GDPR Consent Management 2026: TCF 2.2, Cookie Walls, Dark Patterns & the Proof-of-Consent Stack for SaaS Developers
Every SaaS developer who processes personal data eventually faces the consent management question: when do you need consent, what does valid consent actually require, and how do you prove you have it if a Data Protection Authority audits you? The answer in 2026 is more precisely defined — and more rigorously enforced — than it was at GDPR's 2018 launch.
Enforcement has moved beyond symbolic fines for missing cookie banners. The Irish DPC, the French CNIL, the Spanish AEPD, and the Italian Garante have all issued significant fines specifically for consent mechanism failures: consent records that didn't capture what the data subject actually agreed to, withdrawal mechanisms buried in settings pages, pre-ticked boxes still appearing on forms, and cookie walls that forced consent as a condition of service access.
This guide covers the complete technical stack for GDPR-compliant consent management: the legal foundation in Art.4(11) and Art.7, the ePrivacy Directive overlay, TCF 2.2's architecture and limitations, cookie wall legality, prohibited dark patterns, the proof-of-consent database schema, withdrawal symmetry, children's consent under Art.8, the EU sovereignty risk in standard CMP infrastructure, and a 15-item implementation checklist.
The Legal Foundation: Art.4(11) and Art.7
GDPR Art.4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Four conditions are packed into this definition. Each is independently necessary — failing any one renders the consent legally invalid.
Freely given
Consent is not freely given when:
-
There is an imbalance of power between controller and data subject. The EDPB is particularly strict here for employment relationships: consent from employees to employer data processing is presumptively invalid because employees fear consequences for refusing. Use a different lawful basis (legitimate interest or legal obligation) for employment-context processing wherever possible.
-
Consent is bundled with service access as a condition. You cannot condition access to a service on consent to processing that is not necessary for that service. A SaaS product that requires consent to marketing emails as a condition of account creation fails the "freely given" test.
-
There is a significant negative consequence for withdrawing consent. If your product degrades in a material way when consent is withdrawn — beyond the loss of the specific functionality the consent enabled — the initial consent was not freely given.
-
Granularity is absent. The EDPB's Guidelines 05/2020 on consent require that where processing serves multiple distinct purposes, the data subject must be able to give consent to each purpose separately. A single "I agree to all uses" checkbox for analytics, marketing, and third-party sharing fails this test.
Specific
Consent must be tied to a defined purpose. "Use of your data for improving our services" is not specific enough. Each processing purpose must be described with enough precision that the data subject understands what processing will happen, with what data, for how long, and by whom.
The specificity requirement is the reason granular purpose selection UI is a compliance necessity, not a UX nicety. The EDPB has consistently held that purpose descriptions must be concrete enough that the data subject can genuinely evaluate the trade-off they are making.
Informed
Before consent is given, the controller must provide — at minimum — the information required by Art.13 (for data collected directly from the subject) or Art.14 (for data obtained from third parties):
- The controller's identity and contact details
- The Data Protection Officer's contact details (where applicable)
- The purposes and legal bases for processing
- The recipients or categories of recipients
- The data subject's rights (access, erasure, portability, objection)
- The right to withdraw consent at any time without detriment
- Where processing involves automated decision-making, meaningful information about the logic involved
In practice, for cookie consent, "informed" requires disclosing which third parties will receive the data, what tracking technologies are used, and how long data will be retained — before consent is obtained, not after.
Unambiguous indication by clear affirmative action
Silence, pre-ticked boxes, inactivity, and scrolling are not valid consent. The data subject must perform a deliberate, affirmative action — clicking a clearly labelled "Accept" button, actively selecting a checkbox, or similar — that unambiguously signals agreement to the specific processing described.
This directly prohibits the once-common practice of presenting a banner with "By continuing to use this site, you agree to our use of cookies." Continuing to navigate is not a clear affirmative action.
The ePrivacy Directive Overlay
GDPR Art.6 governs lawful bases for processing personal data. The ePrivacy Directive (2002/58/EC as amended) governs specifically the use of electronic communications data and the placing of cookies or similar tracking technologies on a user's device.
The critical rule: the ePrivacy Directive requires prior consent for any cookies or tracking technologies that are not strictly necessary for the service the user has requested, regardless of whether those cookies process personal data in the GDPR sense.
