What does 'GDPR-compliant by construction' mean?

In short

"GDPR-compliant by construction" means that every application produced by Alleex Cloud includes the required data-protection measures as a structural default — data residency in the EU, a tamper-evident audit log, DSAR self-serve, and cookie consent — before any custom code is written. The compliance properties are enforced at composition time, not retrofitted later. If the composition plan would produce a non-compliant data path, the engine rejects it.

What this means in practice

Most frameworks treat GDPR compliance as a checklist you apply after your app is built — add a cookie banner, write a privacy policy, maybe configure a data region. "GDPR-compliant by construction" is the opposite approach: the compliance properties are part of the application's architecture from the first line. Data residency is a default, not an opt-in. The audit log is a database trigger that cannot be removed by application code. The DSAR portal is generated whenever a module that processes personal data is included. You cannot accidentally compose a non-compliant app because the composition engine validates the module graph before generating any code.

How Alleex Cloud handles this

Alleex Cloud enforces compliance through its module composition engine and the compliance-eu module. When you include any module that processes personal data, the engine requires compliance-eu to be present in the same plan — if it is missing, the plan is rejected before code generation begins. The compliance-eu module generates: a DSAR portal (access, portability, and erasure endpoints, verified by email token, with every step hash-chained in the audit log), a self-hosted GDPR cookie consent banner (equal-prominence accept/reject, granular categories, consent receipts stored with version and expiry), and a generated privacy policy specific to the module selection. Data residency is enforced at the infrastructure layer: the generated app's Neon Postgres database is provisioned in the EU (Frankfurt), Cloudflare Workers run in the EU zone, and auth is handled by Better Auth self-hosted in the same EU database — no third-party US auth vendor processes your customer data. The hash-chained audit log is a Postgres append-only table with a server-side trigger; chain heads are periodically witnessed in Sigstore Rekor for third-party verifiability.
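The hash-chained audit log described above is the property a third party can actually check, so it is worth seeing the rule in code. The following is an added example, not Alleex Cloud's own trigger or schema: an in-memory, append-only log in which each row's hash binds the row's content to the previous row's hash, plus a verifier that recomputes the chain. The field names, action strings and DSAR rows are constructed for illustration. In the generated app the page describes, the same chaining rule is enforced server-side by a Postgres trigger; here it is modelled in TypeScript so the verification logic can run stand-alone.

```typescript
import { createHash } from "crypto";

// One row of the audit table. The hash binds the row's content to the
// previous row's hash, so editing, reordering or deleting a row breaks the chain.
export interface AuditEntry {
  seq: number;      // 1-based row number, strictly increasing
  actor: string;    // who performed the action
  action: string;   // e.g. "dsar.access.requested" (constructed name)
  subject: string;  // pseudonymous id of the data subject
  at: string;       // ISO-8601 timestamp
  prevHash: string; // hash of the previous row, or GENESIS_HASH for the first row
  hash: string;     // sha256 over the canonical form of the other fields
}

export const GENESIS_HASH = "0".repeat(64);

// Fixed field order so anyone holding the rows can recompute the same hash.
function canonical(e: Omit<AuditEntry, "hash">): string {
  return JSON.stringify([e.seq, e.actor, e.action, e.subject, e.at, e.prevHash]);
}

export function computeHash(e: Omit<AuditEntry, "hash">): string {
  return createHash("sha256").update(canonical(e)).digest("hex");
}

// Append-only store: the only write path is append(); there is no update or delete.
export class AuditLog {
  private entries: AuditEntry[] = [];

  append(actor: string, action: string, subject: string, at: string): AuditEntry {
    const prev = this.entries[this.entries.length - 1];
    const partial = {
      seq: this.entries.length + 1,
      actor,
      action,
      subject,
      at,
      prevHash: prev ? prev.hash : GENESIS_HASH,
    };
    const entry: AuditEntry = { ...partial, hash: computeHash(partial) };
    this.entries.push(entry);
    return entry;
  }

  // The chain head: the one value an external witness needs to record
  // so that later truncation of the log can be detected.
  head(): string {
    const last = this.entries[this.entries.length - 1];
    return last ? last.hash : GENESIS_HASH;
  }

  // Copy of the rows, as an auditor would read them back from the table.
  rows(): AuditEntry[] {
    return this.entries.map((e) => ({ ...e }));
  }
}

// Recompute every hash and check linkage and numbering. Returns -1 if the chain
// is intact, otherwise the index of the first bad row; a result equal to
// rows.length means the tail was cut off (only detectable with a witnessed head).
export function verifyChain(rows: AuditEntry[], witnessedHead?: string): number {
  let prevHash = GENESIS_HASH;
  for (let i = 0; i < rows.length; i++) {
    const { hash, ...partial } = rows[i];
    if (partial.seq !== i + 1) return i;          // gap or reordering
    if (partial.prevHash !== prevHash) return i;  // broken link
    if (computeHash(partial) !== hash) return i;  // content edited
    prevHash = hash;
  }
  if (witnessedHead !== undefined && prevHash !== witnessedHead) return rows.length;
  return -1;
}

// Constructed DSAR flow, then four checks: untouched, one row edited,
// last row deleted with the witnessed head, and the same deletion without it.
export function demo(): { intact: number; edited: number; truncated: number; truncatedUnwitnessed: number } {
  const log = new AuditLog();
  log.append("user:42", "dsar.access.requested", "subj:7f3a", "2025-01-10T09:00:00Z");
  log.append("system", "dsar.access.token_verified", "subj:7f3a", "2025-01-10T09:02:11Z");
  log.append("system", "dsar.access.export_delivered", "subj:7f3a", "2025-01-10T09:05:40Z");
  const head = log.head();

  const edited = log.rows();
  edited[1].actor = "user:99";               // tamper with the second row in place
  const truncated = log.rows().slice(0, 2);  // drop the final row

  return {
    intact: verifyChain(log.rows(), head),        // -1
    edited: verifyChain(edited, head),            // 1
    truncated: verifyChain(truncated, head),      // 2
    truncatedUnwitnessed: verifyChain(truncated), // -1: a trimmed log still self-verifies
  };
}
```

The last case in `demo()` is the reason the page's chain heads are witnessed externally: a log whose newest rows have simply been deleted still verifies against itself, and only a head recorded with a third party (Sigstore Rekor, in the setup described above) exposes that.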

Step by step

1. Choose your modules

   Select the modules your app needs from the Alleex Cloud registry (auth, payments, AI, booking, etc.). The composition engine automatically includes compliance-eu whenever any module processes personal data.

2. Composition validation

   The engine validates the full module graph before generating code. Any plan that would create a non-compliant data path — for example, adding analytics without consent capture — is rejected with a clear error message.

3. EU infrastructure provisioned

   At deploy time, Alleex Cloud provisions a dedicated Neon Postgres project in the EU (Frankfurt), configures Cloudflare Workers in the EU zone, and sets up Better Auth in the same EU database. No data leaves the EU.

4. Compliance artefacts generated

   The compliance-eu module generates the DSAR portal, cookie consent banner, and privacy policy as part of the app. The hash-chained audit log triggers are installed into the Postgres schema. These are live immediately on first deploy.

5. Eject and own the compliance code

   If you eject the app to your own GitHub, the compliance artefacts come with it — they are plain Next.js code and Postgres triggers, not Alleex Cloud-proprietary runtime features. The compliance properties survive a fork.
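Steps 1 and 2 describe a module-graph check that runs before any code is generated. The following is an added example of that kind of composition-time validation, written for this page and not Alleex Cloud's actual engine or registry: each module declares whether it processes personal data and which capabilities it requires or provides, and a plan is rejected when personal data is processed without compliance-eu or when a required capability (here, consent capture for analytics) has no provider. Only the module name compliance-eu comes from the page; the other module names, the capability labels and the flags are constructed assumptions.

```typescript
export interface ModuleSpec {
  name: string;
  processesPersonalData: boolean;
  requires: string[]; // capabilities the module needs from the plan
  provides: string[]; // capabilities the module contributes to the plan
}

export interface PlanResult {
  ok: boolean;
  modules: string[]; // final module set, including any auto-added compliance-eu
  errors: string[];  // empty when ok
}

// Constructed registry. "compliance-eu" is the only name taken from the page;
// the capability labels are assumptions used to express the page's rules.
export const REGISTRY: Record<string, ModuleSpec> = {
  "compliance-eu": {
    name: "compliance-eu",
    processesPersonalData: false,
    requires: [],
    provides: ["consent-capture", "dsar-portal", "audit-log"],
  },
  auth: { name: "auth", processesPersonalData: true, requires: ["audit-log"], provides: [] },
  payments: { name: "payments", processesPersonalData: true, requires: ["audit-log"], provides: [] },
  analytics: { name: "analytics", processesPersonalData: true, requires: ["consent-capture"], provides: [] },
  "static-pages": { name: "static-pages", processesPersonalData: false, requires: [], provides: [] },
};

// Pure check over a module set: returns every violation, with a message
// that names the offending module and the missing piece.
export function validatePlan(
  modules: string[],
  registry: Record<string, ModuleSpec> = REGISTRY,
): string[] {
  const errors: string[] = [];
  const specs: ModuleSpec[] = [];
  for (const m of modules) {
    const spec = registry[m];
    if (!spec) {
      errors.push(`unknown module "${m}"`);
      continue;
    }
    specs.push(spec);
  }

  // Rule 1: personal data anywhere in the plan requires compliance-eu.
  const touchesPersonalData = specs.some((s) => s.processesPersonalData);
  if (touchesPersonalData && !modules.includes("compliance-eu")) {
    errors.push(`plan processes personal data but does not include "compliance-eu"`);
  }

  // Rule 2: every required capability must be provided by some module in the plan
  // (this is what rejects analytics without consent capture).
  const provided = new Set<string>();
  for (const s of specs) for (const cap of s.provides) provided.add(cap);
  for (const s of specs) {
    for (const cap of s.requires) {
      if (!provided.has(cap)) {
        errors.push(`module "${s.name}" requires "${cap}" but no module in the plan provides it`);
      }
    }
  }
  return errors;
}

// Engine behaviour from the step list: auto-include compliance-eu when any module
// processes personal data, then validate; a plan with errors is rejected before codegen.
export function composePlan(
  requested: string[],
  registry: Record<string, ModuleSpec> = REGISTRY,
): PlanResult {
  const modules = Array.from(new Set(requested));
  const touchesPersonalData = modules.some((m) => registry[m]?.processesPersonalData === true);
  if (touchesPersonalData && !modules.includes("compliance-eu")) modules.push("compliance-eu");
  const errors = validatePlan(modules, registry);
  return { ok: errors.length === 0, modules, errors };
}
```

`validatePlan` is the check you would keep after ejecting (step 5): it can be run in CI against the module list of a fork, so that adding an analytics module by hand without a consent-capture provider fails the build rather than shipping.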

Frequently asked questions

Does this mean Alleex Cloud is certified under GDPR?
GDPR is a regulation, not a certification scheme — there is no official "GDPR-certified" badge. Alleex Cloud's architectural defaults are designed to meet GDPR requirements, and a generated privacy policy is included. A SOC 2 Type II audit is in progress (target Q4 2026); ISO 27001 is on the roadmap after SOC 2. This page is information, not legal advice — consult your DPO for your specific obligations.
What happens if I add a third-party analytics script later?
The Alleex Cloud composition engine will reject a plan that adds analytics without compliance-eu. If you eject and add a script manually, you are responsible for ensuring it fires only after consent — the generated consent banner provides the consent signal you need to hook into.
Does Alleex Cloud rely on the EU–US Data Privacy Framework (DPF)?
No. Alleex Cloud does not rely on the DPF for any data transfer. Customer app data does not leave the EU. The Alleex Cloud builder dashboard itself uses US vendors (Vercel, Clerk) under Standard Contractual Clauses — that is the Alleex Cloud platform, not your customer app data.
Is Lovable also GDPR-compliant by construction?
Lovable offers EU data residency as a region toggle (opt-in per project) and holds SOC 2 and ISO 27001 certifications. Alleex Cloud's distinction is that EU hosting is the default with no toggle, and the GDPR compliance features (DSAR portal, audit log, cookie consent) are generated into the app itself rather than being the user's responsibility to add.

Build a GDPR-compliant app today — EU-hosted by default

Free tier, no credit card. Your first app gets EU data residency, a hash-chained audit log, and a generated DSAR portal from the first deploy.