Why Digital Sovereignty Starts with Your Application Stack

When organizations discuss digital sovereignty, the focus often stays at the infrastructure or cloud level. But to truly regain control, the stack must extend all the way to the applications. That includes the design tools your teams use every day.

Let’s unpack how this works in practice, using Penpot, an open source design tool as an example, and mapping it to key dimensions of digital sovereignty: operational, data and technological.

Technological Sovereignty: Owning the Full Stack

Most SaaS tools, while convenient, leave you dependent on upstream vendors, proprietary interfaces and third-party data hosting. If you’re serious about sovereignty, this isn’t enough.

Here’s what implementing technological control looks like:

• Run Penpot on SUSE Linux Enterprise: You start with a hardened OS certified for EAL4+ environments. This gives you control over the base layer, including kernel-level configurations and lifecycle.
• Orchestrate with SUSE Rancher Prime: Rancher enables you to deploy, upgrade and scale Kubernetes-based applications like Penpot, across environments even fully air-gapped.
• Package via SUSE Application Collection: Penpot is part of a curated set of Helm charts. These are pre-tested and version-pinned, helping you avoid supply chain risk and making the software lifecycle predictable.

Implementation Tip: Use Rancher’s private chart repositories in air-gapped setups. The full Helm chart for Penpot is available in the SUSE Application Collection docs, ready for offline deployment.

SUSE Application Collection Penpot overview

Data Sovereignty: Keep Design Files in Your Domain

Design files contain sensitive business logic and IP. SaaS-based design tools often store that in third-party data centers outside your legal jurisdiction.

By self-hosting Penpot:

• You ensure data residency within your own infrastructure (or localized cloud region).
• You retain access control and integrate Penpot with internal LDAP or OIDC.
• You enable full auditability, critical for regulated industries like the public sector, finance, or defense.

Implementation Tip: Use Rancher’s built-in RBAC and access policies to limit who can access and manage Penpot across namespaces. For identity, integrate Rancher and Penpot with a shared IDP to enforce consistent policies.

Operational Sovereignty: Stay Resilient and Self-Sufficient

Downtime in critical applications: Even creative tools can slow down innovation. A sovereign approach means you can operate independently, even when disconnected.

• Penpot is deployed inside your own Kubernetes cluster, maintained via Rancher.
• Updates are under your control. No auto-pushes or forced migrations.
• With air-gapped support, you stay productive even in disconnected or high-security environments.

Implementation Tip: Schedule your own update cycles using Rancher’s GitOps tooling (like Fleet or ArgoCD). Mirror the Helm chart registry locally using helm pull and helm install –version commands to maintain control.

Why This Matters

Digital sovereignty is not abstract, it’s practical. It touches everything from where your data resides, to who controls the code, to how your teams work.

Running something like Penpot may seem small, but it reflects a larger truth: you can regain control over your tools without compromising on usability or collaboration.

And with a complete stack like:

• SUSE Linux Enterprise (OS level)

• SUSE Rancher Prime (Runtime and Control plane level)

• SUSE Application Collection (Workload level)

You’re not just using open source. You’re deploying it with purpose.

Final Thoughts

Choosing to self-host modern tools like Penpot is a small step that delivers outsized sovereignty gains. And it scales whether it’s dev tools, observability stacks or AI runtimes.

Digital sovereignty starts with the apps your teams use daily.

📘 Learn more: docs.apps.rancher.io/reference-guides/penpot

🔒 Explore SUSE’s Digital Sovereignty Strategy: www.suse.com/digitalsovereignty