OPEN BENCHMARK · v1

The Sovereignty Test

Three questions any UK cloud or AI contract can be scored against, without the author's permission. Published April 2026. Apply it to your own procurement; cite the test; don't ask.
Creative Commons Attribution-only licence · v1 · updated 21 April 2026

Data sovereignty remains, in DSIT's own February 2026 assessment, "a complex and evolving policy area" with no settled definition. In the absence of a settled definition, contract decisions worth hundreds of millions are still being made. Buyers need a test they can apply now, before the policy vocabulary catches up. This is that test.

Three questions, in order. Any UK cloud, AI, or data contract can be scored against them. Amber or red on any question flags a decision a buyer should be able to defend in writing. Green on all three is rare.

The three questions

1 · Location

Where does the data physically sit?
Look for:
  • Named data centre locations (not "region" or "zone")
  • UK-resident for NHS-commercial or defence-adjacent corpora
  • No cross-border replication clauses that cannot be disabled
  • Backup jurisdictions explicitly named

2 · Operation

Who holds the keys and can pull the plug?
Look for:
  • Key-management architecture (customer-managed, vendor-managed, or split)
  • Administrative access controls: who in the vendor organisation can access data
  • Service-termination rights and data-portability obligations
  • Air-gap architecture if NHS or defence-adjacent

3 · Evidence

What law governs compelled access, and where is the audit?
Look for:
  • US CLOUD Act exposure (any US-parent vendor, even with UK subsidiary)
  • UK GDPR + Data Protection Act 2018 compliance in writing
  • Audit logs retained and accessible to the customer
  • Published transparency report or breach-disclosure obligation

How to apply

  1. Identify the contract vendor. Parent company, subsidiary structure, cap-table ownership, not just the trading name.
  2. Answer each of the three questions against published evidence. Official documentation, parliamentary records, press releases, DSAR responses. Undocumented commitments do not count.
  3. Score traffic-light per dimension: green (fully addressed and verifiable), amber (partially addressed or mixed), red (unaddressed or incompatible).
  4. Publish the scoring internally. In the commissioning decision record, in the board paper, in the procurement justification. The audit is the point.

Example scoring: three public UK contracts

Illustrative application of the test to three publicly-disclosed UK contracts. Every claim sourced below.

MOD Google Distributed Cloud · £400M (September 2025; NATO extension March 2026)

LocationUK-resident · air-gapped · explicitly named sites
OperationAir-gap architecture gives MOD full operational control
EvidenceUS CLOUD Act exposure mitigated by air-gap but not eliminated; Google remains a US parent
Sources: MOD press release Sep 2025; NATO announcement Mar 2026. Overall: green × 2, amber × 1. The architecture the rest of UK public-sector cloud contracts aspire to.

NHS Palantir Federated Data Platform · £330M (signed 2023; break-clause debate Apr 2026)

LocationUK-resident compute but backup data-paths not fully disclosed
OperationNHS retains administrative access but Palantir key-management contested
EvidenceUS CLOUD Act exposure not mitigated · break clause under parliamentary review Apr 2026
Sources: Westminster Hall debate 16 April 2026; Foxglove legal commentary; BMA public position; Digital Health coverage. Overall: amber × 2, red × 1. The architecture currently under break-clause consideration.

Isambard-AI · Bristol (operational 2025)

LocationUK-resident · University of Bristol / EPCC operational
OperationUKRI-governed · UK academic and public-sector key control
EvidenceUK Research & Innovation regulatory frame · no US parent
Sources: UKRI Isambard-AI launch documentation; UK Compute Roadmap. Overall: green × 3. The reference point for what UK-sovereign public compute looks like.

Licence and contribution

Creative Commons Attribution 4.0 International (CC BY 4.0). Use this test in your own procurement decisions, board papers, ICS commissioning documents, and public commentary without permission. Attribute with: "The Sovereignty Test v1 · RiDraw Sovereign Meridian · insights.ridraw.com/tools/sovereignty-test/". The test is designed to be used, cited, and extended, not gate-kept.
Contribute a scoring. Email santosh@ridraw.com with any public UK contract you've scored using the test. We publish the best contributions in future weekly issues, with attribution to you (or anonymised on request). Over time the test becomes a public library of UK sovereignty benchmarking decisions. That is the point.