Sovereignty Scan
Scan
Sovereignty Scan/Vendors/EU- & EWR-Anbieter
Risk indicator, not a GDPR compliance verdict. Point-in-time assessment based on public web stack signals.Methodology & LimitationsCorrect listing / submit response

Jurisdiction

Recommended

EU- & EWR-Anbieter: GDPR Assessment & Vendor List

Anbieter mit Hauptsitz und Datenverarbeitung in der EU oder im EWR unterliegen direkt der DSGVO. Ein Drittlandtransfer ist nicht erforderlich, was die rechtssicherste Option für DACH-B2B darstellt.

101 curated profiles269 total detectedDSGVO-Baseline · kein Drittlandtransfer

Last updated:

Vendors

Sorted by category

Each entry links to a dedicated profile with GDPR verdict, ownership chain, data categories, migration plan and FAQ.

E-Signatur

All E-Signatur vendors

1 providers · Elektronische Unterschriften & eIDAS

Other jurisdictions:UK & SchweizUS-AnbieterAnbieterprüfung

Frequently asked questions

EU- & EWR-Anbieter: in brief

Are all EU providers automatically GDPR compliant?

EU providers are directly subject to GDPR and no third-country transfer is required. This is the most legally secure starting position. However: even an EU provider needs a DPA, documented technical and organisational measures, and must disclose its subprocessor list. Some EU providers use US subprocessors for hosting or email delivery and are thereby indirectly exposed to the CLOUD Act. We flag this in the profile.

What is the difference between EU and EEA?

The European Economic Area (EEA) comprises the EU plus Norway, Iceland, and Liechtenstein. EEA states have implemented GDPR or an equivalent regulation. Data exports between the EU and EEA are not third-country transfers. In practice, supervisory authorities treat EEA and EU identically.

Which EU hosting providers are particularly relevant?

Hetzner (DE), OVHcloud (FR), IONOS (DE), Scaleway (FR), Open Telekom Cloud (DE), STACKIT (DE), and for sovereignty-critical workloads the Gaia-X and EuroStack initiatives. For SaaS stacks the question is usually not ‘where does the server run’ but ‘who owns the provider’. Both must be EU, otherwise the CLOUD Act applies.

How did the Sovereignty Scan determine the jurisdiction?

We check the registered seat and parent company (commercial register, legal notice, privacy policy), the contractual partner for EU customers, the hosting region, and the subprocessor list. For multi-level structures (EU contractual partner + US parent), we label the primary jurisdiction and additionally flag ‘third-country transfer check required’.

Also by category

Vendor overview by application area

Terminbuchung26Lead-Routing & Terminbuchung8CRM33Formulare & Lead-Erfassung39E-Signatur7Sales-Content / Deal Rooms2Analytics & Tracking119Tag Management & CDPs20Session-Replay & Heatmaps9E-Mail-Marketing & Versand44Office & Kommunikation13Live-Chat & Support33Video-Konferenzen14Zahlungen20CDN17Hosting / Compute25DNS-Provider6Error-Tracking4

Next Step

Which EU- & EWR-Anbieter are running on your website?

60 seconds, no login. The Sovereignty Scan lists all detected tools with jurisdiction, ownership chain and matching EU alternative.

Start Sovereignty ScanBack to vendor directoryMethodology