EU data residency for web apps: what it requires and how to achieve it
In short
EU data residency means that all personal data your web application collects and processes — including the database, server-side logic, and transactional email — remains physically located within the European Union. For a Next.js app, this requires choosing EU-region infrastructure for each layer: database (Postgres in Frankfurt or similar), compute (Cloudflare Workers EU zone or an EU server), auth, and email. Alleex Cloud provisions all of these in the EU by default, without a region toggle.
What this means in practice
EU data residency is not a single switch — it is a property that must hold across every layer of your stack where personal data appears. The database is the most obvious layer, but data also flows through: compute (your API routes and server functions), authentication sessions and tokens, transactional email (which carries personal data like email addresses and sometimes message content), and logs. If any one of these layers sends data to a US-region provider without a valid transfer mechanism, the residency guarantee breaks. For GDPR purposes, a Standard Contractual Clause (SCC) with a US provider can be a valid transfer mechanism — but it is not the same as the data not leaving the EU at all.
How Alleex Cloud handles this
Alleex Cloud provisions every layer of the generated app's infrastructure in the EU by default. The database is a dedicated Neon Postgres project in the Frankfurt (eu-central-1) region — one project per app, so tenant data is isolated at the database level. Compute runs on Cloudflare Workers configured for the EU zone; Cloudflare's smart placement keeps execution close to the database. Authentication is handled by Better Auth, self-hosted in the same EU Neon database — no third-party US auth vendor (such as Clerk or Auth0) appears in the customer app data path. Transactional email uses Resend's EU region endpoint. None of this personal data leaves the EU. The Alleex Cloud builder dashboard itself uses US vendors (Vercel for hosting, Clerk for dashboard auth) under SCCs — but that is the Alleex Cloud platform infrastructure, separate from your customer app's data.
Step-by-step
1. Identify every layer that touches personal data
   Before selecting infrastructure, map where personal data flows in your app: user records (database), auth sessions (auth provider), API processing (compute), emails (email service), and monitoring/logs. Each layer must have an EU-region option.
2. Choose EU-region providers for each layer
   Database: Neon Postgres (Frankfurt) or Supabase EU. Compute: Cloudflare Workers (EU zone) or a VPS in an EU datacenter. Auth: Better Auth self-hosted, or an EU-region deployment of a compatible auth library. Email: Resend EU endpoint or Postmark EU.
3. Verify no US-region fallback is active
   Most providers default to the US region. Explicitly set the region at provisioning time — not just in the environment variable but in the provider's project settings. Confirm by checking the provider dashboard that the project is in an EU region.
4. Document your transfer mechanisms for any remaining US exposure
   If any service in your stack is US-based with no EU option (e.g., a specific payment processor or third-party API), document the legal transfer mechanism (SCC) in your DPA and privacy policy. Disclose this to your users.
5. Deploy with Alleex Cloud for automatic EU provisioning
   When you deploy through Alleex Cloud, the EU infrastructure is provisioned automatically — you do not need to configure regions manually. The Neon project, Cloudflare zone, Better Auth, and Resend endpoint are all EU by default. Your generated privacy policy reflects this.
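Steps 1 to 4 can be kept honest with a small audit that runs in CI over a written inventory of layers. The sketch below is an added example, not Alleex Cloud's code or any provider's API: the inventory shape, the status names and the sample hostnames are hypothetical, and it assumes the region appears as its own label in the database hostname. It checks what you have declared, so it complements the provider-dashboard check in step 3 rather than replacing it.

```javascript
// Added example: residency audit over a constructed stack inventory.
// Assumption: EU regions are named "eu", "eu-..." or "europe-...".
const EU_REGION = /^(eu|europe)(-|$)/i;
// Assumption: the region is its own hostname label, e.g. "eu-central-1".
const REGION_LABEL = /^[a-z]{2}-[a-z]+-\d+$/;

// Pull a region label out of a connection URL; the first label (endpoint id) is skipped.
function regionFromUrl(url) {
  const labels = new URL(url).hostname.split(".");
  return labels.slice(1).find((l) => REGION_LABEL.test(l)) || null;
}

// Classify one layer: resident, documented-transfer, undocumented-transfer or unknown.
function classify(entry) {
  const region = entry.region || (entry.url ? regionFromUrl(entry.url) : null);
  if (!region) return { ...entry, region: null, status: "unknown" };
  if (EU_REGION.test(region)) return { ...entry, region, status: "resident" };
  const status = entry.transferMechanism ? "documented-transfer" : "undocumented-transfer";
  return { ...entry, region, status };
}

// Audit every layer; the stack is EU-resident only if all layers are.
function auditResidency(inventory) {
  const layers = inventory.map(classify);
  return {
    layers,
    resident: layers.every((l) => l.status === "resident"),
    // Layers that need action: region never pinned, or non-EU with no SCC on file.
    failures: layers
      .filter((l) => l.status === "unknown" || l.status === "undocumented-transfer")
      .map((l) => l.layer),
  };
}

// Constructed inventory (hostnames and regions are sample values, not real projects).
const sampleInventory = [
  { layer: "database", url: "postgres://app@ep-sample-000000.eu-central-1.aws.neon.tech/app" },
  { layer: "compute", region: "eu" },
  { layer: "email", region: "us-east-1" },
  { layer: "payments", region: "us", transferMechanism: "SCC" },
  { layer: "logs" }, // region never set: the provider default applies
];

const report = auditResidency(sampleInventory);
for (const l of report.layers) console.log(l.layer.padEnd(9), l.region ?? "-", l.status);
console.log("EU-resident:", report.resident, "| fix:", report.failures.join(", "));
```

A layer with a documented SCC is not reported as a failure, but it still keeps `resident` false, matching the distinction between a valid transfer mechanism and data that never leaves the EU.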
Frequently asked questions
- Does EU data residency satisfy GDPR's data transfer rules?
  If data stays within the EU/EEA, Chapter V GDPR transfer restrictions do not apply — you are not transferring data to a third country. EU residency is the strongest possible position for GDPR data transfer compliance. You still need to comply with all other GDPR obligations (lawful basis, data minimisation, DSAR, etc.).
- Is Cloudflare EU Workers truly EU-resident?
  Cloudflare's EU zone keeps data processing within EU member state datacenters when configured correctly. The key is setting the zone to EU and not using features (like Cloudflare's AI gateway) that route through US infrastructure. Alleex Cloud configures this correctly in the generated app.
- Can I use Vercel for my app and still have EU data residency?
  Vercel's compute can be configured for EU regions, but Vercel is a US company and its data handling is covered by the EU–US Data Privacy Framework (DPF) and SCCs. Whether that satisfies your GDPR obligations depends on your specific risk assessment and what data flows through Vercel. Alleex Cloud uses Cloudflare Workers (not Vercel) for generated app compute to avoid this ambiguity.
- What about backups and logs — are those also EU-resident?
  Neon Postgres backups are retained in the same region as the primary database (Frankfurt for EU projects). Application logs, if you add a logging service, must also be configured to an EU region — this is not automatic. Alleex Cloud does not currently include a managed logging layer; if you add one, ensure it is EU-region.
Get EU data residency out of the box
Alleex Cloud provisions every infrastructure layer in the EU by default. No region toggles, no manual configuration — deploy your first EU-resident app in minutes.