hyggecloud / data protection & compliance
What EU hosting really changes legally
This topic is wrapped in marketing myths — in both directions. Some promise "GDPR compliance by changing servers", others claim US clouds are entirely unproblematic. Both are wrong. Here's the honest version, sorted for humans.
The legal landscape
Three terms you should know
US law follows the company, not the server
The CLOUD Act obliges US providers to give US authorities access to data they control — regardless of where it is stored. A Frankfurt AWS data centre changes nothing: Amazon is a US company, so US jurisdiction applies.
The structural conflict is court-confirmed
The CJEU struck down the Privacy Shield agreement because US surveillance law and EU fundamental rights collide. Its successor (the Data Privacy Framework) stands on similarly shaky legal ground — another invalidation is a realistic scenario worth being prepared for.
Resilience becomes a duty, not a virtue
The NIS2 directive obliges far more companies to do risk management, incident reporting and supply-chain security. Dependence on a single non-European provider is a risk you must assess and justify.
Honest balance
What the move solves — and what it doesn't
Off the table: the structural risk
- No CLOUD Act access — your provider is outside US jurisdiction
- No third-country transfer for your infrastructure data — Schrems debates no longer concern you
- A DPA with an EU company under EU law — easier to review, easier to defend
- Sanction and kill-switch risk drastically reduced
- Simpler answers in your enterprise customers' security questionnaires
- Certified providers (BSI C5, ISO 27001) as a solid basis for your own evidence
Still on the table: your processes
- Legal bases of your data processing (Art. 6 GDPR) — server location doesn't change them
- Data subject rights: access, deletion, portability — your application must support them
- US SaaS in daily use: US analytics tools just move the transfer elsewhere
- TOMs: access concepts, encryption, logging within your application
- Records of processing activities & DPIAs where required
- Training and processes for your team
Our contribution
What you concretely get from us
Data flow map
In the Hygge Check we document what data lives where and where it flows — including the US services that snuck into your stack (analytics, mail, CDN, fonts). Often the first complete overview a company has ever had.
Compliance package with the migration
Provider DPAs, a description of infrastructure-level TOMs, encryption and backup concepts, a deletion concept — documentation your DPO can use directly.
Security by default
Encryption at rest and in transit, SSO/2FA access, audit logs, network segmentation, automatic patches. Not a paid add-on, but the standard of every environment we build.
Common misconceptions
Three sentences we interrupt
- "We use the EU region, so we're safe." — The region determines latency, not jurisdiction. What matters is who owns the provider and which law applies to it.
- "Encryption at rest solves the CLOUD Act problem." — Only if the provider never sees the keys. With the provider's standard KMS, it holds them. Honest key management is architecture work.
- "The new data transfer deal sorts this out." — Until the next court ruling. Building your architecture on a politically negotiable agreement is building on sand. Sovereignty is the more robust strategy.
"Data protection isn't a sales pitch with paragraph decorations for us.
It's the simple question: can you explain to your customers in one sentence where their data lives and who can access it?
After a migration with us: yes."
— The HyggeCloud principle
Your DPO asks uncomfortable questions? Good.
Bring them to the intro call. We provide the technical answers — together it becomes a setup that lets both sides sleep again.
→ Book an intro callWith your DPO if you like · not legal advice