The General Data Protection Regulation has been in force since 2018. Eight years in, most SaaS vendors claim compliance, but the details vary enormously. For European businesses, the stakes are real: fines, reputational damage, and the operational cost of switching vendors after a problem surfaces.
Here is what to actually check before committing to a tool.
Where exactly is data stored? “EU servers” is not specific enough. Frankfurt and Dublin are both in the EU. What matters is which entities have legal access to that data, not just where the hardware sits. US companies with EU subsidiaries may still be subject to US data requests under the CLOUD Act.
Who is the data processor? Many SaaS tools use sub-processors — third-party services like analytics providers, error trackers, or email platforms — that may process your users’ data. The GDPR requires vendors to disclose these. If they don’t publish a sub-processor list, ask for one.
What is the DPA situation? A Data Processing Agreement is legally required when you share personal data with a service provider. Many SMEs skip this step. Don’t.
A trustworthy vendor will:
We store all customer data exclusively in Frankfurt (AWS eu-central-1). Our DPA is available for download without contacting sales. We publish our sub-processor list and notify customers via email of any changes 30 days in advance.
For Business plan customers we offer custom data processing addendums and can provide documentation for internal compliance audits on request.
Questions about Taskora’s data practices? Contact our legal team.