This creates the following matrix:
| Cookie type | ePrivacy requirement | GDPR requirement |
|---|---|---|
| Session cookies (login state, shopping cart) | Exempt — strictly necessary | Legitimate interest (Art.6(1)(f)) or contract |
| Security cookies (CSRF tokens) | Exempt — strictly necessary | Legitimate interest |
| Analytics cookies (Google Analytics, Matomo) | Consent required | Consent (Art.6(1)(a)) |
| Marketing/advertising cookies | Consent required | Consent (Art.6(1)(a)) |
| A/B testing (if tracking individual users) | Consent required | Consent or legitimate interest depending on implementation |
| First-party analytics without cross-site tracking | Potentially exempt in some Member States | Legitimate interest may apply |
The interaction matters: even if you could argue legitimate interest under GDPR for analytics, the ePrivacy Directive's stricter consent requirement for cookie-based tracking applies first. You cannot use GDPR's legitimate interest balancing test to bypass the ePrivacy Directive's consent mandate.
TCF 2.2: What It Is and Where Its Limits Lie
The IAB Europe Transparency & Consent Framework (TCF), now at version 2.2, is the industry-standard mechanism for propagating consent signals across the digital advertising supply chain. CMPs that implement TCF 2.2 read and write a consent string — a base64-encoded binary blob stored in a cookie — that encodes:
- Which vendors have been granted consent
- Which purposes consent covers (TCF defines 11 standard purposes)
- Which special features consent covers (geolocation, device fingerprinting)
- Which legitimate interest claims vendors have made and whether the user has objected
TCF 2.2 Purpose taxonomy
| Purpose ID | Purpose | Typical use case |
|---|---|---|
| 1 | Store and/or access information on a device | Reading/writing cookies |
| 2 | Use limited data to select advertising | Basic ad targeting |
| 3 | Create profiles for personalised advertising | Behavioral ad profiling |
| 4 | Use profiles to select personalised ads | Serving targeted ads |
| 5 | Create profiles to personalise content | Content personalization |
| 6 | Use profiles to select personalised content | Serving personalized content |
| 7 | Measure advertising performance | Ad attribution |
| 8 | Measure content performance | Content analytics |
| 9 | Understand audiences through statistics | Aggregate audience insights |
| 10 | Develop and improve services | Product improvement from data |
| 11 | Use limited data to select content | Basic content selection |
A CMP implementing TCF 2.2 presents the user with granular toggles for these purposes and for individual vendors, writes the resulting consent string to a EUCONSENT-V2 cookie, and makes it available to downstream vendors via the TCF API (window.__tcfapi).
The TCF 2.2 compliance problem
In 2022, the Belgian DPA (APD) ruled that the IAB TCF mechanism itself violated GDPR — specifically that the consent obtained through TCF was not valid "freely given" consent because of the complexity of the vendor list (currently >900 vendors) and the practical impossibility of a user making genuine informed choices. The European Data Protection Board supported this view.
The IAB reached a settlement with the APD and released TCF 2.2 with modifications, but the underlying tension remains: TCF 2.2 consent may not survive DPA scrutiny in all Member States, particularly for purpose 1 (device storage/access) when combined with large vendor counts.
For SaaS developers, the practical implication is:
- If you use a TCF-based CMP for advertising purposes, document your assessment of why the consent obtained is valid under your specific use case
- If you use analytics only (no advertising), consider whether you can avoid TCF entirely and implement a simpler first-party consent mechanism
- If you operate in multiple Member States, check whether national DPAs have issued specific guidance on TCF validity in their jurisdiction
Cookie Walls: The Pay-or-Consent Model
A cookie wall conditions access to a website or service on accepting tracking cookies — the "consent or leave" model. The question is whether this makes consent freely given.
In 2023, the EDPB issued Opinion 05/2023 on cookie walls and the "pay or okay" model. The EDPB's position:
Cookie walls (without a paid alternative) = consent not freely given. Conditioning service access on accepting tracking cookies fails the "freely given" test because there is a significant negative consequence (loss of service access) for refusing consent. The CNIL has taken the same position.
