Changelog
Full version-by-version changelog of the Digital Sovereignty Heatmap.
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[Unreleased]
Vendor-database — 2026-06 to 2026-07
Net result: 1700 → 1771 vendor records across six discrete review rounds plus one new category. Source of truth: apps/web/data/vendors.seed.json.
Added — new category
- Digital Asset Management (
digital-asset-management) — new category with 20 vendors: OpenText (CA), Adobe Experience Manager Assets, Cloudinary, Acquia DAM (Widen), Sitecore Content Hub, Canto, Aprimo, Brandfolder (all US) as non-EU anchors, plus EU alternatives WoodWing (NL), Bynder (NL, US-PE parent disclosed), CELUM (AT), censhare (DE), 4ALLPORTAL (DE), Wedia (FR), QBank (SE), Fotoware (NO), Papirfly (NO), Frontify (CH), Pimcore (AT) and ResourceSpace (GB, open source).
Added — gap analysis, round 1 (2026-07-01)
Targeted scan of the twelve categories with the fewest EU alternatives. 21 new EU vendors including:
- AI Cowork: Delos (FR, sovereign French AI workspace), nexos.ai (LT, founded by Nord Security founders), Nextcloud Assistant (DE, open source).
- Writing tools: DeepL Write (DE), Writefull (NL), ProWritingAid (GB), Surfer SEO (PL), CKEditor (PL, open source).
- API Management: Frends (FI), Locoia (DE), STOA (FR, open source).
- CAPTCHA: Private Captcha (EE), Myra EU CAPTCHA (DE), Captcha.eu (AT) — all GDPR-compliant and cookieless.
- Transactional Email: AhaSend (NL), MessageFlow (PL).
- ITSM: Otobo (DE, second active OTRS fork alongside Znuny).
- Misc: tyntec (DE, SMS API), ScreenCom (NL, digital signage), Cookie Information (DK, consent), Lurus Code (DE, AI coding).
Added — gap analysis, round 2 (2026-07-02)
Systematic scan of the remaining 40 business categories in two blocks of 20, using Haiku 4.5 finder + Sonnet 4.6 verify. 75 new EU vendors including:
- Databases/data: Elastic (NL, AGPLv3-restored — previously never recorded), Kestra (FR, Apache-2.0 workflow orchestrator).
- VoIP/remote desktop: TSplus (FR), RealVNC (GB), Snom (DE), Equada (DE), Nomado (BE), Voiped Telecom (NL).
- GIS/CAD: Oslandia (FR, open source), OPENGIS.ch (CH), Coexya (FR), Pix4D (CH), Graphisoft ArchiCAD (HU), Graebert ARES (DE), ELITECAD (AT), Cadwork (CH), Leica Geosystems (CH), Eurosense (BE), Lutra Consulting (GB).
- Compliance/HR: DataGuard (DE), Orbiq (DE), EuroComply (PT), Talentech (NO), Vouch (NO), Eploy (GB), Breathe HR (GB), Ubisecure (FI).
- Time-tracking/low-code: solidtime (AT, open source), Time Cockpit (AT), timeBuzzer (DE), Calenso (CH), Cronofy (GB), Reservio (CZ), Agendize (FR), WeWeb (FR), Cerberus Testing (FR, open source).
- AI/design: Lovable (SE), Haystack/deepset (DE, open source), Rebelle (SK), ArtFlow (PL).
- Backup/translation: Bacula Systems (CH, AGPLv3), Xopero (PL), Locize (CH), Apertium (ES, open source), Protemos (UA).
- Forms/surveys (chronically under-supplied): AidaForm (DE), Edkimo (DE), empirio.ai (DE), easyfeedback (DE), QUESTIONSTAR (DE), Crowdtech (NL), SmartSurvey (GB).
- Marketing/esign/CMS: Omnisend (LT), AGNITAS (DE, open source), Membrain (SE), Quarticon (PL), sproof (AT), Commfides (NO), Penneo (DK), Buypass (NO), Jahia (CH), Microweber (BG, open source), Roadiz (FR, open source).
