Why this report exists
I’ve seen “sovereignty” used a lot — usually as something you either have or don’t. That’s not how it works. Once you start building and operating these systems yourself, you realize pretty quickly that you never fully “have” control. You either understand where you have it — or you don’t. And if you don’t, it tends to slip over time, quietly.
This report exists because I didn’t want us to rely on assumptions. I wanted us to be able to answer simple questions, properly: where do we actually have control, where do we depend on others, and what happens if those dependencies fail?
Not in theory. In practice.
Overview
WAYSCloud is designed to operate with a high degree of practical control across identity, infrastructure, storage, and AI workloads.
Core platform components are developed, operated, and controlled by WAYSCloud. External dependencies exist, but they are deliberately selected, constrained, and continuously evaluated.
Sovereignty is treated as something you maintain — not something you claim.
In this context, it means:
- control over core platform components
- control over data processing and data flow
- alignment with European jurisdiction where relevant
- the ability to operate independently where required
The objective is not to eliminate dependencies — that’s not realistic — but to ensure they don’t compromise control.
Identity and Access Management
Identity services are self-hosted and operated internally.
No external identity providers are used.
Control Plane and Orchestration
Provisioning systems, APIs, and orchestration logic are developed and operated by WAYSCloud.
No external provider controls the control plane.
Data and Storage Systems
Databases and object storage are operated within infrastructure under WAYSCloud control.
No hyperscaler storage services are used.
Compute and Infrastructure
Core workloads are executed on infrastructure managed and controlled by WAYSCloud across European data centers.
AI and LLM Workloads (Core Inference)
Core LLM inference runs on infrastructure under WAYSCloud control.
No external inference providers are used for these workloads.
Operational and Audit Systems
Monitoring, operational control, and audit systems are developed and operated internally.
No external observability platforms are used for core operational oversight.
External Dependencies and Control Measures
External dependencies exist.
They always will.
What matters is whether you know exactly where they are — and what happens if they stop working.
WAYSCloud uses a limited set of external providers where appropriate. These are governed through explicit control measures.
Jurisdictional Constraints
External providers are selected within European jurisdiction where relevant.
Operational Constraints
External services are integrated in a way that limits their control surface:
- no external provider controls identity or authentication
- no external provider controls the control plane
- data processing remains within WAYSCloud-controlled infrastructure unless explicitly stated
Vendor Independence
Architectural decisions aim to avoid lock-in:
- standardized interfaces and protocols
- ability to replace providers without redesign
- avoidance of tight coupling where possible
From my perspective, dependency becomes a problem the moment you stop seeing it.
Requirements Imposed on Third-Party Providers
External providers are not treated as black boxes.
Requirements are defined at integration level:
- jurisdictional alignment where relevant
- no unauthorized data processing or reuse
- operational isolation from control plane and identity
- replaceability without architectural breakage
For critical components, these are enforced through design — not just contracts.
Product-Specific External Processing (AI Generation Workloads)
While core LLM inference runs internally, some AI products (image and video generation) may use specialized third-party providers.
For these:
- processing is limited to the specific workload
- providers are disclosed on product pages
- core platform control and identity are not affected
Architectural Posture
WAYSCloud is designed to maintain control across:
- identity and authentication
- control plane and orchestration
- infrastructure and compute
- storage and data processing
- core AI workloads
Dependencies are:
- deliberately selected
- technically constrained
- continuously evaluated
The goal is to ensure customers understand:
- where data is processed
- who has access
- how dependencies are handled
Risk Management
Dependencies are continuously evaluated.
Open-Source Governance and Licensing
Key open-source components are monitored for:
- licensing changes
- governance shifts
- long-term sustainability
Alternative paths are evaluated where needed.
Open source is used as a control strategy — not just flexibility.
Single-Provider Risk
Single points of dependency are reduced through:
- architectural decoupling
- defined migration paths
- multi-provider strategies where relevant
Data Flow Verification
Data flows are continuously reviewed to ensure:
- processing remains within controlled infrastructure
- no unintended external processing occurs
- sensitive workloads remain internal unless explicitly defined
Ongoing Improvements
The platform continues to evolve through:
- reduction of external dependencies
- increased resilience for critical services
- continuous evaluation of open-source components
- strengthening of data flow control
Control is not a fixed state.
It’s something that has to be maintained.
A personal note
This is the part of cloud I’ve always felt was missing — not because it’s hidden, but because it’s rarely written down in a way that reflects how things actually work. So we did, not because it’s perfect, but because it’s real.
For a more formal overview, we’ve documented this in the WAYSCloud newsroom.