CONFIGURABLE active definition

Chosen by the client

The sovereignty level is chosen during contracting among SOV-IT, SOV-EU or SOV-EXTRA.

// What it means

CONFIGURABLE is not a standalone sovereignty level: it is a promise of flexibility. The service or package can be deployed in SOV-IT, SOV-EU or SOV-EXTRA depending on the client's choice, made during contractual onboarding.

This tag typically appears on modular products and packages where the application architecture is the same but the deployment plan changes: same code, different infrastructure. It avoids forcing the client into a predefined choice.

One important caveat applies, however: for public clients (public administration, in-house entities, tenders with PSN/AgID requirements) or for regulated sectors (healthcare, finance with DORA, critical infrastructure with NIS2), the SOV must be locked in from the very start of the project. Keeping CONFIGURABLE beyond the scoping phase in these contexts can create compliance problems during the tender, the regulatory authorization or the audit.

The choice of sovereignty level is formalized in the contract and in the Data Processing Agreement. Once selected, the SOV becomes binding for the entire duration of the service unless an agreed migration takes place: the configuration is final. The technical documentation (DPA, DPIA, register of processing activities, audit logs, any security certifications) must be produced or regenerated in line with the final chosen SOV, not with the hypothetical regime.

Migrating between levels after deployment is technically possible but is a dedicated formal project: it can be costly, require production stop-and-go, and in the most delicate cases (e.g. SOV-EXTRA to SOV-IT migration for public administration projects) it can entail new ACN/AgID authorizations, redoing the DPIA and re-validating the clauses with the data protection officer.

// Where the data resides

Decision: During contracting, before deployment
Suggested default: SOV-EU for EU commercial projects
Documentation: DPA updated to the SOV actually chosen
Audit: Operational logs track the active SOV
Migration: Possible via a dedicated formal project; costly and with possible ACN/AgID re-authorizations for public administration

// When to choose it / when not to

Choose it when

  • Standard packages serving different markets (public administration, EU private sector, multinationals)
  • Clients who want to evaluate options before committing to a jurisdiction
  • Multi-tenant architectures where each tenant may have different sovereignty requirements
  • White-label products where the reseller decides the SOV for its own clients

Avoid it when

  • Systems with rigid single-SOV requirements defined by law (e.g. PSN for public administration, DORA for critical finance, NIS2 for essential entities)
  • Public tenders where the SOV must already be declared at the bidding stage
  • Projects where the client already has a clear corporate policy: better to assign the final SOV
  • Critical workloads where flexibility adds complexity without value

// Compliance and standards

Regulatory references and standards applicable to the CONFIGURABLE sovereignty level.

All standards: The applicable requirements depend on the SOV chosen at deployment
Updated DPA: The Data Processing Agreement reflects the actual SOV, not the hypothetical one
DPIA · audit · certifications: All technical documentation must be produced or regenerated in line with the final SOV
Conditional TIA: Transfer Impact Assessment needed only if SOV-EXTRA is chosen
Sector constraints: For public administration, healthcare, finance (DORA) and NIS2 the SOV must be locked in from the contract

// Specific FAQ

Can I change the SOV after deployment?

Technically yes, but it is a formal migration project with production stop-and-go. For public administration or regulated projects, a migration (e.g. from SOV-EXTRA to SOV-IT) can require new ACN/AgID authorizations, redoing the DPIA and re-validating the contractual clauses with the DPO. The initial choice must be made consciously.

Does a CONFIGURABLE service cost more?

No. The standard pricing covers any one of the available SOVs. Only on-premise hardware requirements, if any (typical of SOV-IT), generate specific additional line items.

What happens if I don't choose?

We apply SOV-EU as the default. It is the most balanced choice for the majority of European commercial use cases.

Want to understand which sovereignty level is right for your project? Let's talk.