-code · audit logs · EUCS / NIS2 / GDPR baseline
08 · Resilience & Availability
ArgoCD multi-region · CloudNativePG HA · PDB · HPA
09 · Privacy & User Control
Kyverno privacy-by-design · Vault dynamic secrets
10 · Emerging & Future Threats
Supply chain (SBOM + provenance) · PQC on roadmap

Security

Security across the whole lifecycle — build, run, communicate.

Not just distribution. Every stage — from source code to data at rest — is verified, isolated and encrypted.

01 · Secure application build
CI/CD · DevSecOps · source · scan · SBOM · sign

Every image is scanned, gets a CRA-aligned SBOM and is cryptographically signed before it ever ships.

Syft · SBOM, Grype, Dependency-Track, Cosign, GitLab SAST

02 · Secure runtime & operation
eBPF · runtime · policy-as-code · isolated

Workloads run under restricted runtimes with eBPF syscall monitoring and admission policy enforced as code.

Falco · eBPF, Kyverno, Policy-as-code, Restricted runtimes

03 · Secure communication & storage
mTLS · KMS · encrypted at rest · in transit

Zero-trust mTLS between every workload, EU-owned keys, encryption in transit and at rest.

Cilium mTLS, Vault KMS, cert-manager, Rook/Ceph

Who we are

An engineering team building sovereign cloud infrastructure for organisations that cannot afford to depend on a single provider — or a single jurisdiction.