undefined | Better HN

0 pointsvillasv4y ago0 comments

> From a GDPR perspective it's not even clear if this is even lawful

It is pretty clear it is

0 comments

No it's not, you can check e.g. the EDPB's recommendation [1] on this. At the very least you'd need to use data mapping and ensure EU citizens data stays within the EU, the author's service advertises "200 edge locations around the world" so I'm skeptical whether data won't leave the EU.

Not many companies care about this and there's little enforcement so far, I think it's fair to think about this though if you're running a privacy-focused web service from Germany.

[1] https://edpb.europa.eu/sites/edpb/files/consultation/edpb_re...

villasvOP4y ago

It's pretty clear that using AWS is lawful. What you're questioning is if AWS is being used in a compliant manner, which is an entirely different thing. It is possible to do so, so there's nothing odd with choosing AWS.

ThePhysicist4y ago

Personally I find it odd to choose AWS (and Cloudflare) for running a privacy-focused service out of Germany. But again, that's just my personal opinion, I guess most people here are fine with this setup. And I'm also at least a bit doubtful that a one-person startup can get all compliance aspects of running services in a global AWS and Cloudflare-based setup right, so I'd recommend using infrastructure that by default will be hosted in the EU so you don't have to worry about this.

anarsdk4y ago

Edge locations refer to the CDN which his static assets are served from, i.e. HTML, JS, CSS, images.

Not customers data.

luckylion4y ago

Data is passed through -unencrypted- those edge locations though.

1 more reply

moooo994y ago

You don't have to obey the GDPR for users outside the EU, so as long as the central storage is located in the EU (and only replicated across EU countries, which is easily configurable), the author is most likely absolutely fine.

By the edge locations, I'd assume he's serving cached static files, such as his blog or tracking scripts from there using CloudFlare. Assuming CloudFlare is not falsely advertising their GDPR compliance, the author is also fine.

ThePhysicist4y ago

As a EU company you have to obey GDPR for all of your users, regardless whether they're EU citizens or not.

cj4y ago

> Ensure EU citizens data stays within the EU

As far as I'm aware, there's no requirement imposed by GDPR requiring that data stay within the EU as long as you have DPA's with Cloudflare, AWS, and any other data processors.

DPAs are very easy to sign with AWS and Cloudflare.

I also don't understand your complaint about "200 edge locations". Are you expecting him not to use a CDN?

j / k navigate · click thread line to collapse

0 comments

ThePhysicist4y ago

Not many companies care about this and there's little enforcement so far, I think it's fair to think about this though if you're running a privacy-focused web service from Germany.

[1] https://edpb.europa.eu/sites/edpb/files/consultation/edpb_re...

villasvOP4y ago

ThePhysicist4y ago

anarsdk4y ago

Edge locations refer to the CDN which his static assets are served from, i.e. HTML, JS, CSS, images.

Not customers data.

luckylion4y ago

Data is passed through -unencrypted- those edge locations though.

1 more reply

moooo994y ago

ThePhysicist4y ago

As a EU company you have to obey GDPR for all of your users, regardless whether they're EU citizens or not.

cj4y ago

> Ensure EU citizens data stays within the EU

As far as I'm aware, there's no requirement imposed by GDPR requiring that data stay within the EU as long as you have DPA's with Cloudflare, AWS, and any other data processors.

DPAs are very easy to sign with AWS and Cloudflare.

I also don't understand your complaint about "200 edge locations". Are you expecting him not to use a CDN?

j / k navigate · click thread line to collapse