- Other: Beckhoff Automation (DE, IoT), KEBA (AT, IoT), Joker.com (DE, registrar), Tine 2.0 (DE, groupware), APPUiO (CH, virtualization), Keelearning (DE, LMS), Hornbill (GB, ITSM), Linphone (FR, open source), SendRec (RO, open source), Elestio (IE, DevOps), World4You (AT, webhosting), Coolhousing (CZ, webhosting).
Changed — vendor audits
Round 1 (2026-06-12/13): deep audit of the full catalogue via multi-agent workflow. 320 corrections applied across 349 vendors, including 153 ownership updates, 73 HQ corrections, 26 rebrands, 17 licence-classification fixes and 39 removals of discontinued/absorbed products.
Round 2 (2026-06-30): cheaper overnight loop (Sonnet 4.6 across six ticks) covering the 1223 vendors that were not touched in round 1. 78 confirmed findings, 67 changes applied. Highlights: Harvest → Bending Spoons (IT), MailerLite → Vercom (PL), Fondy → TBC Bank (GB), MariaDB commercial arm → K1 Investment (US), PAYONE under Worldline (FR), Paytrail → Nexi (IT), Magnolia CMS → GENUI (DE), Roundcube → mailbox.org (DE), Signaturit → Namirial (IT), Nmbrs → Visma (NO). Licence rug-pulls: CapRover, Chatwoot, Invoice Ninja, OpenKM, Planka, Rasa, TheHive. Removals: legacy SchildiChat Desktop, standalone Sofort, Juke, iRedMail Easy.
Site & UX — 2026-06 to 2026-07
Added
- User-facing changelog entries for every vendor-database change round, so the footer "Bijgewerkt" badge stays honest.
- Live vendor count in the About-page FAQ, driven by
computeCatalogueStats().totalVendors— no more stale "1.700 vendors" copy after every audit. - Auto-scroll to results on
/mapwhen the user selects a category (previously the results block was below the fold on desktop). - Auto-scroll to results on
/alternativeswhen the user picks a category, OR when they press Enter in the search box. Typing alone no longer scrolls — the debounce triggers filtering but leaves the viewport still.
Fixed
- Telemetry: batched client events to stop 429s on the assessment result step.
[0.2.0] - 2026-05-26
On-site changelog
- New
/[locale]/changelogpage (NL + EN) rendering the user-facing update history. Source of truth:apps/web/src/lib/changelog.ts(typed, kept separate from this technical CHANGELOG.md). - Footer badge "Bijgewerkt:
" / "Updated: " on every page, sourced from the latest changelog entry, linking to /changelog. /changelogadded tositemap.xmlwith NL/EN hreflang alternates.
Vendor-database review — 2026-05-26
Net result: 1679 → 1700 vendor records. Source of truth: apps/web/data/vendors.seed.json. One-shot migration script: apps/web/scripts/migrate-vendors-2026-05.ts.
Added
- Schema fields on
Vendor(additive, non-breaking):ultimate_parent_country(optional ISO-2),sovereignty_mode(vendor-hosted-eu/self-host/oss-distributed/vendor-hosted-non-eu),eu_classification(eu-strict/eea/efta/eu-adjacent). Back-filled for all existing records. - 27 new EU vendors: CMP (Didomi, Axeptio, consentmanager.net) — SMS (TextMagic, SMSAPI) — Monitoring (Dynatrace, Pandora FMS) — Time tracking (TimeCamp, TimeTac) — Low-code (Make.com, Ninox, SeaTable) — Marketing (MailerLite) — CMS (Hygraph) — Translation (memoQ, Phrase TMS, Wordbee, Across) — Fintech (Trade Republic) — Helpdesk (Aircall) — Healthcare (Nedap Healthcare) — AI coding (JetBrains AI Assistant) — Notes (Bear) — Scheduling (Pretix, Bookingkit) — Enterprise social (LumApps, Talkspirit).
