EU Object Storage Comparison 2026: R2 vs B2 vs Wasabi vs GCS — Which Is GDPR-Safe?
Post #5 of 5 in the sota.io EU Object Storage Series
Object storage holds the most sensitive data your application processes: user uploads, backups, document archives, media files, and database dumps. Getting the jurisdiction wrong means your GDPR compliance posture collapses at the storage layer — even if everything else is perfectly configured.
Over the past four posts in this series, we analyzed every major US-headquartered object storage provider operating in Europe. The picture that emerges is consistent and alarming: all four providers are US corporations subject to CLOUD Act surveillance orders, regardless of where they store your data in Europe.
This finale synthesizes everything into a decision framework you can use today.
The CLOUD Act Problem Explained
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US law enforcement to issue warrants for data held by US companies anywhere in the world — including EU data centers. The legal mechanism bypasses EU GDPR protections entirely.
Key legal chain:
- US law enforcement issues CLOUD Act warrant to US parent company
- US parent is legally compelled to produce data from European subsidiaries
- EU-based storage location is irrelevant — corporate structure determines jurisdiction
- EU GDPR Art. 44-49 adequacy decisions don't override US CLOUD Act warrants
Under Schrems II (CJEU C-311/18, July 2020), EU supervisory authorities cannot approve transfers where surveillance risk is "not limited to what is strictly necessary." CLOUD Act warrants are not limited — they cover any data the US government requests.
The Series at a Glance: CLOUD Act Risk Scores
| Provider | HQ | CLOUD Act Score | Key Risk Factor |
|---|---|---|---|
| Cloudflare R2 | San Francisco, CA | 16/25 | Control plane US, Zero-egress ≠ zero jurisdiction |
| Backblaze B2 | San Mateo, CA | 13/25 | California corp, EU data center via 3rd party, no EU entity |
| Wasabi | Boston, MA | 14/25 | Massachusetts corp, no EU legal entity, resells Equinix capacity |
| Google Cloud Storage | Delaware (Google LLC) | 20/25 | PRISM-confirmed, FISA 702, highest risk in series |
| Hetzner Object Storage | Gunzenhausen, DE | 0/25 | German GmbH, no US parent, no CLOUD Act exposure |
| Scaleway Object Storage | Paris, FR | 0/25 | French SAS (Iliad group), no US parent |
| OVHcloud Object Storage | Roubaix, FR | 1/25 | French SAS, US CDN partner (minor), best EU pricing |
| MinIO (self-hosted) | — | 0/25 | Open source, deploy on any EU VPS |
Score methodology: 0 = no CLOUD Act risk, 25 = maximum. Points for: US parent company (+8), PRISM/FISA 702 participation (+5), US control plane (+4), US law enforcement compliance process (+3), US-based support access (+3), US metadata storage (+2).
Detailed Risk Analysis
Cloudflare R2 — 16/25
Cloudflare positioned R2 aggressively with zero egress fees, making it attractive for high-traffic EU applications. But "zero egress" refers only to bandwidth pricing — the legal jurisdiction remains 100% US.
Risk factors:
- R2 control plane is US-based. All API requests, bucket configurations, and access control decisions route through Cloudflare's US infrastructure. EU data residency applies only to stored objects.
- Cloudflare account data is US-stored. Your organization's identity, API keys, billing data, and audit logs are in the US, outside GDPR scope.
- Workers Compute isn't EU-guaranteed. If you use R2 with Workers (edge computing), execution happens at the nearest PoP — not necessarily in the EU.
- Zero Trust auth integration. Cloudflare Access/Zero Trust authenticates access to R2 via US-based identity infrastructure.
- Documented law enforcement compliance. Cloudflare's transparency reports show regular law enforcement responses.
GDPR verdict: Cloudflare R2 requires a Transfer Impact Assessment (TIA) under GDPR Art. 44 + Schrems II guidelines. Standard Contractual Clauses (SCCs) alone are insufficient when the controller is a US corporation subject to CLOUD Act.
Backblaze B2 — 13/25
Backblaze scores lowest of the four US providers (13/25), not because it is safer, but because it has a smaller footprint and therefore fewer integration points. The CLOUD Act exposure is still complete.
Risk factors:
- California corporation (NASDAQ:BLZE). Fully subject to US jurisdiction. Going public in 2021 increased scrutiny and regulatory exposure.
- EU data center through third parties. Backblaze doesn't own EU infrastructure — they resell capacity from European colocation providers. This creates a legal chain where data physically sits in the EU but is controlled by a US company.
- No EU legal entity. Unlike AWS or Google, Backblaze has no European subsidiary that could absorb local law. All service contracts are US-governed.
- Weaker enterprise security posture. No SOC 2 Type II (only Type I), no ISO 27001, and limited DPA options compared with larger providers.
GDPR verdict: Despite lower infrastructure risk (fewer integration points), CLOUD Act exposure is complete. Not recommended for regulated EU data.
Wasabi — 14/25
Wasabi Hot Cloud Storage is a popular "cheap S3" alternative, but its EU compliance posture has the same fundamental problem as Backblaze: it's a Massachusetts corporation with no EU legal entity.
Risk factors:
- Wasabi Technologies Inc. is headquartered in Massachusetts and incorporated in Delaware. No EU subsidiary.
- "EU-Central" region without EU legal structure. Wasabi operates EU storage through US corporate contracts. The physical location doesn't create EU jurisdiction.
- Resells Equinix/Corelink capacity in Amsterdam. Third-party data center in the Netherlands, but Wasabi is the data controller — a US entity.
- S3-compatibility brings false security. Switching from AWS S3 to Wasabi doesn't eliminate CLOUD Act risk — it just changes which US company receives the warrant.
- No GDPR DPA (Data Processing Agreement) from an EU entity. All DPAs are signed with Wasabi Technologies Inc. (US), legally undermining GDPR Art. 28 compliance.
GDPR verdict: Wasabi is marketed as an S3 cost-reducer, not an EU compliance solution. The jurisdiction gap is identical to AWS S3.
Google Cloud Storage — 20/25
GCS scores highest in the CLOUD Act risk series — 20/25 — because Google's surveillance history is documented at the highest level of specificity.
Risk factors (maximum severity):
- PRISM program confirmed. NSA PRISM documents from 2013 (Edward Snowden) explicitly list Google as a PRISM participant. This means direct NSA access to Google's systems, not just warrant-based requests.
- FISA 702 orders. Google is subject to Foreign Intelligence Surveillance Court orders — secret orders with no transparency, no appeal, and no limit on scope.
- Control plane is US-based. GCS's IAM, Cloud KMS (encryption key management), Audit Logs, and billing all run from Google's US infrastructure.
- Support access from US. Google Cloud support staff have potential access to customer environments from US locations.
- Cloud KMS US jurisdiction. Even if you enable CMEK (Customer-Managed Encryption Keys), Cloud KMS itself runs under US jurisdiction — Google can be compelled to produce key usage metadata.
- Law enforcement compliance documented. Google publishes transparency reports showing volume of government data requests.
Multi-Region EU ≠ EU jurisdiction: Google's "EU multi-region" storage keeps data physically in the EU — but the legal entity (Google LLC, Delaware) remains US, and CLOUD Act warrants don't require Google to move data before producing it.
GDPR verdict: GCS is the highest-risk option for EU businesses. PRISM confirmation makes this not a theoretical risk but a documented reality. Schrems II + EDPB guidelines make it nearly impossible to justify GCS use for personal data under GDPR Art. 44.
The EU-Native Alternative Stack
All four US providers share the same structural problem: US parent company = CLOUD Act exposure. The solution is simple — use storage from companies incorporated in the EU.
Hetzner Object Storage — 0/25 CLOUD Act Risk
Legal structure: Hetzner Online GmbH, Gunzenhausen, Bavaria, Germany. 100% German company, no US investors, no US parent.
Technical specs:
- S3-compatible API (rclone, boto3, AWS SDK work out of the box)
- Locations: Nuremberg, Falkenstein, Helsinki
- Pricing: €0.0115/GB/month (storage) + €0.01/GB egress
- Included transfer: 1TB free egress per month
- Redundancy: 3-copy replication within location
10TB monthly cost example:
Storage: 10TB × €0.0115 = €115/month
Egress (1TB free + 1TB paid): 1TB × €0.01 = €10/month
Total: ~€125/month
vs GCS: ~€285/month (33TB outbound @€0.08/GB)
GDPR posture: German GmbH under German law (BDSG + GDPR). No US parent = no CLOUD Act exposure. DPA signed with German entity. ISO 27001 certified.
Scaleway Object Storage — 0/25 CLOUD Act Risk
Legal structure: Scaleway SAS, 8 rue de la Ville l'Evêque, Paris, France. Subsidiary of Iliad Group (NASDAQ: ILD — but Iliad is a French company listed on Paris Bourse, not subject to US jurisdiction).
Technical specs:
- S3-compatible API
- Locations: Paris, Amsterdam, Warsaw
- Pricing: €0.015/GB/month (storage) + first 75GB egress free, then €0.01/GB
- Object Lifecycle Management built-in
- Glacier-equivalent cold storage: €0.002/GB/month
GDPR posture: French SAS under French law. Iliad Group is headquartered in Paris. No CLOUD Act exposure. Scaleway is a CISPE (Cloud Infrastructure Services Providers in Europe) member.
OVHcloud Object Storage — 1/25 CLOUD Act Risk
Legal structure: OVH SAS, Roubaix, France. European company; 1 point assigned for a minor US CDN partnership.
Technical specs:
- S3-compatible API (Standard + High Performance tiers)
- Locations: 15+ EU data centers (Paris, Strasbourg, London, Frankfurt, Warsaw, etc.)
- Pricing: €0.0085/GB/month — lowest in this comparison
- High Performance tier (SSD): €0.07/GB/month
- Egress: Free within OVH ecosystem, €0.011/GB external
10TB monthly cost example:
Storage: 10TB × €0.0085 = €85/month
Egress (10% external): 1TB × €0.011 = €11/month
Total: ~€96/month
vs Wasabi: ~€99/month (no egress fees but higher base)
vs GCS: ~€285/month
GDPR posture: OVH SAS is a French company. CISPE member. ISO 27001 + HDS (French health data) certified. EUCS (EU Cybersecurity Certification Scheme) aligned.
MinIO (Self-Hosted) — 0/25 CLOUD Act Risk
Legal structure: You are the operator. MinIO Inc. is a US company, but the software is Apache 2.0 open source — you deploy it on EU infrastructure you control.
Technical specs:
- Fully S3-compatible API (drop-in replacement)
- Deploy on any EU VPS: Hetzner Cloud (CCX13, €26/month), OVH VPS, Scaleway
- AGPL license for self-hosted, commercial license for production OEM
- MinIO Console: web UI for bucket management
- Distributed mode: multi-node erasure coding for durability
Recommended EU deployment:
```bash
# Hetzner Cloud CX22 (€5.83/month, 4 vCPU, 8GB RAM, 80GB SSD)
# + Hetzner Volume (€0.048/GB/month for extra storage)
# Replace the placeholder credentials before running; port 9000 serves the S3 API,
# port 9001 the MinIO Console
docker run -d \
  -p 9000:9000 -p 9001:9001 \
  -v /mnt/minio-data:/data \
  -e "MINIO_ROOT_USER=youradmin" \
  -e "MINIO_ROOT_PASSWORD=yourstrongpassword" \
  quay.io/minio/minio server /data --console-address ":9001"
```
GDPR posture: Zero CLOUD Act exposure. You control the data, the infrastructure, and the legal agreements. Ideal for regulated industries (healthcare, legal, financial).
Migration Guide: Moving from US to EU Object Storage
All S3-compatible providers support migration via rclone — the same tool works for all.
Step 1: Install rclone and configure remotes
```bash
# Install rclone (review the script before piping it into a root shell, or use
# your distribution's package instead)
curl https://rclone.org/install.sh | sudo bash

# Configure source (example: Wasabi)
rclone config create wasabi-source s3 \
  provider=Wasabi \
  access_key_id=YOUR_WASABI_KEY \
  secret_access_key=YOUR_WASABI_SECRET \
  endpoint=s3.eu-central-1.wasabisys.com \
  region=eu-central-1

# Configure destination (example: Hetzner)
rclone config create hetzner-dest s3 \
  provider=Other \
  access_key_id=YOUR_HETZNER_KEY \
  secret_access_key=YOUR_HETZNER_SECRET \
  endpoint=fsn1.your-objectstorage.com \
  region=eu-central
```
Step 2: Dry-run migration check
```bash
# List all buckets in source
rclone lsd wasabi-source:

# Dry run to see what would be copied
rclone copy --dry-run wasabi-source:your-bucket hetzner-dest:your-bucket \
  --progress --stats 30s
```
Step 3: Parallel migration with bandwidth control
```bash
# Production migration. Comments sit on their own lines: a comment placed after
# a trailing backslash breaks the line continuation and truncates the command.
#   --transfers 16   16 parallel file transfers
#   --checkers 8     8 parallel metadata checkers
#   --bwlimit 100M   100 MB/s bandwidth limit
rclone copy wasabi-source:your-bucket hetzner-dest:your-bucket \
  --progress \
  --stats 30s \
  --transfers 16 \
  --checkers 8 \
  --bwlimit 100M \
  --log-file /var/log/rclone-migration.log
```
Step 4: Verify integrity
```bash
# Check that checksums match between source and destination
# --one-way: only check that every source object exists in the destination
rclone check wasabi-source:your-bucket hetzner-dest:your-bucket \
  --one-way
```
Step 5: Update application configuration
For most applications, you only need to change three environment variables:
```bash
# Before (Wasabi)
S3_ENDPOINT=s3.eu-central-1.wasabisys.com
S3_BUCKET=your-bucket
S3_REGION=eu-central-1

# After (Hetzner)
S3_ENDPOINT=fsn1.your-objectstorage.com
S3_BUCKET=your-bucket
S3_REGION=eu-central
```
Most S3 SDKs support custom endpoints — no code changes beyond configuration.
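A configuration swap is only as durable as the next deployment manifest, so as an added example (not from the post or any provider's SDK) here is a Python startup guard that reads the three S3_* variables from Step 5 and refuses to build client settings unless the endpoint host is on an explicit EU provider allowlist. The Hetzner host suffix is taken from the post; the self-hosted MinIO hostname is a hypothetical placeholder.

```python
"""Startup guard: fail closed if S3_ENDPOINT points outside the EU allowlist.

Added example, not part of the original post. A stale S3_ENDPOINT in a
deployment manifest would silently send uploads back to a US-controlled
provider; this check turns that drift into a startup error.
"""
from urllib.parse import urlsplit

# Constructed allowlist of host suffixes. The Hetzner suffix comes from the
# post's migration example; the MinIO entry is a hypothetical internal name.
EU_ENDPOINT_SUFFIXES = (
    ".your-objectstorage.com",   # Hetzner Object Storage
    ".minio.internal.example",   # hypothetical self-hosted MinIO
)


class JurisdictionError(ValueError):
    """Raised when S3_ENDPOINT is not an allowlisted EU endpoint."""


def endpoint_host(endpoint: str) -> str:
    """Normalize S3_ENDPOINT (with or without scheme/port) to a lowercase host."""
    if "://" not in endpoint:
        endpoint = "https://" + endpoint
    host = urlsplit(endpoint).hostname
    if not host:
        raise ValueError(f"unparseable S3_ENDPOINT: {endpoint!r}")
    return host.lower()


def is_eu_endpoint(endpoint: str) -> bool:
    """True only for allowlisted hosts. The suffix starts with a dot, so a
    look-alike such as evil-your-objectstorage.com does not match."""
    host = endpoint_host(endpoint)
    return any(host.endswith(suffix) for suffix in EU_ENDPOINT_SUFFIXES)


def s3_client_settings(env: dict) -> dict:
    """Build keyword arguments for an S3 SDK client (e.g. boto3.client) from
    the three variables the post changes; raise instead of falling back."""
    try:
        endpoint = env["S3_ENDPOINT"]
        bucket = env["S3_BUCKET"]
        region = env["S3_REGION"]
    except KeyError as exc:
        raise ValueError(f"missing required setting {exc.args[0]}") from None
    host = endpoint_host(endpoint)
    if not is_eu_endpoint(endpoint):
        raise JurisdictionError(f"{host} is not an allowlisted EU endpoint")
    return {"endpoint_url": "https://" + host, "region_name": region, "bucket": bucket}


if __name__ == "__main__":
    after = {"S3_ENDPOINT": "fsn1.your-objectstorage.com",
             "S3_BUCKET": "your-bucket", "S3_REGION": "eu-central"}
    print(s3_client_settings(after))
```

Pass the returned `endpoint_url` and `region_name` straight to your SDK's client constructor and keep `bucket` for the calls that need it.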
Decision Framework: Which Storage Is Right for You?
| Use Case | Recommended | Why |
|---|---|---|
| Healthcare data (HIPAA/GDPR sensitive) | MinIO on Hetzner | Full control, zero cloud exposure, HDS-equivalent |
| EU SaaS user uploads | Hetzner Object Storage | German GmbH, ISO 27001, best reliability/price ratio |
| Multi-region EU coverage | OVHcloud Object Storage | 15+ EU locations, lowest price, CISPE member |
| High-volume CDN assets | Scaleway + CDN | Paris/AMS/WAW, Glacier tier for archives, cost-effective |
| Dev/staging environments | Any EU provider | Risk lower, optimize for developer ergonomics |
| Existing S3 code, fast migration | OVHcloud (S3-compat) | Drop-in, no code changes needed, €0.0085/GB |
| Financial data (DORA regulation) | Hetzner or OVHcloud | Both CISPE, both auditable under EU jurisdiction |
| Regulated industries (NIS2 essential) | Hetzner or MinIO | German/French jurisdiction, full audit trail |
Risk Comparison by Regulatory Framework
| Regulation | R2 (16/25) | B2 (13/25) | Wasabi (14/25) | GCS (20/25) | Hetzner (0/25) |
|---|---|---|---|---|---|
| GDPR Art. 44 (transfers) | ⚠️ TIA required | ⚠️ TIA required | ⚠️ TIA required | ❌ Very high risk | ✅ No transfer |
| GDPR Art. 28 (DPA) | ⚠️ US entity | ⚠️ US entity | ⚠️ US entity | ⚠️ US entity | ✅ EU DPA |
| NIS2 (essential services) | ⚠️ Risk factor | ⚠️ Risk factor | ⚠️ Risk factor | ❌ PRISM risk | ✅ Compliant |
| DORA (financial) | ⚠️ Notify DPA | ⚠️ Notify DPA | ⚠️ Notify DPA | ❌ Avoid | ✅ Preferred |
| EUCS (Level 3 sovereign) | ❌ Not possible | ❌ Not possible | ❌ Not possible | ❌ Not possible | ✅ Eligible |
| CADA (AI governance) | ⚠️ Training data risk | ⚠️ Risk | ⚠️ Risk | ❌ Highest risk | ✅ Safe |
Cost Comparison at Scale (10TB Storage + 2TB Monthly Egress)
| Provider | Storage (10TB) | Egress (2TB) | Monthly Total |
|---|---|---|---|
| Google Cloud Storage | $230 | $55 | ~€265/month |
| Cloudflare R2 | $150 | FREE | ~€150/month |
| Wasabi | $99 | FREE | ~€99/month |
| OVHcloud | $85 | $22 | ~€107/month |
| Hetzner | $115 | $10 | ~€125/month |
| Scaleway | $150 | $15 (after 75GB free) | ~€165/month |
| MinIO (self-hosted) | $6 (Hetzner Cloud CCX13) + $48 (Hetzner Volume) | | ~€55/month |
Price winner: MinIO self-hosted (€55/month), but requires operational overhead.
Managed EU winner: OVHcloud (€96/month) — lowest managed EU price.
Zero-egress illusion: Cloudflare R2 looks cheap at this scale, but GDPR TIA requirements add legal costs that often exceed the storage savings.
The Bottom Line
After analyzing four US object storage providers across five posts, the conclusion is unambiguous:
No US-headquartered object storage provider can guarantee GDPR compliance for personal data under current EU law. Not Cloudflare R2 (zero egress marketing), not Backblaze B2 (budget-friendly), not Wasabi (cheap S3 alternative), and certainly not Google Cloud Storage (PRISM-confirmed).
The CLOUD Act is permanent US federal law. It applies to every US corporation. The only reliable path to EU object storage compliance is:
- EU-incorporated provider (Hetzner, Scaleway, OVHcloud) — no CLOUD Act exposure by corporate structure
- Self-hosted on EU infrastructure (MinIO on Hetzner/OVH) — you control the entire stack
- EUCS Level 3 certified providers — when available, highest sovereignty guarantee
For EU businesses handling personal data — which is virtually all EU SaaS companies — the migration from US to EU object storage isn't optional under GDPR. It's a legal requirement hiding in plain sight.
The good news: migration is technically straightforward with rclone, costs are competitive (OVHcloud beats Wasabi on price), and EU-native providers offer the same S3-compatible APIs your applications already use.
EU Object Storage Series — Complete Posts
- Cloudflare R2 EU Alternative 2026 — Zero Egress ≠ Zero Jurisdiction (16/25)
- Backblaze B2 EU Alternative 2026 — California Corp, No EU Entity (13/25)
- Wasabi EU Alternative 2026 — Boston MA, Resells Equinix EU Capacity (14/25)
- Google Cloud Storage EU Alternative 2026 — PRISM-Confirmed, Highest Risk (20/25)
- EU Object Storage Comparison Finale 2026 — This post
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.