Pay-or-okay models may be valid — with conditions. The EDPB acknowledged that offering a paid alternative (subscribing to avoid tracking) can make consent genuine, provided:
- The paid alternative is not excessively priced — the price must represent a genuine equivalent to the value the advertiser pays for the user's data, not a punitive barrier designed to force consent
- The paid alternative provides equivalent service quality and functionality
- The data subject has a genuine free choice and is not subject to pressure
- The controller can demonstrate that the price reflects fair valuation, not a deterrence mechanism
In practice, several large European media publishers have implemented pay-or-okay models. DPA enforcement on pricing has been inconsistent, and the Court of Justice of the EU has not yet ruled definitively. If you are building a subscription-supported product, legal advice on your specific pay-or-okay implementation is essential before deployment.
Dark Patterns: The EDPB Prohibited List
The EDPB's Guidelines 03/2022 on dark patterns in social media platforms (but with general applicability) identify specific prohibited consent interface patterns. The list applies to any consent mechanism, not just social media.
Interface dark patterns that invalidate consent
Confirmshaming: Labelling the "decline" option with emotionally charged language that induces guilt. Example: "No thanks, I prefer less relevant ads" or "No thanks, I don't mind more data breaches." The decline option must be neutral.
Trick questions: Using double-negatives or confusing question phrasing to induce accidental consent. "Uncheck to not receive our newsletter" is a trick question.
Hidden default options: Pre-selecting consent checkboxes. Any pre-ticked box results in invalid consent. The user must actively tick to consent.
Visual misdirection: Designing the "Accept all" button to be visually prominent (large, brightly coloured, centrally placed) while making "Reject all" or "Manage preferences" visually subordinate (small, grey, peripheral). The EDPB requires that the options to accept and decline be presented with equivalent visual salience. The French CNIL has specifically fined controllers for this: the "Accept all" and "Refuse all" buttons must be the same size, same colour weight, and equally prominent.
Hiding the reject option: Placing the "Reject all" option only inside a nested settings menu, while "Accept all" is available on the first layer. The CNIL and ICO both require that the option to refuse consent be as easy to exercise as the option to give it — meaning a single-click "Reject all" option must be available at the same level of the interface as "Accept all."
Endless clicking: Requiring the user to navigate through a multi-step process to refuse consent, while "Accept all" is available with a single click on the first screen. The symmetry requirement is strict.
Urgency language: Creating false urgency to pressure consent. "Limited offer: click Accept before your session expires" is prohibited.
Forced action: Requiring the user to interact with advertising content or perform an unrelated action before being able to decline consent.
The EDPB's position: if any of these patterns appear in your consent UI, the consent obtained is invalid, regardless of whether the user technically clicked a button that said "Accept."
Proof-of-Consent: What Art.7(1) Requires You to Store
GDPR Art.7(1) imposes a burden on the controller: where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
"Shall be able to demonstrate" is an evidentiary standard. If a data subject complains to a DPA, or a DPA audits you, you must produce evidence showing:
- That this specific data subject gave consent
- What they consented to (which purposes, which processing)
- When they consented
- How they consented (what interface version, what they were shown)
- That the interface was compliant when consent was given (no dark patterns, correct information provided)
This requires a consent audit log that preserves the state of the consent interface at the time consent was given.
Proof-of-consent database schema
-- Consent records (immutable append-only)
CREATE TABLE consent_records (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID NOT NULL REFERENCES users(id),
session_id TEXT,
event_type TEXT NOT NULL CHECK (event_type IN ('grant', 'withdraw', 'update')),
-- What was consented to
purposes JSONB NOT NULL, -- e.g. {"analytics": true, "marketing": false}
vendors JSONB, -- for TCF: vendor IDs and their granted purposes
-- How consent was obtained
interface_version TEXT NOT NULL, -- hash or semver of the banner version shown
interface_snapshot_url TEXT, -- link to archived screenshot/HTML of the interface
-- Context
ip_address TEXT, -- for jurisdictional purposes (anonymise after audit period)
user_agent TEXT,
page_url TEXT NOT NULL,
-- Timestamps
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- Current consent state per user (derived view — do not mutate)
CREATE VIEW current_consent AS
SELECT DISTINCT ON (user_id, purpose)
user_id,
purpose,
granted,
created_at AS consented_at
FROM (
SELECT
user_id,
(jsonb_each(purposes)).key AS purpose,
(jsonb_each(purposes)).value::boolean AS granted,
created_at
FROM consent_records
ORDER BY created_at DESC
) AS expanded
ORDER BY user_id, purpose, created_at DESC;
-- Interface versions (what the user was actually shown)
CREATE TABLE consent_interface_versions (
version TEXT PRIMARY KEY,
deployed_at TIMESTAMPTZ NOT NULL,
retired_at TIMESTAMPTZ,
html_snapshot TEXT NOT NULL, -- full HTML of the banner at this version
purposes_list JSONB NOT NULL -- canonical purpose descriptions shown
);
The interface_snapshot_url or html_snapshot field is critical. It allows you to demonstrate, months or years later, exactly what information the user was presented with when they consented. Without this, you cannot prove the consent was informed.
