The General Data Protection Regulation applies to every application that processes personal data belonging to EU residents. It doesn't matter where your company is incorporated or where your servers sit. If someone in Germany creates an account, the GDPR governs that data.
For developers, the most consequential compliance decision is where your infrastructure runs. Hosting in Europe eliminates an entire category of legal risk: cross-border data transfers. It simplifies your Data Processing Agreements, reduces the number of regulatory touchpoints, and makes your privacy posture easier to explain to enterprise buyers and regulators alike.
This guide covers what developers need to know about GDPR-compliant cloud hosting: what the regulation actually requires, how to evaluate providers, and what to implement at the application layer.
GDPR Basics for Developers
The General Data Protection Regulation is the EU's data protection law, in force since May 2018. It governs how organizations collect, process, and store personal data belonging to EU residents. The regulation applies regardless of where the processing organization is based. A startup in Singapore serving users in France is subject to GDPR.
Before evaluating hosting options, it helps to understand the core regulatory concepts.
Data controllers and data processors. The controller determines the purposes and means of processing personal data. That's usually your company. The processor acts on the controller's instructions. That's your hosting provider. Both parties have compliance obligations. Controllers must sign Data Processing Agreements (DPAs) with every processor they use.
What counts as personal data. GDPR defines personal data broadly: any information that relates to an identified or identifiable individual. This includes the obvious items like name, email, and phone number. It also includes IP addresses, device identifiers, cookie values, location data, and behavioral data. If your application logs HTTP requests, those logs likely contain personal data.
The cost of getting it wrong. GDPR penalties reach up to €20 million or 4% of global annual revenue, whichever is higher. Regulators have issued significant fines: Meta received a €1.2 billion fine in 2023 for unlawful data transfers. Enforcement has increased year over year since the regulation took effect.
The core principles. GDPR compliance follows six data processing principles:
- Lawfulness: You need a legal basis for each processing activity (consent, legitimate interest, contractual necessity, legal obligation, vital interests, or public task)
- Purpose limitation: Data collected for one purpose cannot be repurposed without a new legal basis
- Data minimization: Collect only the data you actually need
- Accuracy: Keep personal data correct and up to date
- Storage limitation: Don't retain data longer than necessary
- Integrity and confidentiality: Protect data with appropriate technical and organizational measures
The technical controls you build into your application should directly implement these principles.
Why Hosting Location Matters
GDPR data residency and data sovereignty are related but distinct concepts. Data residency means your data is stored in a specific geographic location. Data sovereignty means your data is subject to the laws of a specific jurisdiction and that you retain control over it.
The EU-US transfer problem. GDPR restricts transferring personal data to countries outside the European Economic Area unless adequate protections exist. The United States does not have an adequacy decision from the European Commission covering all transfers. Transferring EU personal data to US-based infrastructure requires either Standard Contractual Clauses (SCCs), Binding Corporate Rules, or reliance on the EU-US Data Privacy Framework.
The history here is important. The Schrems II ruling in 2020 invalidated the Privacy Shield framework that many US cloud providers relied upon. The EU-US Data Privacy Framework (DPF), adopted in 2023, provides a replacement mechanism, but it remains subject to legal challenge. Relying solely on the DPF carries legal uncertainty.
Hosting in the EU eliminates this complexity. When your data never leaves EU territory, cross-border transfer restrictions don't apply. You avoid dependency on legal frameworks that have already been challenged twice. Your compliance posture is simpler, your DPAs are shorter, and your legal team has less to worry about.
Sub-processor chains create exposure. Even if your primary hosting provider is EU-based, their sub-processors may not be. A US-based CDN, a monitoring service that streams logs to US infrastructure, or a US-based backup provider can all create transfer obligations. Choosing an EU-native hosting provider with EU-based sub-processors reduces this surface area significantly.
The simplest way to handle GDPR data residency is to host in the EU. It doesn't solve everything, but it eliminates one of the most complex compliance problems developers face.
What Makes Hosting GDPR-Compliant?
