Where does US jurisdiction touch your stack?
Enter any domain. We resolve DNS, fetch the HTTP response, parse the HTML and match against a database of US-jurisdiction vendors. The result tells you which CLOUD Act–exposed providers your visitors hit — and what the EU equivalent looks like.
Free · public-surface only · no email required
Detected US-jurisdiction vendors
Want a deeper audit including internal data flows?
This scan is public-surface only. A real audit also covers backend service-to-service calls, server-side SDKs, log shipping and secrets management — the places where sovereignty leaks invisibly.
Request a sovereignty auditWhat this scan actually checks
The scan is intentionally limited to what a non-authenticated visitor can see. We resolve MX, NS and TXT records via DNS, fetch the homepage over HTTPS, parse the response headers, and extract every script, iframe and link element from the first 200 KB of HTML.
We then match those signals against a fingerprint database of 40+ US-jurisdiction SaaS and infrastructure vendors across CDN, hosting, DNS, email, analytics, marketing, error tracking, customer support and payments.
What the scan cannot see: backend-to-backend calls (your application calling Stripe webhooks, log shipping to Datadog, server-side push notifications, internal SaaS integrations). Those require an internal architecture review and are where most real US exposure lives.
Results are cached for 24 hours per domain. Rate limited to 10 scans per IP per hour.