Retention period for consent records
Consent records must be retained for as long as you rely on that consent for any processing. After the consent is withdrawn and all processing based on it ceases, EDPB guidance suggests retaining the record for the period during which a complaint could be filed — typically 2-3 years in most Member States, though this varies by jurisdiction.
Do not delete consent records when a user deletes their account. If a DPA investigation opens after account deletion, you still need to demonstrate that processing during the account's active period was based on valid consent.
Consent Withdrawal: The Symmetry Requirement
GDPR Art.7(3) states: "The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw consent as to give it."
"As easy to withdraw as to give" is an operational requirement, not a design aspiration. It creates a symmetry obligation:
| Consent was given via | Withdrawal must be possible via |
|---|---|
| A single-click banner | A single-click withdrawal mechanism |
| A settings page toggle | A settings page toggle at the same depth |
| An email subscription checkbox | An unsubscribe link in every email |
| A pop-up during app onboarding | An accessible in-app consent management screen |
Withdrawal mechanisms buried three levels deep in account settings, or available only by contacting customer support, fail this requirement.
Withdrawal effect: immediate processing cessation
Withdrawal must take effect immediately for ongoing processing. You cannot continue to send marketing emails for a "transition period" after an unsubscribe request. You cannot continue analytics tracking after consent withdrawal. The controller must:
- Stop all processing based on the withdrawn consent immediately
- Update the consent record with a withdrawal event
- Propagate withdrawal to all processors who were authorised based on that consent (Art.28 obligation chain)
- Confirm withdrawal to the data subject where they have requested confirmation
Withdrawal does not require you to delete historical data that was lawfully processed before withdrawal. If you tracked analytics events when consent was active, those historical events are lawful. But the collection of new events must stop immediately.
async function withdrawConsent(
userId: string,
purposes: string[],
requestContext: { ipAddress: string; userAgent: string; pageUrl: string }
): Promise<void> {
// 1. Record the withdrawal (immutable event)
await db.consentRecords.create({
userId,
eventType: 'withdraw',
purposes: Object.fromEntries(purposes.map(p => [p, false])),
interfaceVersion: CURRENT_INTERFACE_VERSION,
...requestContext,
});
// 2. Update live processing flags immediately
await Promise.all([
analyticsService.disableTracking(userId),
marketingService.suppressUser(userId),
thirdPartyAdNetwork.optOut(userId),
]);
// 3. Notify downstream processors
await notifyProcessorsOfWithdrawal(userId, purposes);
// 4. Confirm to data subject
await sendWithdrawalConfirmation(userId);
}
Children and Consent: Art.8 Requirements
GDPR Art.8 applies specifically to information society services offered directly to children. The rules:
- Age threshold: In the UK and Germany, the threshold is 13. In most other Member States, it is 16, unless Member State law has set a lower threshold (down to 13). There is no single EU-wide threshold.
- Parental consent required: For children below the applicable threshold, consent for processing must be authorised or given by the holder of parental responsibility.
- Verification: The controller must make "reasonable efforts" to verify that parental consent has been obtained. The standard of "reasonable efforts" is technology-commensurate — a children's social platform faces higher verification requirements than a general-purpose productivity tool that incidentally attracts some users below 16.
- Notice must be child-appropriate: Information provided to children must be in clear, plain language that a child of the relevant age can understand.
