EU residency is an entry requirement today, not a checkbox.
After the Schrems II ruling (2020), standard EU → USA data transfers became legally uncertain. Procurement teams in Germany, Austria, France, and the Netherlands block SaaS vendors with a US parent regardless of where the data "sits". DataNostro removes this question entirely.
EU jurisdiction, no exceptions
The operator is a Czech VAT payer; the infrastructure is provided by a Tier III data center operator in Germany. No US parent company, no FISA 702 risk, no reach of the CLOUD Act.
A single hosting region
An EU Tier III data center (Germany). That's where every customer container runs. No multi-region replication that could spill data outside the EU on failover.
DPA + SCC included
The Data Processing Agreement (DPA) is signed at registration, no extra paperwork. Standard Contractual Clauses for a very narrow set of EU → EU sub-processors (Cloudflare only for the marketing site's CDN).
Tracking traffic isn't stored
DataNostro is a proxy — we forward your events to the platforms you set up (GA4, Meta, etc.) and don't store the request body. The only exceptions are debug capture (15-day retention, opt-in) and SLA monitoring.
LUKS-encrypted disks
Every data volume is LUKS / AES-256 encrypted at rest. Postgres backups are PGP-encrypted, 30-day retention, recovery tested monthly.
A public compliance roadmap
ISO 27001 inherited at the infrastructure level; DataNostro's own ISO 27001 audit is planned for Q4 2026. The Trust Center keeps the current status of every claim.
Three. And nothing more.
For comparison: a typical SaaS vendor has 30+, half of them in the USA.
| Sub-processor | Purpose | Country | EU/SCC |
|---|---|---|---|
| An EU Tier III data center (Germany) | Compute, storage, network for the sGTM containers + database | 🇩🇪 Germany (Tier III DC) | EU jurisdiction |
| Cloudflare, Inc. | CDN for the marketing site datanostro.com — never for tracking traffic | 🇺🇸 USA (with EU edge) | SCC + DPA signed |
| Seznam.cz, a.s. | Delivery of transactional emails (SMTP) | 🇨🇿 Czech Republic | EU jurisdiction |
Conspicuously absent: AWS, GCP, Vercel, Supabase, Clerk, PostHog, Segment, Stripe data-pipeline. We don't use these services.
How a tracking event passes through DataNostro.
1. The browser calls your tracking subdomain
   E.g. `track.your-store.cz` — a CNAME points to `*.sst.datanostro.com` into an EU Tier III data center (Germany). TLS terminates on European soil.
2. Your sGTM container processes the event
   Per-tenant isolation using Docker network namespaces + iptables. Memory and CPU are bounded by quotas, so a noisy neighbor won't take your resources. The power-ups (Anonymizer, Bot Detection, Click ID Restorer) also run in this step.
3. The event travels to the configured ad / analytics platforms
   GA4, Meta CAPI, Google Ads, TikTok Events API, Sklik, Heureka — whatever you've set up. From this point the data is on that platform's infrastructure and subject to your existing DPA with that platform. DataNostro doesn't store the request body.
4. Optionally: 15-day debug capture (opt-in)
   In the first weeks of a deployment you usually need to see the full payloads. Turn on Debug capture; we store the whole request + dispatch trace in EU Postgres for 15 days, then delete it. Off by default.
Procurement questions, clear answers.
Where is the data physically stored?
An EU Tier III data center (Germany). One region. Backups on a separate EU volume in the same region. We don't replicate outside the region. The specific location is listed in the DPA (the sub-processor list).
Does Schrems II affect you?
No — the data layer has no US sub-processors. The marketing site (datanostro.com landing pages) runs through Cloudflare with an EU edge + SCC, which is a known and limited exposure. Customer tracking data never touches Cloudflare.
Do you sign a DPA?
Yes. The standard DPA is automatically part of registration; for Enterprise customers we sign a tailored DPA. See our DPA and the Trust Center.
Who owns the company?
DataNostro is operated by Jan Malatinský, a sole trader with a Czech VAT ID (company ID 19152361, registered seat in Karviná, CZ). Bootstrapped, no foreign investors, no US parent. We provide registry extracts for your procurement on request.
What about ISO 27001 / SOC 2?
ISO 27001 inherited at the infrastructure level. DataNostro's own ISO 27001 audit is planned for Q4 2026 — see the current status in the Trust Center. We don't plan SOC 2 for now (a US standard that European customers don't ask for).
Can we run a vendor risk assessment?
Yes — the Trust Center covers ~70% of the standard SIG-Lite questions outright. For the rest, write to [email protected] with your questionnaire and we'll respond within 3 working days.
Ready when your procurement is ready.
A 14-day free trial, EU residency from day one. You start the technical deployment in parallel with your legal team reviewing the DPA.