
GDPR and self-hosting

Self-hosting can support GDPR compliance by keeping personal data on infrastructure you control and letting you choose where it sits — but GDPR has no self-hosting requirement, and self-hosting alone is not compliance. You still need a lawful basis, consent records, data minimisation, retention limits, processor agreements, and a way to honour erasure.

Updated 10 Jun 2026 · 7 min read · By fromHello
Key takeaways
  • Self-hosting helps with control and residency; it is not, by itself, GDPR compliance.
  • GDPR does not require EU storage — Chapter V restricts cross-border transfers, which is different.
  • You still owe a lawful basis, consent records, data minimisation, retention limits, and DPAs.
  • Audit logs and consent records contain personal data, so they fall under GDPR too.

What self-hosting does for GDPR

Self-hosting gives you control over where personal data physically sits and who can touch it — encryption keys, retention rules, access policies, and audit trails are yours to set. For a team that cares about data residency and minimising third parties, that is genuinely useful. But control is the means, not the end: GDPR judges what you do with the data, not where the server is.

The myth: self-hosting equals compliance

It does not. If you decide why and how customer data is processed, you are the data controller and carry primary responsibility, whether you self-host or use SaaS. Moving the servers into your VPC changes the residency and the risk surface; it does not discharge a single obligation. This is the single most important thing to get right, and the most commonly oversold.

What self-hosting does not remove: the obligations a data controller owes regardless of where the data lives.

Residency is not the same as a storage rule

A common misreading: that GDPR requires personal data to stay in the EU. It doesn't. GDPR's Chapter V restricts transfers of data outside the EEA unless there's an adequacy decision or appropriate safeguards — that's a rule about transfers, not a mandate to store everything locally. Self-hosting lets you choose your data's jurisdiction, which can simplify transfers, but the obligation is about how you move data, not merely where you keep it.

Your logs are personal data too

One under-appreciated point: the consent records and audit logs you keep to prove compliance themselves contain personal data. They need a lawful basis, minimisation, security, and a retention limit like any other data. Built-in consent tracking, suppression, and audit logs are tooling that supports compliance — they make the obligations operable. They are not a substitute for the legal work, and they don't replace a data protection officer or legal counsel.

FAQ: Common questions

  • Does self-hosting make me GDPR-compliant?

    No. Self-hosting controls where data lives and who can access it, which helps, but you remain the data controller. Compliance is about your practices — lawful basis, consent, minimisation, retention, DPAs — not where the servers are.

  • Does GDPR require me to store data in the EU?

    No. GDPR restricts transfers of personal data outside the EEA (Chapter V) unless there's an adequacy decision or appropriate safeguards. It does not mandate EU-only storage. Residency can simplify transfers, but it isn't itself the rule.

  • What do I still have to do if I self-host?

    Establish a lawful basis, record consent, minimise data and limit retention, sign Article 28 agreements with any processor, secure your logs, and be able to honour rights like access and erasure. Self-hosting doesn't remove any of these.

  • Do consent records and audit logs count as personal data?

    Yes. The records you keep to prove compliance contain personal data, so they need a lawful basis, minimisation, security, and a retention limit of their own.