- Invariant test suite vendor-invariants.test.ts — 9 tests pinning: no
EUsentinel HQ without explicitsovereignty_mode, no >2 categories without allow-list, no duplicate(name, category)pairs, no Dutch' or 'translation-bug pattern indescription_en, ISO-3166-1 alpha-2 country codes, HTTPS-only websites, and the May-2026 problem-record outcomes. - ADR-001 — policy for borderline EU-provenance vendors (Optimizely, Sitecore, Talkdesk, Dashlane, Revolut, Yubico).
Changed (corrected HQs)
- Hologic, Carestream Health, Wrike, WordPress (self-host) reclassified EU → US. Wrike now carries
ultimate_parent_country=US(Symphony Industrial). - RustDesk → CN with
sovereignty_mode=oss-distributed. Logseq → SG,oss-distributed. Synology Drive (on-prem) → TW,self-host. - Bitrix24 → CY with
ultimate_parent_country=RUdisclosed in description. - Wire (both collaboration + messaging records) corrected to CH,
eu_classification=efta. - Directus → US (
ultimate_parent_country=US,sovereignty_mode=self-host); the duplicate cms-categorised record was removed in favour of the low-code entry. - SumUp → GB with
eu_classification=eu-adjacent; the duplicatesumup-paymentsrecord removed. - European-classification tags rolled out: 57 Swiss vendors →
efta, 29 Norwegian/Icelandic →eea, 4 Ukrainian →eu-adjacent, 1159 EU-27 →eu-strict.headquarters_regionleft atEUdeliberately so the scoring engine (10+=== "EU"checks across dimensions, drivers, migration, suggestions) keeps its current behaviour.
Removed
epic-eu(real HQ Verona WI —epic-ehrUS incumbent retained)sumup-payments(merged intosumup)directuscms-variant (merged intodirectus-lowcode)soffos-office(duplicate ofsoftmaker-officein the same category)adyenandmolliefromerp-finance— payments processors, not ERPs. Both still listed underpayments(ande-commercefor Adyen).
Earlier under [Unreleased]
Added
- New category: writing-tools (Schrijfhulp & Grammatica) with LanguageTool as EU alternative
- New vendors: Backblaze (storage-backup), Grammarly (writing-tools), Luminar Neo (design)
- EU alternative mappings for Backblaze, Grammarly, and Luminar Neo
Fixed
- Pinned
aquasecurity/trivy-actionto@0.30.0(was@master— supply chain risk) - Dockerfile: resilient native addon copy handles pnpm hoisting variations
- Defensive JSON parsing in
mapVendorRow(try/catch instead of bareJSON.parse) - Map and Alternatives pages: added error state with retry button (was silent failure)
- Accessibility: added
aria-labelto map country panel close button - Copy: consistent Dutch wording in map disclaimer
Security
- Red-team review completed: PASS across all 5 perspectives (architecture, security, test quality, devops, UX)
- No blockers found; 4 majors identified and remediated
- Full findings documented in REVIEW.md
[0.1.0] — Unreleased
Added
- Vendor expansion: ~130 vendors across 20 categories (was ~105 in 16)
- 4 new categories: Projectmanagement (business), Muziek streaming, Video streaming, Notities & taken (personal)
- ~24 new vendors: project management (OpenProject, Taiga, Plane, Jira, Confluence, Notion, Linear, Asana), music streaming (Deezer, Spotify, Tidal, Apple Music, YouTube Music), video streaming (NLZIET, NPO Start, Netflix, YouTube, Disney+), notes & tasks (Joplin, Standard Notes, Obsidian, Apple Notes, Google Keep), plus LinkedIn, Instagram, TikTok (social media) and Safari (browser)
- Direct vendor recommendations: concrete "Gmail → Stap over naar Tuta" suggestions with specific Dutch-language reasons per vendor
VendorRecommendationinterface andgenerateVendorRecommendations()in@ds-heatmap/coreRecommendationListcomponent for rendering recommendations in results- Personal block: 8 new personal categories (E-mail, Messaging, Cloud Storage, VPN, Password Manager, Browser, Social Media, Desktop OS)
