Introducing StackCheck.eu

A side project born from a simple question: where does my data actually go? StackCheck scans any website's infrastructure to reveal the real data sovereignty picture — beyond marketing claims.

Published February 2026 · 6 min read

The problem

While building EmailConnect, I kept running into the same question when evaluating services: where does my data, and my users' data, actually go?

Privacy policies will tell you they "take data protection seriously." Marketing pages will say "GDPR compliant." But none of that tells you whether the service runs on AWS in Virginia, uses Cloudflare for DNS, or sends your support tickets through a US-headquartered helpdesk.

Physical location doesn't equal legal jurisdiction. A company can host in Frankfurt on AWS and still be subject to the US CLOUD Act. The only way to know is to look at the actual infrastructure — and that's what StackCheck does.

What StackCheck does

StackCheck is a data sovereignty scanner. Enter any domain, and it performs automated infrastructure analysis across three phases to map where data actually flows.

Phase 1: DNS analysis

StackCheck starts with DNS — the foundation of any online service. It analyzes DNS records, detects SPF includes to identify email infrastructure, parses verification records, and maps out the services disclosed through DNS configuration.
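The SPF step described above, sketched as an added example (this is not StackCheck's code): it extracts `include:` and `redirect=` targets from TXT records and maps them to providers. The signature table and the sample records are constructed for illustration, and `spf.eu-mailer.example` is a placeholder provider.

```python
import re

# Illustrative signature table (not StackCheck's): SPF target -> (provider, HQ).
# The last entry is a made-up placeholder provider.
SIGNATURES = {
    "_spf.google.com": ("Google Workspace", "US"),
    "spf.protection.outlook.com": ("Microsoft 365", "US"),
    "amazonses.com": ("Amazon SES", "US"),
    "spf.eu-mailer.example": ("EU Mailer (placeholder)", "EU"),
}

# Constructed TXT answers for one domain, in zone-file presentation form.
SAMPLE_TXT = [
    '"v=spf1 include:_spf.google.com " "include:amazonses.com ~all"',
    '"google-site-verification=CONSTRUCTED-TOKEN"',
]

def spf_targets(txt_records):
    """Domains referenced by include: mechanisms and redirect= modifiers."""
    targets = []
    for record in txt_records:
        # Multiple quoted strings in one record are joined with no separator.
        text = "".join(re.findall(r'"([^"]*)"', record)) or record
        terms = text.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue  # verification tokens and other TXT data are not SPF
        for term in terms[1:]:
            m = re.fullmatch(r"[+\-~?]?include:(\S+)|redirect=(\S+)", term, re.I)
            if m:
                targets.append((m.group(1) or m.group(2)).lower().rstrip("."))
    return targets

def classify(targets):
    """Map each SPF target to a known provider, or mark it unknown."""
    result = {}
    for target in targets:
        result[target] = ("unknown", "unknown")
        for suffix, provider in SIGNATURES.items():
            if target == suffix or target.endswith("." + suffix):
                result[target] = provider
                break
    return result

if __name__ == "__main__":
    for target, (name, hq) in classify(spf_targets(SAMPLE_TXT)).items():
        print(f"{target}: {name} (HQ: {hq})")
```

Targets left as "unknown" are the ones worth a manual look, since an include can itself chain to further includes at another provider.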

Phase 2: Infrastructure analysis

Next, it performs IP geolocation, maps IP addresses to Autonomous System Numbers (ASNs) to determine hosting ownership, detects CDN services, analyzes SSL certificate information and issuer location, and enumerates subdomains. This reveals the actual hosting infrastructure — not what the marketing page claims, but what the server actually reports.

Phase 3: Content analysis

Finally, StackCheck scans the homepage for third-party scripts and tracking pixels, automatically locates and parses privacy policies, and discovers sub-processor disclosure pages. This catches the services that don't show up in DNS or IP analysis — analytics tools, chat widgets, payment processors, and other embedded third-party code.

Recursive dependency scanning

Here's where it gets interesting. For every third-party service detected, StackCheck performs a full infrastructure scan of that service too. This reveals whether a third-party service, despite being EU-based, secretly runs on non-EU cloud infrastructure. A chain is only as strong as its weakest link.

The scoring model

StackCheck categorizes every detected service into one of four layers, weighted by data sensitivity:

| Layer | Weight | Examples |
| --- | --- | --- |
| Infrastructure | 3x | Hosting, servers, CDN, SSL certificates |
| Backend services | 2x | Email, payments, auth, databases, monitoring |
| Frontend & third-party | 1x | Analytics, tracking, widgets, embedded content |
| Disclosed services | - | Services mentioned in privacy policies |

Each service receives an EU status: EU (company and infrastructure both in EU), EU Hosted (non-EU company using EU infrastructure), or Non-EU. The scoring uses a "worst-per-layer" approach — one non-EU service in a critical layer can't be averaged away by five EU services in the same layer.

Why "EU Hosted" isn't the same as "EU"

A US company can run servers in Frankfurt — your data sits in the EU physically. But the company is still subject to US law. Under the CLOUD Act, US authorities can compel a US-headquartered company to hand over data regardless of where it's stored. StackCheck distinguishes between these scenarios because the legal exposure is fundamentally different.

Grades and verification

StackCheck assigns letter grades from A++ to F. The highest grades (A+ and A++) are only available to verified listings — site owners who have confirmed or corrected the automated scan results. This creates an incentive for transparency: if you want to prove your EU compliance, verify your StackCheck listing.

| Grade | Score | Meaning |
| --- | --- | --- |
| A++ | 95-100 | Verified EU-sovereign (verified listings only) |
| A+ | 90-94 | EU-sovereign (verified listings only) |
| A | 80-89 | Strong EU posture (max for unverified) |
| B | 70-79 | Mostly EU, some concerns |
| C-D | 40-69 | Mixed, significant non-EU dependencies |
| F | 0-39 | Non-EU infrastructure at critical layers |

The grading has hard caps: any non-EU infrastructure immediately caps the score at 35 (F), non-EU backend services cap at 55 (D), and non-EU frontend services cap at 75 (B). You can't offset a fundamental infrastructure problem with good scores elsewhere.
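The worst-per-layer rule and the hard caps, worked through as an added example (not StackCheck's implementation). It assumes the uncapped score is supplied by the caller, since the page does not publish how it is computed, models "A is the max for unverified" as a ceiling of 89, and applies no cap for "EU Hosted" because the page states none.

```python
# Hard caps from the page, applied when a layer's worst status is Non-EU.
CAPS = {"infrastructure": 35, "backend": 55, "frontend": 75}
# Grade bands from the page's table as (lower bound, label).
BANDS = [(95, "A++"), (90, "A+"), (80, "A"), (70, "B"), (40, "C-D"), (0, "F")]
UNVERIFIED_MAX = 89  # assumption: unverified listings cannot score above grade A
SEVERITY = {"EU": 0, "EU Hosted": 1, "Non-EU": 2}

def worst_per_layer(services):
    """Reduce (layer, status) pairs to the single worst status in each layer."""
    worst = {}
    for layer, status in services:
        if SEVERITY[status] >= SEVERITY[worst.get(layer, "EU")]:
            worst[layer] = status
    return worst

def grade(raw_score, services, verified=False):
    """Return (score, grade, limiting factor) for a 0-100 raw_score.

    raw_score is an input here; how StackCheck derives it is not on the page.
    """
    worst = worst_per_layer(services)
    score, limited_by = raw_score, None
    for layer, cap in CAPS.items():
        if worst.get(layer) == "Non-EU" and cap < score:
            score, limited_by = cap, layer
    if not verified and score > UNVERIFIED_MAX:
        score, limited_by = UNVERIFIED_MAX, "unverified"
    label = next(name for floor, name in BANDS if score >= floor)
    return score, label, limited_by

if __name__ == "__main__":
    # Constructed stack: five EU backend services do not offset one Non-EU one.
    stack = [("infrastructure", "EU")] + [("backend", "EU")] * 5
    stack.append(("backend", "Non-EU"))
    print(grade(92, stack, verified=True))
```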

Open source detection signatures

StackCheck's detection signatures — the patterns used to identify services from DNS records, HTML content, and network analysis — are licensed under CC0 (public domain) and hosted on Codeberg, a privacy-friendly alternative to GitHub. Anyone can contribute new patterns for services that StackCheck doesn't yet detect.

Why I built it

StackCheck started as a personal tool. When I was selecting services for EmailConnect's infrastructure, I needed to verify that my entire stack — not just my own servers, but every third-party dependency — met the EU sovereignty standard I was promising to customers.

Reading privacy policies and marketing pages wasn't enough. I needed actual infrastructure analysis. So I built it for myself, and then realized others might find it useful too.

The tagline — "Data sovereignty starts with transparency" — captures the core belief: you can't make informed decisions about data residency without knowing where your data actually flows. StackCheck makes that visible.

Try it yourself

Scan any domain at stackcheck.eu and see where data actually flows. If you own the site, verify your listing to get the most accurate score.

StackCheck is a side project by the founder of EmailConnect. It's built independently and doesn't share any data with EmailConnect or any other service.