EU compliance guides for app builders. Grounded in real code.

What does 'GDPR-compliant by construction' mean?

"GDPR-compliant by construction" means that every application produced by Alleex Cloud includes the required data-protection measures as a structural default — data residency in the EU, a tamper-evident audit log, DSAR self-serve, and cookie consent — before any custom code is written. The compliance properties are enforced at composition time, not retrofitted later. If the composition plan would produce a non-compliant data path, the engine rejects it.

Read guide →

EU data residency for web apps: what it requires and how to achieve it

EU data residency means that all personal data your web application collects and processes — including the database, server-side logic, and transactional email — remains physically located within the European Union. For a Next.js app, this requires choosing EU-region infrastructure for each layer: database (Postgres in Frankfurt or similar), compute (Cloudflare Workers EU zone or an EU server), auth, and email. Alleex Cloud provisions all of these in the EU by default, without a region toggle.

Read guide →

How to implement a DSAR portal in a Next.js app (GDPR Articles 15, 17, 20)

A DSAR (Data Subject Access Request) portal lets users exercise their GDPR rights — access (Article 15), portability (Article 20), and erasure (Article 17) — without contacting your support team. In a Next.js app, this requires a verified request intake route, a background job that collects and packages the user's data from every data store, an erasure handler that removes personal data while preserving non-personal records, and a 30-day fulfilment deadline tracker. Alleex Cloud generates all of this via the compliance-eu module whenever a personal-data module is included in the app plan.

Read guide →

Hash-chained audit log for GDPR: how it works and how to build one

A hash-chained audit log records every state-changing action in your application in an append-only sequence where each entry's hash includes the hash of the previous entry. This makes retroactive alteration detectable: changing any historical record breaks the chain from that point forward. For GDPR, it provides a tamper-evident record of data access, modification, DSAR fulfilment, and consent changes — which is useful for demonstrating compliance to a data protection authority. Alleex Cloud generates a hash-chained audit log into every app, with chain heads witnessed in Sigstore Rekor so third parties can verify integrity without access to your database.

Read guide →

EU-hosted Lovable alternative: how Alleex Cloud and Lovable approach EU compliance differently

Lovable is an AI app builder with genuine SOC 2 and ISO 27001 certifications and an EU data residency option available as a per-project region toggle. Alleex Cloud is an EU-native composition-based app builder where EU data residency is the default for every project, and GDPR compliance features (DSAR portal, hash-chained audit log, cookie consent) are generated into the app itself rather than being the developer's responsibility to add. The two builders take different architectural approaches to compliance; the right choice depends on your team's priorities.

Read guide →