GDPR compliance isn't a certification that providers achieve once. It's an ongoing set of practices. When evaluating a hosting provider, verify these specific capabilities.
Data storage in EU data centers. The provider must guarantee that your data is stored within the EEA. "EU available" doesn't mean "EU only." Confirm the specific data center locations and verify that data doesn't replicate to non-EU regions by default.
Encryption at rest and in transit. GDPR's Article 32 requires appropriate technical measures to protect personal data. Encryption is explicitly mentioned as an appropriate measure. Verify your provider encrypts stored data (AES-256 or equivalent) and enforces TLS for all data in transit.
Access controls and audit logging. You need to control who can access personal data and maintain records of that access. At the infrastructure level, this means the provider restricts physical and logical access to your data. At the platform level, this means audit logs showing which team members accessed which resources and when.
Data Processing Agreement availability. Signing a DPA with your hosting provider is a legal requirement under GDPR Article 28. Providers who won't sign a DPA are not suitable for processing EU personal data. Most major providers offer standard DPAs. Review the sub-processor list included in the DPA, as each sub-processor represents a transfer point.
Right to erasure support. Article 17 gives individuals the right to have their personal data deleted. Your infrastructure must support complete data deletion, including backups. Confirm that your provider can delete data from backup systems within a reasonable timeframe and that this process is documented.
Breach notification procedures. GDPR requires notification to supervisory authorities within 72 hours of becoming aware of a personal data breach. Your hosting provider must have documented procedures for detecting breaches and notifying customers promptly. Ask for their incident response policy.
Sub-processor transparency. Your DPA should include a complete list of sub-processors the provider uses. You have the right to object to new sub-processors before they are onboarded. Providers should maintain this list and notify you of changes.
Choosing a GDPR-Compliant Hosting Provider
What to Look For
When comparing European hosting providers, prioritize these criteria:
- EU data center locations: Verify specific facilities, not just "EU availability"
- DPA availability and quality: Does the provider offer a standard DPA? Are sub-processors listed?
- Security certifications: SOC 2 Type II and ISO 27001 demonstrate third-party audited security controls
- Encryption standards: AES-256 at rest, TLS 1.2+ in transit as a minimum
- Audit logging capabilities: Can you produce access records for a regulatory investigation?
- Data processing location: Does the platform process data exclusively within the EU?
Provider Comparison
| Provider | EU Regions | GDPR DPA | Managed Database |
|---|---|---|---|
| Out Plane | Nuremberg | Yes | Managed PostgreSQL |
| AWS | Frankfurt, Ireland, Stockholm, Milan, Paris | Yes | RDS (complex setup) |
| Hetzner | Nuremberg, Falkenstein, Helsinki | Yes | N/A (IaaS) |
| Render | Frankfurt | Yes | Managed PostgreSQL |
| Railway | EU (limited) | Yes | Managed PostgreSQL |
Out Plane's default region is Nuremberg, Germany. Both compute and managed PostgreSQL databases run in the EU by default. The platform provides automatic HTTPS, encrypted database connections, and EU-based data processing without additional configuration.
Hetzner provides excellent EU infrastructure at competitive prices but operates as IaaS. You manage the operating system, runtime, and application yourself.
AWS covers EU compliance requirements but introduces complexity through scale. Your specific configuration must keep data in EU regions. Default settings on some AWS services replicate data globally. Engineering time spent on AWS compliance configuration adds up.
For most teams deploying web applications and APIs, a PaaS provider with EU-native infrastructure and a signed DPA is the right balance of compliance and operational simplicity.
Implementing GDPR Compliance in Your Application
Choosing a compliant hosting provider is necessary but not sufficient. The GDPR compliance requirement extends to your application layer. These are the technical controls developers need to implement.
Data Minimization
Collect only the data your application needs to function. Before adding any new data field to a form or database schema, ask whether you have a documented legal basis for collecting it and a clear use case.
Define retention periods for each data category. User session data might have a 30-day retention. Marketing analytics might be retained for 24 months. Payment records may have a 7-year retention requirement under financial regulations. Implement automated deletion jobs that enforce these periods.
