GDPR-Compliant Hosting: Requirements and Checklist
'GDPR-compliant' appears on countless hosting pages — but what does it actually mean? This guide explains what the General Data Protection Regulation requires from your host: a data processing agreement (DPA), an EU data location, transparent subprocessors and protection from the US CLOUD Act. It ends with a checklist for choosing a GDPR-compliant cloud server.
If you run a website, app or database that processes third parties' personal data, you are the controller under GDPR. Your host becomes a processor — and must meet a set of obligations of its own so that your operation stays lawful. Where the data sits and who can legally access it often matters more than any single security feature.
What GDPR requires from a host
- DPA: mandatory under Art. 28 GDPR once a host processes personal data on your behalf. Operating without a data processing agreement is unlawful.
- Data location: servers and backups should sit in the EU/EEA so no third-country transfer is needed.
- Transparent subprocessors: the host must disclose which sub-processors (backup, monitoring, etc.) it uses.
- Technical and organisational measures (TOMs): documented controls such as access control, encryption and orderly snapshots and backups.
- Deletion and portability: commitments to fully delete or export data on request.
EU host vs US CLOUD Act
The US CLOUD Act obliges US companies to hand over stored data on order from US authorities — even when the servers physically sit in the EU. A European subsidiary of a US group can be caught by it too. That is precisely what the Schrems II ruling addressed: simply picking an EU region is not enough if the provider is fundamentally subject to US law.
| Criterion | EU host (e.g. Frankfurt) | US hyperscaler / US subsidiary |
|---|---|---|
| Applicable law | EU/DE law, GDPR | Also US law (CLOUD Act) |
| Government access | Only under EU law | US authorities can compel disclosure |
| Third-country transfer | Not required | Legally possible, Schrems II risk |
| DPA | EU-standard | Often with standard contractual clauses |
| Data-location guarantee | Explicitly EU/EEA | Region selectable, group is global |
Frankfurt and EU data residency
Bthorio is an independent, European company with a data center in Frankfurt am Main. Your data stays in the EU and is out of reach of the US CLOUD Act. We provide a DPA on request, the data center is carbon-neutral, and support replies in German and English in your timezone.
GDPR hosting checklist
- Is a DPA under Art. 28 GDPR available before you start?
- Are servers and backups verifiably in the EU/EEA?
- Is the provider an EU company not bound by the US CLOUD Act?
- Are all subprocessors transparently listed?
- Are TOMs and a deletion concept documented?
- Is support reachable in your language and timezone?