EU residency is now a sales gate, not a checkbox.
After Schrems II (2020) the standard EU → US data transfer became legally fragile. Procurement teams in Germany, Austria, France and the Netherlands are blocking US-headquartered SaaS vendors regardless of where the data is “configured” to live. DataNostro removes that question entirely.
EU jurisdiction, full stop
Operator is a Czech VAT-registered entity, infrastructure provider is Hetzner GmbH (Germany). No US parent company, no FISA 702 exposure, no CLOUD Act foothold.
Single hosting region
Hetzner Falkenstein, Germany. Every customer container runs there. No multi-region replication that could spill data outside the EU during failover.
DPA + SCC included
Data Processing Agreement signed at signup, no extra paperwork. Standard Contractual Clauses for the very narrow set of EU → EU sub-processors (Cloudflare for the marketing-site CDN only).
No tracking traffic stored
DataNostro is a proxy — we forward your events to the platforms you configure (GA4, Meta, etc.) and don’t store the payload. Only debug captures (15-day retention, opt-in) and SLA monitoring.
LUKS-encrypted disks
Every data volume is LUKS/AES-256 encrypted at rest. Postgres backups encrypted with PGP, retained 30 days, restore drill tested monthly.
Compliance roadmap published
Hetzner ISO 27001 inherited at infrastructure layer; DataNostro’s own ISO 27001 audit scheduled for Q4 2026. Trust Center maintains live status of every claim.
Three. That’s it.
Compare with the typical SaaS vendor that lists 30+ third parties, half of them US-based.
| Sub-processor | Purpose | Country | EU/SCC |
|---|---|---|---|
| Hetzner Online GmbH | Compute, storage, network for sGTM containers + database | 🇩🇪 Germany (Falkenstein) | EU jurisdiction |
| Cloudflare, Inc. | CDN for the datanostro.com marketing site only — never for tracking traffic |
🇺🇸 USA (with EU edge) | SCC + DPA in place |
| Seznam.cz, a.s. | Transactional SMTP delivery | 🇨🇿 Czech Republic | EU jurisdiction |
Notably absent: AWS, GCP, Vercel, Supabase, Clerk, PostHog, Segment, Stripe data-pipeline. We don’t use them.
How a tracking event flows through DataNostro.
-
1
Browser hits your tracking subdomain
e.g.
track.your-shop.eu— CNAME points at*.sst.datanostro.comat Hetzner Falkenstein. TLS terminates on EU soil. -
2
Per-tenant sGTM container processes the event
Docker network namespace + iptables isolation per tenant. Container memory and CPU are quota’d so a noisy neighbour can’t starve yours. Power-ups (Anonymizer, Bot Detection, Click ID Restorer) run in this step.
-
3
Event forwarded to your configured ad / analytics platforms
GA4, Meta CAPI, Google Ads, TikTok Events API, Sklik, Heureka — whichever you configured. From this point the data is on the platform’s infrastructure under your existing platform DPAs. DataNostro doesn’t store the request body.
-
4
Optional: 15-day debug capture (opt-in)
For the first weeks of a deployment you typically want full payload visibility. Toggle Debug capture on; we store the full request + dispatch trace in EU Postgres for 15 days, then delete. Off by default.
Procurement-grade questions, plain-English answers.
Where is the data physically stored?
Hetzner Online GmbH datacenter in Falkenstein, Saxony, Germany. Single region. Backups stored on a different Hetzner volume in the same region. We don’t replicate to other regions.
Are you affected by Schrems II?
No — the data plane has zero US sub-processors. The marketing site (datanostro.com landing pages) goes through Cloudflare with EU edge + SCC, which is a known and limited exposure. Customer tracking data never touches Cloudflare.
Do you sign a DPA?
Yes. Standard DPA is auto-included on signup; for Enterprise we sign a customised DPA. See our DPA and Trust Center.
Who owns the company?
DataNostro is operated by Jan Malatinský, a Czech VAT-registered sole proprietor (IČO 19152361, registered seat in Karviná, CZ). Bootstrapped, no foreign investors, no US parent. We’re happy to provide registry confirmations on request for procurement files.
What about ISO 27001 / SOC 2?
Hetzner’s ISO 27001 covers the infrastructure layer, which we inherit. DataNostro’s own ISO 27001 audit is scheduled for Q4 2026 — see live status on the Trust Center. SOC 2 is not currently planned (US-flavoured, EU customers don’t request it).
Can I do a vendor risk assessment?
Yes — the Trust Center answers ~70 % of standard SIG-Lite questions out of the box. For everything else, email [email protected] with your questionnaire and we’ll respond in 3 business days.
Ready when procurement is.
14-day free trial, EU residency on day one. Start technical onboarding while your legal team reviews the DPA in parallel.