
GDPR-Compliant Serverless Hosting: Why Data Residency Matters for European Apps

Adrian Silaghi
February 20, 2026
15 min read
#gdpr #serverless #gdpr-serverless-hosting #serverless-hosting-europe #gdpr-compliant-cloud #data-residency #european-serverless #knative #schrems-ii #cloud-act

Serverless computing promises simplicity: deploy your code, pay only for what you use, and let the provider handle the rest. But for European businesses processing personal data, that simplicity comes with a hidden cost. When your serverless functions run on AWS Lambda in Frankfurt or Google Cloud Run in Belgium, your data still flows through US-owned infrastructure subject to American surveillance laws.

This is not a theoretical risk. Since the Schrems II ruling invalidated the EU-US Privacy Shield in 2020, European companies using US cloud providers for personal data processing operate in a legal gray area. The EU-US Data Privacy Framework (DPF) adopted in 2023 attempts to address this, but legal experts widely expect it to face a challenge similar to its predecessors.

This guide explains why data residency matters specifically for serverless workloads, what risks you face with US providers, and how EU-hosted serverless platforms provide genuine GDPR compliance by design.

Why Serverless Makes GDPR Harder, Not Easier

Traditional hosting gives you clear visibility into where your data lives. You provision a server in Frankfurt, your data stays in Frankfurt. Serverless abstracts away that control, which creates unique compliance challenges.

You Don't Control the Runtime Environment

When you deploy a function to AWS Lambda or Google Cloud Functions, you have no visibility into:

  • Which physical server executes your code
  • Where temporary data is cached during execution
  • How logs containing personal data are stored and routed
  • Whether cold start data is replicated across regions
  • What monitoring and debugging tools the provider runs on your execution environment

Under GDPR Article 28, you, as the data controller, must know exactly where personal data is processed. Serverless makes this difficult when the provider controls the entire execution layer.

Logs and Metrics Contain Personal Data

Serverless platforms automatically generate logs, traces, and metrics. These often contain IP addresses, user identifiers, request parameters, and error messages that include personal data. On US-owned platforms, these observability streams are subject to US jurisdiction regardless of where the compute region is located.

Cold Storage and Caching Are Opaque

Serverless providers optimize performance through caching, connection pooling, and warm instance reuse. Data from one invocation may persist in memory for the next. The provider's internal caching and optimization layers are not transparent to you, making it impossible to guarantee data isolation.

The Legal Landscape: Schrems II, CLOUD Act, and the DPF

Schrems II (2020)

The Court of Justice of the European Union invalidated the EU-US Privacy Shield because US surveillance laws (FISA Section 702 and Executive Order 12333) do not provide adequate protection for EU citizens' data. The ruling established that:

  • US law allows mass surveillance of non-US persons' data
  • EU citizens have no effective legal remedy against US surveillance
  • Standard Contractual Clauses (SCCs) alone are insufficient without supplementary measures

The US CLOUD Act (2018)

The Clarifying Lawful Overseas Use of Data Act requires US companies to provide data stored anywhere in the world when served with a valid US legal order. This means that even if your AWS Lambda function runs in eu-central-1 (Frankfurt), Amazon, as a US company, must comply with US government data requests for that data.

The CLOUD Act directly conflicts with GDPR Article 48, which prohibits transfers of personal data based on foreign court orders unless there is an international agreement in place.

EU-US Data Privacy Framework (2023)

The DPF is the third attempt at a transatlantic data transfer agreement. While it provides a legal basis for transfers today, it faces significant uncertainty:

  • Max Schrems and noyb have signaled they will challenge it
  • The underlying US surveillance laws have not changed
  • The previous two frameworks (Safe Harbor and Privacy Shield) were both struck down
  • Building your compliance strategy on a framework that may be invalidated is a business risk

What This Means for Serverless

| Risk Factor | US Provider (AWS, GCP, Azure) | EU Provider (e.g., DanubeData) |
| --- | --- | --- |
| CLOUD Act exposure | Yes - US parent company | No - EU jurisdiction only |
| FISA 702 surveillance | Yes - US company | Not applicable |
| Data residency guarantee | Region-level only | Full - data center in EU |
| DPF dependency | Required for compliance | Not needed |
| Transfer Impact Assessment | Required (complex) | Not needed |
| Logs/metrics jurisdiction | US jurisdiction | EU jurisdiction |

European Serverless Options Compared

If you want genuinely EU-resident serverless hosting, your options are more limited than you might think. Many providers offer "EU regions" but are still US companies subject to the CLOUD Act.

Truly European Serverless Providers

| Provider | Country | Serverless Type | Scale to Zero | Standard Containers | Managed DB Integration |
| --- | --- | --- | --- | --- | --- |
| DanubeData Rapids | Germany | Containers (Knative) | Yes | Yes (Docker) | Yes (same datacenter) |
| Scaleway Serverless Containers | France | Containers | Yes | Yes (Docker) | Separate service |
| Scaleway Serverless Functions | France | Functions | Yes | No (proprietary runtime) | Separate service |

Most European cloud providers (Hetzner, OVH, IONOS) do not offer serverless container hosting at all. And US providers with EU regions (AWS Lambda eu-central-1, Google Cloud Run europe-west1) are still US companies under the CLOUD Act.

Why "EU Region" on a US Provider Is Not Enough

A common misconception is that selecting an EU region on AWS, Google Cloud, or Azure solves GDPR concerns. It does not, for several reasons:

  • Corporate jurisdiction trumps data location. AWS is a US company. A US court order under the CLOUD Act applies to AWS regardless of where data is physically stored.
  • Support and operations staff may be outside the EU. When you open a support ticket, engineers in the US may access your environment.
  • Internal tooling crosses borders. Monitoring, debugging, and analytics systems may route data through non-EU infrastructure.
  • The DPF may be invalidated. If a "Schrems III" ruling strikes down the DPF, you'll need to stop transfers immediately or implement supplementary measures.

How DanubeData Rapids Solves Serverless GDPR Compliance

DanubeData Rapids is a serverless container platform built on Knative, running entirely on dedicated hardware in Falkenstein, Germany. It is designed to eliminate GDPR compliance uncertainty for serverless workloads.

Complete EU Data Residency

  • Compute: Your containers run on dedicated servers in Falkenstein, Germany
  • Code and images: Container images are stored in the same German datacenter
  • Logs and metrics: All observability data stays in the EU
  • Traffic: Ingress and egress through EU network infrastructure
  • Backups: All backup data stored in EU

No data leaves the European Union at any point in the request lifecycle.

EU Corporate Jurisdiction

DanubeData is a European company subject only to EU law. There is no US parent company, no CLOUD Act exposure, and no dependency on transatlantic data transfer frameworks. Your compliance position does not change if the DPF is invalidated.

Standard Docker Containers, Not Proprietary Runtimes

Unlike AWS Lambda or Google Cloud Functions, DanubeData Rapids runs standard Docker containers. This means:

  • No vendor lock-in to proprietary function formats
  • Port your workloads to any container platform without rewriting
  • Use any language, framework, or runtime
  • Test locally with the same container that runs in production

Integrated EU-Hosted Data Services

GDPR compliance is not just about where your compute runs. Your database, cache, and storage also need to be EU-resident. DanubeData Rapids containers connect directly to other DanubeData services in the same datacenter:

  • Managed PostgreSQL and MySQL in Falkenstein, Germany
  • Managed Redis, Valkey, and Dragonfly caches in the same datacenter
  • S3-compatible object storage hosted in the EU

Internal networking between your serverless containers and databases means data never traverses the public internet, reducing both latency and attack surface.

Three Deployment Methods

DanubeData Rapids supports three ways to deploy serverless containers:

  1. Docker image: Push any Docker image and deploy it directly
  2. Git repository: Connect a Git repo and auto-deploy on push with webhooks
  3. ZIP upload: Upload source code directly for quick deployments

Source deployments use Buildpacks or your own Dockerfile for building, giving you full control over the build process.

Security Hardened by Default

  • Non-root container execution
  • Read-only filesystem
  • Automatic TLS on custom domains
  • Network isolation between tenants
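Two of the four items above, non-root execution and a read-only filesystem, are container-level settings that also belong in your own deployment manifest so that they hold on any Knative installation, not only where the platform enforces them. The following is an added example, not DanubeData's or Knative's code: a pre-deploy gate in Python that inspects the parsed form of a Knative Service manifest (the dict `yaml.safe_load` would return), reports which hardening fields are missing, and produces a hardened copy. The manifest and image name are constructed; the field names are standard Kubernetes `securityContext` fields, and whether a given Knative installation accepts each of them is an assumption to confirm against the platform's documentation. TLS termination and tenant isolation are platform-side controls and are out of scope for a manifest check.

```python
"""Pre-deploy gate for container hardening settings in a Knative Service.

Added example, not DanubeData's or Knative's own code. It checks the parsed
manifest (a dict, as yaml.safe_load would return) for the hardening fields a
non-root, read-only container needs and returns a hardened copy. The manifest
below is constructed for the demo.
"""
import copy

# Constructed manifest: a typical first attempt with no securityContext at all.
WEAK_SERVICE = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {"name": "orders-api"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "orders-api",
                        "image": "registry.example.invalid/orders-api:1.0",  # placeholder
                        "ports": [{"containerPort": 8080}],
                    }
                ]
            }
        }
    },
}

# Standard Kubernetes securityContext fields and the value each must carry.
REQUIRED = {
    "runAsNonRoot": True,
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
}


def _containers(manifest):
    return manifest["spec"]["template"]["spec"].get("containers", [])


def check_hardening(manifest):
    """Return a list of findings; an empty list means every container passes."""
    findings = []
    for container in _containers(manifest):
        name = container.get("name") or container.get("image", "<unnamed>")
        sc = container.get("securityContext") or {}
        for field, expected in REQUIRED.items():
            if sc.get(field) != expected:
                findings.append(
                    f"{name}: securityContext.{field} should be {expected}, got {sc.get(field)!r}"
                )
        dropped = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in dropped:
            findings.append(f"{name}: securityContext.capabilities.drop should include 'ALL'")
    return findings


def harden(manifest):
    """Return a deep copy with the required settings applied; the input is untouched."""
    hardened = copy.deepcopy(manifest)
    for container in _containers(hardened):
        sc = container.setdefault("securityContext", {})
        sc.update(REQUIRED)
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return hardened


if __name__ == "__main__":
    for finding in check_hardening(WEAK_SERVICE):
        print("FAIL:", finding)
    fixed = harden(WEAK_SERVICE)
    print("after harden():", check_hardening(fixed) or "all checks pass")
    print(fixed["spec"]["template"]["spec"]["containers"][0]["securityContext"])
```

Two practical consequences of turning these on: the image must actually run as a non-root user (a `USER` directive in the Dockerfile), or the pod will be refused at start-up by `runAsNonRoot`; and any scratch writes the application makes must go to a mounted writable volume, since `readOnlyRootFilesystem` makes the rest of the image immutable. Running this gate in CI before `kn service apply` or `kubectl apply` catches both before the first failed deploy.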

Pricing: EU Serverless Does Not Have to Be Expensive

A common concern with EU-hosted alternatives is cost. DanubeData Rapids is priced competitively with US hyperscaler serverless offerings:

| Metric | DanubeData Rapids | AWS Lambda (eu-central-1) | Google Cloud Run (europe-west1) |
| --- | --- | --- | --- |
| vCPU-second | €0.000012 | ~€0.000017 | ~€0.000024 |
| GiB-second | €0.000002 | ~€0.000002 | ~€0.000003 |
| Per million requests | €0.12 | ~€0.18 | ~€0.40 |
| Scale to zero | Yes | Yes | Yes |
| CLOUD Act exposure | None | Yes | Yes |

Free Tier

DanubeData Rapids includes a generous free tier every month:

  • 2 million requests
  • 250,000 vCPU-seconds
  • 500,000 GiB-seconds
  • 5 GB egress traffic

For many applications, especially internal tools, webhooks, and low-traffic APIs, the free tier covers the entire workload.

Real-World Example: GDPR-Compliant API Stack

Here is what a complete GDPR-compliant serverless stack looks like on DanubeData:

| Component | Service | Monthly Cost | Data Residency |
| --- | --- | --- | --- |
| API backend | DanubeData Rapids | Pay per use (free tier available) | Falkenstein, DE |
| Database | Managed PostgreSQL | €19.99 | Falkenstein, DE |
| Session cache | Managed Redis | €4.99 | Falkenstein, DE |
| File uploads | Object Storage | €3.99 | Falkenstein, DE |
| Total | | From €28.97/month | 100% EU |

Every component in this stack is hosted on EU-owned infrastructure in Germany. No data crosses borders, no US company has jurisdiction over any layer, and no transatlantic transfer framework is required.

GDPR Compliance Checklist for Serverless Deployments

Use this checklist to evaluate whether your serverless hosting meets GDPR requirements:

Data Residency

  • All compute runs in EU/EEA data centers
  • Container images stored in the EU
  • Logs, metrics, and traces stay in the EU
  • Backups stored in EU locations
  • No automatic replication to non-EU regions

Corporate Jurisdiction

  • Hosting provider is an EU-registered company
  • Not subject to US CLOUD Act or FISA 702
  • No dependency on EU-US Data Privacy Framework
  • Data Processing Agreement (DPA) available under EU law

Technical Controls

  • TLS encryption for all traffic in transit
  • Encryption at rest for stored data
  • Tenant isolation between customers
  • Non-root container execution
  • Audit logging for access and changes

Connected Services

  • Database hosted in EU (same provider or EU-owned)
  • Cache/session storage hosted in EU
  • Object storage hosted in EU
  • DNS and CDN services reviewed for compliance
  • Third-party integrations assessed for data transfers

Operational

  • Incident response procedures documented
  • Data breach notification process in place (72-hour GDPR requirement)
  • Data subject access request (DSAR) process established
  • Data retention and deletion policies defined

Common Objections Addressed

"We use AWS eu-central-1, so we're already compliant"

Data location and corporate jurisdiction are different things. Your data may sit in Frankfurt, but Amazon is a US company obligated to comply with US government data requests under the CLOUD Act. An EU data protection authority could take the position that this constitutes an unauthorized transfer.

"The EU-US Data Privacy Framework covers us"

It covers you today. Safe Harbor covered you until 2015. Privacy Shield covered you until 2020. Building your compliance strategy on a framework with a track record of being invalidated is a business risk, not a compliance solution.

"EU providers lack the features we need"

If you need proprietary services like DynamoDB, SageMaker, or BigQuery, that is a valid concern. But if your serverless workloads use standard containers with PostgreSQL, Redis, and object storage, EU providers offer everything you need. DanubeData Rapids runs standard Docker containers, so there is no proprietary runtime to work around.

"Migration is too complex"

Because DanubeData Rapids uses standard Docker containers, migration is straightforward:

  1. Build your existing application into a Docker image (if not already containerized)
  2. Push the image to DanubeData or connect your Git repository
  3. Configure environment variables for your EU-hosted database and cache
  4. Update DNS to point to the new endpoint

No code changes are needed if your application already runs in a container.

When US Providers May Still Be Appropriate

To be fair, there are scenarios where US serverless providers remain the practical choice:

  • No personal data processing: If your serverless functions process no personal data (e.g., public data aggregation, static asset processing), GDPR data transfer rules do not apply
  • Proprietary service dependencies: If you rely heavily on AWS Step Functions, DynamoDB Streams, or other tightly integrated services, the migration cost may not be justified
  • Global low-latency requirements: If you need serverless in 20+ regions worldwide, hyperscalers are the only option
  • Your DPO has approved the risk: If your Data Protection Officer has performed a Transfer Impact Assessment and accepted the residual risk, that is a documented business decision

Getting Started with GDPR-Compliant Serverless

Moving to EU-hosted serverless does not require a large migration project. Start with new workloads:

  1. New projects: Deploy new APIs and services on DanubeData Rapids from the start
  2. Internal tools: Move internal APIs and admin tools first (lower risk, good learning experience)
  3. Webhook handlers: Deploy webhook receivers and background processors
  4. Gradual migration: Move production workloads one service at a time

DanubeData Rapids supports Git auto-deploy with webhooks, so your CI/CD workflow stays the same. Push to your repository and your serverless container updates automatically.

Conclusion

GDPR compliance for serverless hosting is not just about choosing an EU region on a US provider. It requires genuine EU data residency: EU-owned infrastructure, EU corporate jurisdiction, and no dependency on transatlantic data transfer frameworks that have been invalidated twice already.

DanubeData Rapids provides exactly this: Knative-based serverless containers running on dedicated hardware in Germany, operated by a European company, with integrated EU-hosted databases, caches, and storage. Standard Docker containers mean no vendor lock-in, and competitive pricing with a free tier means you do not pay more for compliance.

For European businesses building serverless applications that process personal data, the question is not whether to host in the EU, but how soon you can start.

Create your DanubeData account and deploy your first GDPR-compliant serverless container in minutes. New accounts receive €50 in signup credit.

Need help evaluating your serverless GDPR compliance? Contact our team for a free consultation.