Document your data inventory in a Record of Processing Activities (RoPA). GDPR Article 30 requires this for most organizations. The RoPA maps each processing activity to its legal basis, data categories, recipients, and retention period.
Right to Erasure
Article 17 requires you to delete personal data when a user requests it, when the data is no longer necessary, when consent is withdrawn, or when you have no other legal basis for retention.
Implement a user data deletion API endpoint. When triggered, it should:
- Delete the user's account and profile data
- Anonymize or delete data in related tables (orders, sessions, activity logs)
- Remove data from caches and search indexes
- Trigger deletion from analytics systems
- Confirm deletion with a timestamp log (for audit purposes, you may retain proof-of-deletion metadata without the personal data itself)
Consider whether soft-delete patterns are compatible with your erasure obligations. A soft-deleted record with personal data fields populated is still personal data. If you use soft-delete for audit trail purposes, ensure the personal data fields are overwritten at deletion time.
Consent Management
If your legal basis for processing is consent, you must capture it in a way that is freely given, specific, informed, and unambiguous. Cookie consent is the most visible implementation of this requirement.
Implement a cookie consent banner that:
- Lists specific cookie categories (functional, analytics, marketing)
- Defaults to rejected for non-essential categories
- Records consent decisions with timestamps and versions
- Provides a mechanism to withdraw consent
- Does not use dark patterns to nudge acceptance
For consent outside of cookies, capture the specific purpose at the point of collection. Store consent records with the user ID, purpose, timestamp, and consent text version. Users must be able to withdraw consent as easily as they gave it.
Data Encryption
HTTPS is table stakes. Out Plane enables HTTPS automatically for every deployed application. Beyond transport encryption, consider:
Database encryption at rest. Managed databases on Out Plane use encrypted storage. Verify this is enabled and understand the key management model.
Application-level encryption for sensitive fields. Fields like healthcare data, financial identifiers, or government IDs benefit from encryption at the application layer. This protects the data even if database access controls fail. See the environment variables and secrets guide for secure key management patterns.
Backup encryption. Backups contain the same personal data as primary storage. Confirm they are encrypted using the same standards.
Audit Logging
GDPR enforcement investigations require evidence of who accessed what, when. Implement application-level audit logging for:
- User data access (which user records were read, by whom)
- Data modifications (what changed, when, by which user or process)
- Data deletion events (confirmation that erasure requests were completed)
- Administrative actions (configuration changes, privilege grants)
Out Plane provides activity logging for team actions at the infrastructure level: who deployed, who changed environment variables, who accessed logs. Complement this with application-level audit logs stored in your own database.
Database Considerations for EU Data Hosting
Database placement is as important as application hosting. If your application runs in Frankfurt but your database is in US-East-1, your personal data is still subject to US jurisdiction.
Out Plane's managed PostgreSQL runs in Nuremberg, Germany by default — the same region as your application. This ensures both compute and data storage remain within the EU without additional configuration.
Verify these additional database-level controls:
- Connection encryption: PostgreSQL connections should require SSL/TLS. Out Plane enforces this by default.
- Backup region: Automated backups must stay in the same region as primary storage. Confirm this with your provider.
- Read replicas: If you use read replicas for performance, ensure they are provisioned in EU regions only.
- Access logging: Enable database-level access logging if your compliance requirements demand it.
The PostgreSQL production guide covers connection pooling, performance tuning, and backup configuration for production deployments.
Choosing Between Managed PaaS and Self-Hosted Infrastructure
Some organizations cannot use shared cloud infrastructure regardless of GDPR posture. Government entities, certain financial services firms, and organizations with strict contractual requirements may need complete control over where their data resides and who can physically access it.
For these cases, self-hosted PaaS tools like Coolify or CapRover running on EU-based servers (such as Hetzner) provide one option. The trade-off is operational overhead: your team maintains the underlying infrastructure, manages upgrades, applies security patches, and operates monitoring systems.
