Guide

GDPR-Compliant Hosting: Requirements and Checklist

'GDPR-compliant' appears on countless hosting pages — but what does it actually mean? This guide explains what the General Data Protection Regulation requires from your host: a data processing agreement (DPA), an EU data location, transparent subprocessors and protection from the US CLOUD Act. It ends with a checklist for choosing a GDPR-compliant cloud server.


If you run a website, app or database that processes third parties' personal data, you are the controller under GDPR. Your host becomes a processor — and must meet a set of obligations of its own so that your operation stays lawful. Where the data sits and who can legally access it often matters more than any single security feature.

What GDPR requires from a host

  • DPA: mandatory under Art. 28 GDPR once a host processes personal data on your behalf. Operating without a data processing agreement is unlawful.
  • Data location: servers and backups should sit in the EU/EEA so no third-country transfer is needed.
  • Transparent subprocessors: the host must disclose which subprocessors (backup, monitoring, etc.) it uses.
  • Technical and organisational measures (TOMs): documented controls such as access control, encryption, and orderly snapshots and backups.
  • Deletion and portability: commitments to fully delete or export data on request.

EU host vs US CLOUD Act

The US CLOUD Act obliges US companies to hand over stored data on order from US authorities — even when the servers physically sit in the EU. A European subsidiary of a US group can be caught by it too. That is precisely what the Schrems II ruling addressed: simply picking an EU region is not enough if the provider is fundamentally subject to US law.

EU host compared with US providers

Criterion               | EU host (e.g. Frankfurt)  | US hyperscaler / US subsidiary
Applicable law          | EU/DE law, GDPR           | Also US law (CLOUD Act)
Government access       | Only under EU law         | US authorities can compel disclosure
Third-country transfer  | Not required              | Legally possible, Schrems II risk
DPA                     | EU-standard               | Often with standard contractual clauses
Data-location guarantee | Explicitly EU/EEA         | Region selectable, group is global

Frankfurt and EU data residency

Bthorio is an independent, European company with a data center in Frankfurt am Main. Your data stays in the EU and is out of reach of the US CLOUD Act. We provide a DPA on request, the data center is carbon-neutral, and support replies in German and English in your timezone.

GDPR hosting checklist

  • Is a DPA under Art. 28 GDPR available before you start?
  • Are servers and backups verifiably in the EU/EEA?
  • Is the provider an EU company not bound by the US CLOUD Act?
  • Are all subprocessors transparently listed?
  • Are TOMs and a deletion concept documented?
  • Is support reachable in your language and timezone?

Frequently asked questions