- Separate scoring: business and personal assessments computed and displayed independently
- 2 new personal scenarios: Privé Soeverein, Privé Hybride
blockfield on Category schema ("business"|"personal")DEFAULT_PERSONAL_CATEGORY_WEIGHTSandCRITICAL_PERSONAL_CATEGORIES- Database migration for existing DBs (adds
blockcolumn)
Changed
- Recommendation system: replaced abstract driver-level suggestions with direct per-vendor recommendations
- Removed
DriverSuggestiontype,suggestionsfield onDriver, andenrichDriversWithSuggestions() - Business category weights renormalised for 9 categories (added project-management at 0.066)
- Personal category weights redistributed for 11 categories (equal ~0.0909 each)
notes-tasksadded toCRITICAL_PERSONAL_CATEGORIES- Wizard vendor selection split into "Zakelijk" and "Privé" sections
- Results page shows separate score panels per block with recommendation section
- Existing business scenarios updated with new vendors
- Telemetry allowlist expanded with all new vendor and category slugs
[0.1.0] - 2026-02-27
Added
- Three-step assessment wizard: vendor selection → context → results with animated transitions
- Deterministic scoring engine: 5 sovereignty dimensions (JES, DRS, CKS, PLS, SRS), category-weighted aggregation, risk drivers
- Vendor knowledgebase with SQLite (better-sqlite3) — 32 vendors, 8 categories, 3 scenarios
- Zod schemas for Category, Vendor, and Scenario in
@ds-heatmap/core - API routes:
GET /api/vendors,GET /api/categories,GET /api/scenarios,GET /api/health - Vendor filtering by category (
?category=) and search (?q=) - Auto-seeding: database is seeded from JSON on first access
- CLI seed script:
pnpm seed/pnpm seed --force - Board memo generation: "Genereer bestuursmemo" button on results page → POST
/api/memo→ print-friendly/memopage - Dutch-language deterministic template with score-dependent executive summary, risk drivers, and recommendations
- Optional Claude AI integration (
CLAUDE_ENABLED=true) with automatic fallback to template - In-memory token-bucket rate limiter for
/api/memo(5 burst, 1/10s refill per IP) - Print/PDF-friendly layout with
@media printstyles (A4) - Privacy-preserving telemetry: aggregated counters only, no raw events or PII stored
- Telemetry disabled by default (
TELEMETRY_ENABLED=false); double opt-in (server + user) - Strict allowlist validation: event names, vendor/category slugs, context enums, score bands (0-33/34-66/67-100)
/trendspage with k-anonymous community data (buckets < K_ANON_THRESHOLD grouped as "Other")- Footer telemetry toggle with clear privacy copy
POST /api/telemetryendpoint with rate limiting and Zod validationGET /api/trendsendpoint with k-anonymity filtermetrics_countersSQLite table for aggregated counter storage- Release workflow: tag → build + Trivy scan → push to GHCR → GitHub Release with CHANGELOG notes
- Structured JSON logger for server-side components
- Initial project scaffold: Next.js 15 (App Router) + TypeScript + Tailwind CSS + shadcn/ui
- pnpm monorepo with
apps/webandpackages/core - Multi-stage Dockerfile with non-root runtime user
- Docker Compose with Caddy reverse proxy (auto-HTTPS capable)
- GitHub Actions CI: lint, typecheck, test, build, Trivy scan, gitleaks, dependency audit
Security
- Next.js middleware with security headers: CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy
- Request body size limits on all POST endpoints (16 KB for memo, 2 KB for telemetry)
- Rate limiting per client IP on POST endpoints (in-memory token bucket)
- Zod schema validation on all POST request bodies
- Docker: read-only filesystem, resource limits (512 MB / 1 CPU), restrictive data directory permissions (750)
- OCI image labels for GHCR metadata
- No prompt payloads logged in Claude integration
- No PII stored in telemetry (counters only, no IPs, no sessions)