Hetzner versus the hyperscalers. The trade-offs we made, the audit trail we kept, and what we tell procurement teams when they ask.

When a procurement team at a mid-sized European company asks about data residency, they are usually asking three separate questions at once. Where does the data physically sit? Who has legal access to it? And what happens if something goes wrong? We get this question on most discovery calls that involve a finance or operations lead at a company with any kind of compliance exposure. Here is the honest answer.

Hetzner, not AWS

All customer data is processed on servers hosted at Hetzner in Nuremberg, Germany. Hetzner is a European data centre operator, founded in 1997, headquartered in Gunzenhausen, Bavaria. They are not a hyperscaler. They do not have a presence in Virginia or Oregon. Their business model is renting physical infrastructure to European companies that want European infrastructure.

The decision to use Hetzner instead of AWS, GCP, or Azure was not primarily about cost, though the cost difference is real: roughly a third of what equivalent compute costs on AWS in eu-west-1. The primary reason was jurisdiction clarity. When your data sits on a Hetzner server in Germany, the applicable law is German law and EU law. There is no ambiguity about whether a US government agency could compel disclosure under the CLOUD Act. There is no subsidiary relationship that routes your data through a US parent entity. The legal chain from your data to the jurisdiction it falls under is short and unambiguous.

That matters for European companies in two practical ways. First, it makes GDPR compliance simpler to document. You can state, accurately, that personal data does not leave the EU and that the processor operating it is subject to EU law. Second, it removes a category of risk that shows up in procurement questionnaires and DPA reviews: the risk that a third-country transfer could expose personal data to disclosure requests from non-EU authorities.

What actually sits on those servers

Understanding the data residency question requires understanding what data a dashboard build actually involves. The answer is less than most people assume.

A datareaches dashboard connects to your source systems (ERP, CRM, time-tracking tool, logistics platform) and reads specific fields from them. It does not mirror your entire database. It reads the fields needed to answer the questions the dashboard was built to answer: pipeline stage and close date from your CRM, hours logged and budget consumed from your PSA, stock on hand and incoming orders from your WMS. Exactly those fields, nothing else.

The data that passes through our infrastructure is the subset used to compute and cache the dashboard tiles. It is stored in an encrypted database on the Hetzner infrastructure, with access restricted to the pipeline processes that need to read and update it. The data your source systems hold (full customer records, employee files, transaction histories) stays in your source systems. We never request access to more than we need to build what was scoped.

The audit trail

Every action on a datareaches instance produces an immutable log entry: who accessed the dashboard, when, from which IP, and what they saw. Every pipeline run that reads from a source system produces a log entry with the timestamp, the source, the fields read, and whether the run succeeded. Configuration changes (adding a data source, modifying a tile, changing access permissions) are logged with the timestamp and the identity of the person who made the change.

This log is not accessible to us except under explicit customer request or in the course of diagnosing a problem the customer has reported. It is not used for product analytics, not mined for usage patterns, and not shared with third parties. Its purpose is to give you a complete record of what happened, when, and who was involved, so that if a question arises in a compliance review or an internal audit, the answer is retrievable.

We keep logs for 90 days by default. If your data retention policy requires a different period (longer for audit purposes, shorter for privacy reasons), that is configurable at the start of the engagement.
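A customer-side check over an exported audit log, added here as an example and not datareaches' own code: it flags pipeline runs that read fields outside the scoped list and entries older than the 90-day retention. The JSON-lines export format, the field names, the scope mapping and the `review` function are assumptions; the sample log is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # default log retention stated on the page

# Hypothetical scope: the fields listed per source in the build agreement.
SCOPED_FIELDS = {
    "crm": {"pipeline_stage", "close_date"},
    "psa": {"hours_logged", "budget_consumed"},
}

# Constructed sample export, one JSON object per line (format is an assumption).
SAMPLE_LOG = """\
{"ts": "2024-05-01T06:00:00+00:00", "event": "pipeline_run", "source": "crm", "fields": ["pipeline_stage", "close_date"], "ok": true}
{"ts": "2024-05-01T06:05:00+00:00", "event": "pipeline_run", "source": "psa", "fields": ["hours_logged", "employee_name"], "ok": true}
{"ts": "2024-01-15T09:30:00+00:00", "event": "dashboard_view", "user": "cfo@example.com", "ip": "192.0.2.10"}
{"ts": "2024-05-02T06:00:00+00:00", "event": "pipeline_run", "source": "hr", "fields": ["salary"], "ok": false}
not-json
"""
SAMPLE_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed review date


def review(log_text, scoped, now, retention=RETENTION):
    """Return (line_number, finding, detail) tuples for entries needing follow-up."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            ts = datetime.fromisoformat(entry["ts"])
            if ts.tzinfo is None:
                raise ValueError("timestamp has no UTC offset")
        except (ValueError, KeyError, TypeError) as exc:
            findings.append((lineno, "unparseable", str(exc)))
            continue
        if now - ts > retention:  # entry should already have been purged
            findings.append((lineno, "past_retention", entry["ts"]))
        if entry.get("event") != "pipeline_run":
            continue
        source = entry.get("source")
        if source not in scoped:
            findings.append((lineno, "unscoped_source", str(source)))
            continue
        extra = sorted(set(entry.get("fields", [])) - scoped[source])
        if extra:  # run read fields the build agreement does not list
            findings.append((lineno, "unscoped_fields", ",".join(extra)))
    return findings
```

Calling `review(SAMPLE_LOG, SCOPED_FIELDS, SAMPLE_NOW)` returns one finding per problem line; an empty list means every run stayed within scope and nothing outlived the retention window.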

Role-based access

Every datareaches instance has explicit access control. The person who books the discovery call is not automatically the person who should see every dashboard tile. A logistics dashboard that shows margin by route should be visible to the operations director and the CFO, not the warehouse team. A pipeline dashboard that shows deal values and close probabilities should be visible to the sales lead and the CEO, not everyone with a company email address.

We configure access roles during the build. Typically there are two or three: a full-access role for the primary user and whoever is responsible for the data, a read-only role for stakeholders who need to see the numbers but should not be able to change the configuration, and optionally a restricted role that sees a subset of tiles. These roles are set in the dashboard configuration, documented in the handover pack, and modifiable by the primary user after delivery without needing to come back to us.

What we tell procurement teams

Procurement questionnaires for data processing agreements tend to ask the same things. Here is how we answer the standard ones.

Where is data processed and stored? Germany (Hetzner, Nuremberg). No transfers to third countries. No hyperscaler sub-processors with US parent entities in the data path.

What personal data do you process? We process only the fields explicitly scoped in the build agreement. For most operational dashboards this means no personal data at all: the fields are metrics, counts, and aggregates. Where a dashboard does involve personal data (a sales pipeline that includes deal contact names, for example), those fields are listed explicitly in the DPA.

What is your sub-processor list? Hetzner for infrastructure. No analytics platforms, no third-party monitoring tools with access to customer data, no advertising networks. The list is short because the architecture is simple.

What are your security certifications? We do not hold ISO 27001 or SOC 2 certifications. We are a small engineering team, not an enterprise SaaS vendor, and pursuing those certifications would require budget and overhead that would raise our price without changing the underlying security posture. What we can provide instead is a technical description of the controls in place (encryption at rest and in transit, access control, audit logging, backup policy) and references from existing clients who have completed their own DPA review with us. If your procurement process requires a specific certification, tell us early. That is a genuine constraint and it is better to know it before the scoping call than after.

What is your data retention and deletion policy? Cached dashboard data is retained for 90 days by default. On contract termination, all data is deleted within 30 days and we provide written confirmation. Source system access credentials are revoked on the same day. If you need a different retention period or a specific deletion timeline, name it in the scoping call.

If your procurement team needs to understand what the GDPR actually requires from a data processor (the Article 28 clauses, how to evaluate sub-processor lists, what a proper breach notification clause looks like, and the questions that separate genuine compliance from a vendor who just claims it), we have written a fuller guide: GDPR and data residency for European SMEs.

The trade-off we made and why

Choosing Hetzner over a hyperscaler means we do not get the same managed services, the same global edge network, or the same SLA guarantees a large cloud provider offers. The dashboards we build are not latency-sensitive in a way that requires global edge distribution. The source systems we connect to are almost always internal to a single company, usually hosted in one European region. A server in Nuremberg is close enough.

What we gain is jurisdiction clarity, cost simplicity, and an architecture with a short supply chain. When a customer asks where their data is, the answer is a single city in Germany, governed by a single legal framework, with no dependent relationships that complicate the picture. For European companies with procurement processes or data protection obligations, that clarity has value that a cheaper hyperscaler tier in Ireland would not provide in the same way.

If your procurement team has questions that are not covered here, book a call. Bring your standard data processing questionnaire. We will go through it line by line on the call and give you the answers in writing afterwards.