
SaaS founders, where do you host your customer data?

Hello folks,

Help me comply with GDPR...

We're running a B2B SaaS and our EU customers are asking about our data center location, which is the USA right now.

They're saying they can't use our service unless we use an EU server, because they can't host their client data outside of the EU.

Should we move to an EU data center, or is there any workaround?

posted to Growth on July 30, 2022
  1. 1

    PostgreSQL in AWS

  2. 1

    Looks like a good hard problem to solve for someone with deep tech chops, anyone?

    Other than that, on the surface, this regulation looks ridiculous given many big cloud providers have data centers in multiple locations around the globe. Also, the Internet is global, so why does it matter where it is stored if you can access it from any place? But I am not an expert.

  3. 1

    Why not just set up a server hosting your service & data in EU data centers? Shouldn't be very hard, right?

    1. 1

      It's not as plain and simple as that. We run on a microservice architecture, and replicating them all for EU/US is a bit of a problem, especially with DB sharding.

      1. 1

        I thought it would be easier with DB sharding. You mean you are not doing DB sharding at the moment?

  4. 1

    Spinning up an EU version of the product is a good way; an EU data center/cloud could be the way to go.

  5. 1

    This is something you'll run into if you're targeting any company in the EU, especially the larger the company gets the more strict they'll be on this. We sold to some bigger customers and had to complete complex security questionnaires that were extremely strict on data location etc and it would be a no-op for them if we didn't comply. Even things like vendors, if their data left the EU then they wouldn't use us.

    So definitely, if possible I'd recommend either deciding if the EU market is something you want to target right now, and if it is then spinning up an EU version of the product (possibly even hosted on a different domain). I wouldn't move the whole app to an EU datacenter because no doubt you'll have US customers who want to make sure you only store data in the US as well.

    1. 1

      All good advice, and I'd add that depending on your product, performance might be another good reason to split your hosting regionally. With modern cloud hosting it's easier than ever to put the data where the people are and I think in most cases we should.

    2. 1

      Completely joining you on that. To give you more context, recent legislative changes in the EU declared illegal transfers of EU residents' personal data to the US because of FISA and Cloud Act allowing surveillance agencies to have access to it on demand. Of course, there are ways to secure data during transfers and make them inaccessible by surveillance agencies (encryption, anonymisation, etc.) but the best way (and often the least costly) is to host personal data on EU soil and in the hands of a European hosting provider, which prevents any risk of interference from US intelligence agencies.

      When auditing SaaS on GDPR for privacyboard.co/privacyscore, I noticed most use Hetzner when offering an EU version of their product.