If your SaaS product is not intentionally targeted at children, you should still implement age gating if there is a reasonable probability that users below the applicable threshold will use the product. The EDPB and national DPAs have taken a practical view: "general audience" platforms that have significant child user bases cannot rely on "not targeted at children" to avoid Art.8 obligations.
The EU Sovereignty Risk in Standard CMP Infrastructure
Most commercial CMPs (OneTrust, Cookiebot, Usercentrics, TrustArc, Didomi) are built on US-incorporated parent entities with infrastructure that includes US-based data processing.
What this means in practice: When your CMP records a consent event, that event — which constitutes personal data (it is tied to the user's identity or device) — is transmitted to the CMP's servers. If those servers are operated by a US entity subject to CLOUD Act jurisdiction, the consent record itself is accessible to US law enforcement under a CLOUD Act production order, without EU judicial review.
The specific exposure:
| Risk | Description |
|---|---|
| CLOUD Act subpoena | US DOJ or law enforcement can compel CMP provider to disclose consent records tied to identified individuals |
| FISA 702 collection | NSA bulk collection programs may have access to consent signal infrastructure |
| Privacy Shield/DPF invalidation | If the EU-US Data Privacy Framework is invalidated (as Privacy Shield was in Schrems II), consent data stored on US CMP servers may lack a valid transfer basis |
| Processor chain compliance | The CMP is your Art.28 processor; if you cannot audit their US data flows, your Art.28 DPA is incomplete |
Practical mitigations for EU-hosted SaaS:
- Self-hosted CMP: Matomo's consent solution, Open Cookie Banner, or a custom implementation stores consent records only in your own database. Zero third-party transfer of consent data.
- EU-incorporated CMP with EU-only infrastructure: Borlabs Cookie (German entity), Consentmanager.net (German/Austrian entity), and several others offer EU-incorporated, EU-infrastructure options.
- Contractual controls: If using a US CMP, verify your Art.28 DPA includes: (a) contractual prohibition on responding to US government orders without prior notice to you, (b) commitment to challenge over-broad orders, (c) EU-only data storage option. Note: contractual commitments cannot override US law, but they create evidence of your due diligence.
- First-party consent database: Even if you use a commercial CMP for the UX layer, replicate consent records to your own EU-hosted database immediately. This ensures your proof-of-consent evidence is not dependent on a third party whose jurisdiction is uncertain.
Implementation: The Compliant Consent Flow
// Types
interface ConsentPurposes {
analytics: boolean;
marketing: boolean;
personalization: boolean;
thirdPartySharing: boolean;
}
interface ConsentRecord {
userId: string | null; // null for pre-login consent (use deviceId)
deviceId: string;
purposes: ConsentPurposes;
interfaceVersion: string;
consentedAt: Date;
ipAddressRegion: string; // store region only, not full IP
userAgent: string;
}
// Before any non-essential processing: check consent
async function hasValidConsent(
userId: string,
purpose: keyof ConsentPurposes
): Promise<boolean> {
const record = await db.currentConsent.findFirst({
where: { userId, purpose },
orderBy: { consentedAt: 'desc' },
});
return record?.granted === true;
}
// Apply consent gate to analytics
async function trackEvent(
userId: string,
event: AnalyticsEvent
): Promise<void> {
if (!(await hasValidConsent(userId, 'analytics'))) {
return; // Silent skip — do not track
}
await analyticsBackend.track(userId, event);
}
The key pattern: never process before checking consent state, and fail silently (not with an error) when consent is absent. From the user's perspective, the service works the same with or without consent to non-essential processing; it simply collects less data in the consent-absent state.
