
Frequently asked questions.

The answers to the most frequent questions about NextHop, our scoring methodology, the CLOUD Act, our audits and our public API. If yours is not listed, write to us at contact@nexthop.fr.

NextHop and its independence

How the project works and who funds it.

Who funds NextHop?

NextHop is an independent initiative funded by its team's audit and consulting activity. No cloud provider sponsors the platform. Our economic model and governance are described on the Independence charter page.

Is NextHop paid by cloud providers?

No. No cloud provider, hyperscaler or sovereign software vendor pays us to feature in the observatory or to influence a score. Revenues come exclusively from audit missions for end clients and from consulting for organisations that wish to steer their cloud strategy.

How can a score be challenged?

A provider, a client or a journalist can email contact@nexthop.fr indicating the contested criterion and the public source justifying the revision. The full procedure (acknowledgement within 5 working days, reasoned decision within 30 days, publication in the changelog) is described on the Methodology page.

Does NextHop publish its source code?

A portion of our infrastructure and open datasets is progressively published on GitHub. The main repository groups the observatory components and the public API. [TO BE COMPLETED: public repository link]


Scoring methodology

How NextHop scores provider sovereignty.

How is the sovereignty score calculated?

The score is a direct weighted sum of 6 criteria: jurisdiction (20), extraterritorial immunity (20), technology (15), data (20), certifications (15), openness (10). No hidden normalisation, no secondary weighting. The Methodology page details the points attribution scale.

What are the 6 criteria?

Jurisdiction (law applicable to the operating entity), Extraterritorial immunity (ability to resist the CLOUD Act, FISA 702, NSL), Technology (stack autonomy), Data (effective location of data, metadata and keys), Certifications (SecNumCloud, HDS, ISO 27001), Openness (reversibility and open standards).

How often are scores updated?

Scores are reviewed every month and on each structural change at a provider (acquisition, qualification, loss of certification, governance evolution). Any modification is recorded in the score changelog with its source.

What happens when a provider changes its policy?

The change is reviewed against public sources, the score is revised if necessary and the entry is added to the score changelog with date, previous value, new value, reason and link to the source.

Is the score an absolute ranking or a benchmark?

It is a benchmark that is comparable across providers, not an absolute quality grade. Two providers with the same score are not necessarily equivalent: the per-criterion profile and the use context (sensitive data or not, business dependencies) remain decisive.

CLOUD Act and extraterritorial laws

What the CLOUD Act and FISA 702 really change for European organisations.

Are my data in Europe protected from the CLOUD Act?

Not necessarily. The cloud region indicates physical location but does not change the provider's jurisdiction. If the provider or its parent is under US law, the CLOUD Act can apply to your data. The CLOUD Act page details the mitigation mechanisms.

Does the GDPR protect me from the CLOUD Act?

No. GDPR governs the processing of personal data but does not neutralise a foreign injunction. On the contrary, a data transfer under the CLOUD Act may create a conflict with the GDPR, exposing the organisation to CNIL sanctions. This is one of the arguments in the Schrems II debate.

FISA 702 vs CLOUD Act, what is the difference?

The CLOUD Act stems from criminal and civil law and authorises an injunction on data stored abroad by a provider subject to US jurisdiction. FISA 702 stems from intelligence law and targets non-US persons located abroad. Both can concern the same provider but under different rules.

What is Schrems II?

Schrems II is a ruling of the Court of Justice of the European Union (July 2020) that invalidated the Privacy Shield, the EU-US data transfer framework. The Court explicitly cites FISA 702 and Executive Order 12333 as problematic. Since then, any transfer to the USA must be subject to a Transfer Impact Assessment.

How do I know if my provider is concerned?

Examine the nationality of the contracting entity and its parent company, as well as the presence of a SecNumCloud qualification. The NextHop observatory indicates for each provider its jurisdiction, its extraterritorial immunity score and its certifications.


Audit and consulting

How a NextHop mission unfolds.

How much does an audit cost?

The price depends on the scope (number of services, complexity, level of depth expected). The standard packages (Diagnostic, Mapping, Strategy) are described on the Audit page with an indicative range. A precise quote is established after an initial scoping exchange, which is free.

How long does an audit take to deliver?

The Diagnostic package is delivered in 2 to 3 weeks. The complete Mapping and the Strategy mission generally require 6 to 12 weeks depending on the size of the cloud estate and the availability of stakeholders.

Who conducts the audits?

The missions are led by our team of cloud, digital law and architecture experts. The methodology is public and identical for all clients. No hyperscaler subcontractor is involved in the sovereignty missions.

Can I see a sample report?

Final reports are confidential and covered by an NDA. During the initial scoping, we share an anonymised template that shows the structure, the sections and the level of detail. Contact us to receive it.


Public API and data

How to use the NextHop open datasets.

How do I use the API?

The NextHop public API exposes providers, scores and CSV/JSON exports via /api/v1. No authentication is required for reading, and a rate limit of 60 requests per minute per IP applies. The Public API page lists endpoints and provides the OpenAPI specification.

Which licence applies to the datasets?

The exports published on /data are distributed under the Creative Commons CC BY-SA 4.0 licence. Free reuse, including commercial, subject to citing NextHop as the source and sharing any derivative work under the same conditions.

Is there a rate limit?

Yes: 60 requests per minute per IP address on the public endpoints, in addition to the global 100/min limiter applied to all /api routes. The standard headers RateLimit-Limit, RateLimit-Remaining and RateLimit-Reset are returned with each response.
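
A client-side pacing helper for the rate limit described here and in the API usage answer, added as an example (it is not NextHop's code). It assumes RateLimit-Reset carries the number of seconds until the window resets, which the page does not specify; the function names are illustrative.

```python
# Added example: pace requests from the RateLimit-* response headers.
# Assumption: RateLimit-Reset is "seconds until the window resets".

# With no usable headers, fall back to the documented 60 requests/minute per IP.
FALLBACK_DELAY = 60.0 / 60


def parse_ratelimit(headers):
    """Return (limit, remaining, reset_s), or None if a header is absent or malformed."""
    h = {k.lower(): str(v).strip() for k, v in headers.items()}
    try:
        # Some servers send "60, 60;w=60"; the first integer is the active limit.
        limit = int(h["ratelimit-limit"].split(",")[0].split(";")[0])
        remaining = int(h["ratelimit-remaining"])
        reset_s = int(h["ratelimit-reset"])
    except (KeyError, ValueError):
        return None
    if limit <= 0 or remaining < 0 or reset_s < 0:
        return None
    return limit, remaining, reset_s


def next_delay(headers):
    """Seconds to wait before the next request so the quota is never exceeded."""
    parsed = parse_ratelimit(headers)
    if parsed is None:
        return FALLBACK_DELAY
    _, remaining, reset_s = parsed
    if remaining == 0:
        return float(reset_s)      # quota exhausted: wait out the window
    return reset_s / remaining     # spread what is left over the rest of the window


if __name__ == "__main__":
    # Constructed sample headers, not captured from the real API.
    samples = [
        {"RateLimit-Limit": "60", "RateLimit-Remaining": "30", "RateLimit-Reset": "30"},
        {"RateLimit-Limit": "60", "RateLimit-Remaining": "0", "RateLimit-Reset": "17"},
        {},  # headers stripped by a proxy
    ]
    for s in samples:
        print(s, "->", next_delay(s))
```

The helper paces on whichever limiter the returned headers reflect, so it works the same whether the response reports the per-IP limit or the global one.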

Can I get authenticated access?

For high-volume usage (synchronisation, product integration, academic research), authenticated access with a dedicated quota is possible. Contact us to describe your use case and obtain an API token.


Another question?

Write to contact@nexthop.fr or use the contact form. We reply within 48 business hours.