GDPR-native infrastructure
EU data residency, done properly
Every HostStack app, database, and backup lives in Germany or Finland — run by a Danish company, with no US CLOUD Act exposure. Here is what EU data residency actually requires, and why an EU region from a US provider is not the same thing.
EU data residency means your data is stored and processed on servers inside the European Union. On HostStack that is Nuremberg (Germany) and Helsinki (Finland), on Hetzner infrastructure. But residency alone does not make you GDPR-safe. The harder question — the one a procurement reviewer actually asks — is who can be legally compelled to hand the data over. That depends on where the provider is incorporated, not just where the servers are.
Location is not the same as sovereignty
Data location (necessary)
The physical region your data sits in. Most US providers now offer an EU region — AWS Frankfurt, Render EU, Heroku Dublin — which fixes latency and storage location. It is necessary, but on its own it is not sufficient for a clean GDPR answer.
Legal incorporation (decisive)
The jurisdiction the company itself answers to. A US-incorporated company is reachable by the US CLOUD Act anywhere on earth, EU region included. An EU-incorporated company is not. This is the factor Schrems II actually turns on.
The US CLOUD Act and Schrems II
The US CLOUD Act (2018) lets US authorities compel any US-incorporated company to disclose data it controls — even when that data is held on servers outside the United States. The Schrems II ruling (CJEU, 2020) found that this exposure means an EU data subject's personal data is at risk when it is controlled by a US company, regardless of storage location. For a European controller, that is the core problem: with a US provider, the honest answer to “can a foreign government compel access to our customers' data?” is “we cannot guarantee that it cannot.” With an EU-incorporated provider, there is no US legal pathway to reach that data.
Who is actually an EU company?
Most platforms have an EU region. Almost none are EU companies. The CLOUD Act turns on where the provider is incorporated, not on where its EU region is.
| Provider | Incorporated in | EU-incorporated? | EU region |
|---|---|---|---|
| HostStack | Denmark 🇩🇰 | Yes | DE, FI |
| Scaleway | France 🇫🇷 | Yes | FR, NL, PL |
| Aiven | Finland 🇫🇮 | Yes | Many EU |
| Render | USA 🇺🇸 | No | Frankfurt |
| Railway | USA 🇺🇸 | No | EU (limited) |
| Fly.io | USA 🇺🇸 | No | Region-pinned |
| Vercel | USA 🇺🇸 | No | Edge / region |
| Heroku (Salesforce) | USA 🇺🇸 | No | Dublin |
| Supabase | USA 🇺🇸 | No | EU regions |
| Neon | USA 🇺🇸 | No | EU regions |
| AWS RDS | USA 🇺🇸 | No | Frankfurt etc. |
Incorporation reflects public corporate records; EU-region availability is from each provider's documentation. Verify current details against the provider before a compliance sign-off.
How HostStack keeps your data in the EU
More detail lives in our Data Processing Agreement, sub-processor list, and Trust Center.
Frequently asked questions
What does EU data residency mean?
EU data residency means your data is physically stored and processed on servers located inside the European Union. On HostStack, every service, database, and backup lives in Germany (Nuremberg) or Finland (Helsinki) on Hetzner infrastructure. Data residency on its own, however, is not the same as data sovereignty — a US-owned provider can store data in the EU and still be compelled to hand it over under the US CLOUD Act. Full protection requires both EU location and EU legal incorporation.
Is hosting data in an EU region enough for GDPR compliance?
Not by itself. The Schrems II ruling found that data held by a US-incorporated company is at risk of US government access regardless of where the servers sit, because the US CLOUD Act reaches any US company globally. An EU region from a US provider (AWS Frankfurt, Render EU, Vercel) reduces latency and addresses storage location, but the controller still cannot guarantee that US authorities cannot compel access. The cleanest GDPR posture is a provider that is itself incorporated in the EU.
What is the US CLOUD Act and why does it matter for European companies?
The US CLOUD Act (2018) lets US authorities compel any US-incorporated company to disclose data it controls, even when that data is stored on servers outside the United States. For a European company, this means using a US cloud provider — even in an EU region — leaves a legal pathway for US access to personal data, which can conflict with GDPR Articles 44–50 on international transfers. Choosing an EU-incorporated provider removes that pathway.
Which PaaS and database providers are actually incorporated in the EU?
Very few. Among managed application and database platforms, HostStack (Denmark), Scaleway (France), and Aiven (Finland) are EU-incorporated. Render, Railway, Fly.io, Vercel, Heroku, Supabase, Neon, and AWS RDS are all US-incorporated and offer an EU region but remain subject to the US CLOUD Act.
Where is HostStack data stored, and who is the legal entity?
HostStack is operated by MICCI, a company registered in Denmark (CVR 45587452). All compute, databases, and backups are hosted on Hetzner infrastructure in Germany and Finland — both EU member states. A Data Processing Agreement is available to every customer at signup, and the full sub-processor list is published in the DPA.
Does HostStack provide a DPA (Data Processing Agreement)?
Yes — to every customer, on every plan, at signup, not just on Enterprise contracts. The DPA names the controller-to-processor relationship, the EEA sub-processors (Hetzner DE/FI for compute and storage, Stripe IE for billing, plus EU registrars and ACME for TLS), and the incident-notification path. That makes a Schrems II / GDPR procurement review short.
Deploy on EU soil, under an EU company
Start for free — no card. Your data never leaves Germany or Finland.