The 15-Item GDPR Consent Implementation Checklist
| # | Requirement | Legal basis | Common failure |
|---|---|---|---|
| 1 | "Accept all" and "Reject all" are equally prominent in the first-layer UI | CNIL; EDPB Guidelines 03/2022 | "Reject all" hidden in nested menu |
| 2 | No pre-ticked checkboxes | Art.4(11); Art.7(2) | Opt-out framing with defaults |
| 3 | Separate purpose toggles for each distinct processing purpose | EDPB Guidelines 05/2020 | Single "I agree to everything" checkbox |
| 4 | Vendor list disclosed before consent given | Art.13(1)(e) | Vendors revealed only after acceptance |
| 5 | No cookies set before consent given (except strictly necessary) | ePrivacy Directive Art.5(3) | Third-party scripts loading on page load |
| 6 | Consent record created with interface version and timestamp | Art.7(1) | No audit log |
| 7 | Interface snapshot stored for each version | Art.7(1) — demonstrability | Cannot prove what user was shown |
| 8 | "Withdraw consent" option available in account settings, one click | Art.7(3) | Buried in nested settings or requires email |
| 9 | All processing stops within seconds of withdrawal | Art.7(3) | Marketing emails continue for days |
| 10 | Downstream processors notified of withdrawal | Art.28 | Third-party retargeting continues after opt-out |
| 11 | Children's age gating where service is likely to reach under-16s | Art.8 | No age verification for general-audience apps |
| 12 | No cookie wall without equivalent paid alternative | EDPB Opinion 05/2023 | Consent required for service access |
| 13 | Consent records stored in EU-jurisdiction infrastructure | GDPR transfers; CLOUD Act risk | CMP stores data in US |
| 14 | Consent UI tested for dark patterns (confirmshaming, trick questions, urgency) | EDPB Guidelines 03/2022 | "No thanks, I like irrelevant ads" buttons |
| 15 | Consent records retained for dispute window after withdrawal | Art.7(1) | Records deleted on account termination |
EU-Hosted Infrastructure as a Consent Architecture Choice
The consent record is personal data. It must be processed with a lawful basis (typically legitimate interest — Art.6(1)(f) — for the controller's compliance obligation, or the consent itself for the CMP to provide its service). And it must not be transferred to third countries without a valid transfer mechanism.
When you deploy a SaaS product on EU-native infrastructure (Hetzner Cloud, Scaleway, OVH, or a platform like sota.io that runs on EU servers with EU-incorporated operations), your consent records inherit the EU-jurisdiction protection of the underlying infrastructure. There is no CLOUD Act exposure. There is no FISA 702 risk. The consent record stays in EU jurisdiction.
When you deploy on AWS, Azure, or GCP — even using their EU regions — your consent records are processed by US-incorporated parent entities subject to CLOUD Act jurisdiction. The EU-region location of the data centre does not change the corporate jurisdiction of the data controller. This is the same structural problem that makes CLOUD Act risk a GDPR concern for any personal data stored in US-cloud infrastructure.
For consent data specifically, the argument for EU-native infrastructure is unusually strong: you need the consent record to prove compliance, and you need that proof to be credible. A consent record that is itself subject to US government access has a structural credibility problem in EU DPA proceedings.
What the EDPB Has Said Most Recently
EDPB Guidelines 05/2020 on consent: The foundational document. Covers what freely given, specific, informed, and unambiguous mean in practice. Still the primary interpretive authority.
EDPB Guidelines 03/2022 on dark patterns: Prohibits the specific UI patterns described above. The annex contains worked examples with illustrations of compliant and non-compliant designs.
EDPB Opinion 05/2023 on cookie walls / pay-or-okay: Nuanced position on the pay-or-okay model. Valid only if the paid alternative price reflects genuine valuation and is not prohibitively priced.
EDPB Guidelines 02/2023 on technical scope of Art.5(3) ePrivacy: Clarifies that tracking pixels, fingerprinting, and localStorage are within scope of the ePrivacy Directive's consent requirement — not just HTTP cookies.
These documents are available at edpb.europa.eu and should be reviewed directly — they are the operative guidance that DPA auditors reference.
Conclusion
GDPR consent management in 2026 is a technical implementation problem with specific, measurable success criteria. Valid consent requires four conditions (freely given, specific, informed, unambiguous) met simultaneously. The interface must be symmetric (equally easy to accept and reject), dark-pattern-free (no confirmshaming, no pre-ticked boxes, no visual misdirection), and technically clean (no non-essential cookies before consent). The proof-of-consent record must be maintained with interface versioning, stored in EU-jurisdiction infrastructure, and preserved past account termination.
The developers who get this right are not just avoiding fines. They are building infrastructure that supports genuine user trust — which, in a market where GDPR-compliant EU-hosted products are a competitive differentiator, has direct business value.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.