For most SaaS companies, a managed EU-hosted PaaS with a signed DPA provides sufficient data sovereignty. Out Plane's managed platform runs in Nuremberg, Germany by default, keeping both compute and database within the EU. The self-hosted vs. managed PaaS trade-offs are worth understanding before making this decision.
Common GDPR Pitfalls for Developers
These mistakes appear frequently in GDPR compliance reviews. Each is avoidable with deliberate technical choices.
Using US-only analytics. Google Analytics routes data through US infrastructure. This requires SCCs and introduces transfer risk. Switch to EU-hosted analytics alternatives: Plausible Analytics or Umami are both open-source, privacy-respecting, and can be self-hosted in the EU. Out Plane uses Umami internally.
Logging personal data in application logs. HTTP request logs often contain IP addresses, user IDs in URL paths, authentication tokens in headers, and query parameters with personal data. Audit your logging configuration. Redact or hash personal identifiers at the log collection layer before they reach storage.
Using third-party services without DPAs. Every service that processes personal data on your behalf requires a DPA. This includes error monitoring tools (Sentry, Datadog), email providers (SendGrid, Postmark), payment processors (Stripe), and customer support platforms (Intercom). Audit your entire stack and verify DPAs exist for each.
Not handling data deletion requests. Many teams build account creation flows carefully but don't implement deletion. GDPR requires the technical capability to delete a user's data across your entire stack, including backups, analytics systems, and third-party integrations. Build this from the start.
Ignoring sub-processor chains. Your DPA with your hosting provider lists their sub-processors. Each of those sub-processors may have their own. This chain represents your actual data exposure. Review your primary provider's sub-processor list and understand where your data actually flows.
Storing data longer than necessary. Applications accumulate data over time. Without active retention management, databases grow to contain years of data subject to erasure obligations. Implement scheduled cleanup jobs. Make retention periods visible in your data schema and documentation.
GDPR Compliance Checklist for Deployment
Use this checklist before deploying an application that processes EU personal data.
Infrastructure:
- Application hosted in EU data center (Nuremberg, Frankfurt, Helsinki, or equivalent)
- Database provisioned in EU region
- HTTPS enabled for all endpoints
- DPA signed with hosting provider
- DPA signed with all third-party sub-processors (analytics, email, monitoring, payment)
- Sub-processor list reviewed and approved
Application:
- User data deletion endpoint implemented and tested
- Cascading deletes handled for all related records
- Cookie consent banner implemented with granular categories
- Consent withdrawal mechanism available to users
- Data retention periods defined and enforced by automated jobs
- Sensitive fields encrypted at the application layer
Operations:
- Audit logging enabled for data access and modifications
- Application logs reviewed and personal data redacted
- Privacy policy published and accurate
- Record of Processing Activities (RoPA) documented
- Breach notification procedure documented and tested
- Data subject request (access, erasure, portability) workflow established
Provider verification:
- EU data center location confirmed with hosting provider
- DPA sub-processor list reviewed for non-EU entities
- Internal audit log export capability verified
Summary
GDPR compliance for developers is a combination of infrastructure choices and application-level technical controls. Neither alone is sufficient.
Hosting in Europe is the most impactful infrastructure decision you can make. It eliminates cross-border transfer obligations, simplifies your DPAs, and reduces your regulatory exposure to the EU framework you're already subject to. Out Plane deploys to Nuremberg, Germany by default, keeping both compute and managed PostgreSQL databases within the EU.
At the application layer, implement data minimization from the start, build user data deletion into your core data model, manage consent explicitly, encrypt sensitive fields, and audit data access. These aren't optional compliance additions. They're technical practices that reduce your legal risk and build user trust.
GDPR compliance is not a one-time checklist. It requires ongoing review as your application evolves, your sub-processor list changes, and regulatory guidance updates. Build review into your engineering process the same way you build in security reviews.
Ready to deploy in the EU with GDPR-compliant infrastructure? Out Plane's default region is Nuremberg, Germany. Sign a DPA, enable HTTPS automatically, and deploy in 60 seconds from your git repository at console.outplane.com.