
EU data sovereignty, the hard way

By Mikael

Descodify ends up holding a lot about you. Your invoices. Your expenses. Your NIF and your client list. Your income, month by month, and eventually your whole IRS filing. If I'm going to ask for all of that, the smallest thing I owe you back is a straight answer to one question: where does it live, and who can reach it?

For most software built today, the honest answer is uncomfortable. The default stack for a small business app sends a lot of its data through American companies. Analytics to Google. Error reports to a service in San Francisco. Payments, email, sign-in, and almost always the servers themselves. Most of it sits under US jurisdiction, which means a US court order can reach it no matter which country the hardware is in. None of this is illegal, and most founders never think about it.

But Descodify exists to keep your fiscal life in order under European rules. Building that on infrastructure a US court can subpoena felt like selling someone a lock and keeping a copy of the key. The analytics part bothered me more than the rest: a product I want people to trust with their tax data, quietly handing every click to an advertising company. That isn't a privacy product. It's a privacy brochure.

So I built it differently, and it comes down to two rules. Keep the data that matters under European law. And keep the number of outside companies that touch it as small as possible. The two are the same instinct: every extra company in the chain is one more place your data can sit, one more jurisdiction to check, one more business whose incentives might not line up with yours.

Take the first rule, and start with the servers, because that's where most European claims quietly fall apart. The common version of "European" in this industry is to take AWS, Google Cloud, or Azure, switch the region to Frankfurt, and call it done. The servers really are in Germany. But the company running them is American, and American law can compel an American company to hand over data it controls, wherever the disk happens to sit. An EU region of a US cloud moves the hardware, not the reach of the subpoena.

So Descodify doesn't run on any of the big clouds. No AWS, no Google Cloud, no Azure. The database, the documents you upload, and the backups all live on a German hosting company, under German and European law, and that's the whole sentence. There's no American parent further up the chain who can be ordered to reach in. That choice is unusual enough that it confuses other developers when it comes up, and it's the one that makes everything else real instead of decorative.

The reasoning isn't really about politics. If you're a freelancer in Portugal, your data protection rights come from European law, and the reason GDPR has any teeth is that the data and the company holding it sit somewhere a European regulator can actually reach. For most apps the jurisdiction question is a risk nobody will ever notice. For an app that holds your income and your invoices, I'd rather it not be my customers' problem at all.

The same rule runs through the rest of the stack. Email goes through a European provider. Sign-in doesn't have to route through Google. The analytics are self-hosted, next to everything else, instead of Google Analytics. The AI that reads your receipts and answers your questions runs on a French model, Mistral, instead of an American one. I'll go through each of those in its own post.

The second rule is about not adding outside companies in the first place. The easy way to build a product today is to assemble it from other people's services: one for analytics, one for error tracking, one for email, one for every feature you don't feel like writing yourself. It's fast, and each one is another account, another data processor, another company you're quietly asking your users to trust without telling them. So my default is the opposite. Before I add a third party, I ask whether I actually need it, and most of the time a smaller version I run myself is good enough. I built my own error tracking instead of sending every crash to a US service. The analytics run on my own servers instead of Google's. A handful of things a normal app just pays a monthly fee for, I run in-house, on the same European servers as the rest. I only reach for an outside company when there's no reasonable way to do it myself, and when I do, I try to pick the European one.

Which brings me to the honest part, because a privacy product that rounds up to "we use nothing American" is lying, and you'd be right not to trust it.

A few outside dependencies were necessary enough to keep, and some of those are still American. The site sits behind Cloudflare for speed and protection against attacks. You can sign in with Google if you prefer it, because a lot of people do. Push notifications go through Apple and Google, because on a phone there's no other path. Some of those have a plan to move, others don't yet, and I'd rather say so than pretend.

I want to be clear about something, because it's easy to misread. I'm not avoiding American tools because I think American companies are bad. Most of them are excellent, often the best in their category, and on raw capability the US is still ahead of Europe in a lot of areas. I'd genuinely rather use the best tool for the job. The problem isn't the company, it's the law standing behind it. Rules like the US CLOUD Act let American authorities compel an American company to hand over data it holds, anywhere in the world, and US surveillance law leaves Europeans with almost no recourse. The agreement that's meant to make EU-to-US data transfers safe has been written, struck down by Europe's highest court, rewritten, and struck down again, and the version standing today still leans heavily in one direction. For ordinary data, depending on it is a fine bet. For someone's tax records, I'd rather not build on an agreement that keeps getting torn up.

The good news is I don't have to. Europe finally has options that are genuinely good, not just good enough to tick a box. A German host I'd actually recommend. A French AI model that holds its own against the big American ones. A Dutch payment provider. I think those deserve to be backed, and building on them is the most direct way I know to do it.

None of this is the easy way to build, and it's worth being specific about what the hard part actually is. On AWS or Google Cloud, a lot of genuinely difficult problems are a checkbox. Scaling up when traffic spikes is close to automatic there; on your own servers it's capacity you plan for and keep an eye on. Redundancy, running across more than one machine so a single failure doesn't take the site down, is a setting on a hyperscaler and a real project to build yourself. Backups in more than one region work the same way: the big clouds copy your data across the continent for you, and on plain servers you set it up and test it yourself. None of it is unsolvable. It's just work, and it's exactly the work the easy path hides from you. Doing the rest of the stack in-house instead of renting it piles on more of the same.
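The "set it up and test it yourself" part of multi-location backups is the piece that bites people who leave a hyperscaler, so here is a worked example of what that test looks like. This is an added illustration, not Descodify's code: it assumes a SQLite database (the post never says which database it uses), models the second location as a second directory, and uses constructed sample rows. The shape is the point: snapshot, checksum, copy elsewhere, then actually restore the copy and compare, and confirm that a damaged copy fails the check rather than silently passing.

```python
"""Added example (not Descodify's code): back up a SQLite database, copy the
archive to a second location, and prove the copy restores.

Assumptions (mine, not the post's): the app database is SQLite, the "second
region" is modelled as a second directory, and the sample rows are constructed.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile


def make_sample_db(path: str) -> int:
    """Create a constructed invoices table and return the row count."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, client TEXT, amount_cents INTEGER)")
    rows = [("Client A", 12000), ("Client B", 45050), ("Client C", 9900)]  # constructed data
    con.executemany("INSERT INTO invoices (client, amount_cents) VALUES (?, ?)", rows)
    con.commit()
    con.close()
    return len(rows)


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_db(db_path: str, dest_path: str) -> str:
    """Take a consistent snapshot with SQLite's online backup API; return its checksum."""
    src = sqlite3.connect(db_path)
    dst = sqlite3.connect(dest_path)
    with dst:
        src.backup(dst)  # consistent even while the app still has the DB open
    dst.close()
    src.close()
    return sha256_of(dest_path)


def replicate(backup_path: str, remote_dir: str) -> str:
    """Copy the backup to the second location (a directory here) and return the copy's path."""
    os.makedirs(remote_dir, exist_ok=True)
    copy_path = os.path.join(remote_dir, os.path.basename(backup_path))
    shutil.copy2(backup_path, copy_path)
    return copy_path


def verify_restore(copy_path: str, expected_checksum: str, expected_rows: int) -> bool:
    """Restore the copy into scratch space and check both the bytes and the contents."""
    if sha256_of(copy_path) != expected_checksum:
        return False  # bytes changed in transit or at rest
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, "restored.db")
        shutil.copy2(copy_path, restored)
        con = sqlite3.connect(restored)
        try:
            if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                return False
            count = con.execute("SELECT COUNT(*) FROM invoices").fetchone()[0]
        finally:
            con.close()
    return count == expected_rows


def run_backup_cycle() -> dict:
    """Full cycle in temp dirs: create, back up, replicate, verify; then prove a damaged copy fails."""
    with tempfile.TemporaryDirectory() as primary, tempfile.TemporaryDirectory() as secondary:
        db_path = os.path.join(primary, "app.db")
        rows = make_sample_db(db_path)
        backup_path = os.path.join(primary, "app-backup.db")
        checksum = backup_db(db_path, backup_path)
        copy_path = replicate(backup_path, secondary)
        ok = verify_restore(copy_path, checksum, rows)
        # Simulate bit rot on the remote copy: flip one byte past the 100-byte SQLite header.
        with open(copy_path, "r+b") as f:
            f.seek(100)
            b = f.read(1)
            f.seek(100)
            f.write(bytes([b[0] ^ 0xFF]))
        corrupted_ok = verify_restore(copy_path, checksum, rows)
    return {"rows": rows, "verified": ok, "corrupted_detected": not corrupted_ok}


if __name__ == "__main__":
    print(run_backup_cycle())
```

The restore step is the one most people skip: a checksum proves the file arrived intact, but only opening the copy and counting rows proves it is a backup you could actually come back from. On a real host you would run this on a schedule against the off-site copy and alert when it returns anything but a clean result.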

But it adds up to something I didn't fully expect: a product that runs mostly on tools it owns instead of tools it rents. That turned out to be a whole story on its own, and it's the one I want to tell next.

So that's the bet. Keep the data that matters on European servers under European law, and keep the number of companies touching it as small as I can. Be honest about the parts that aren't there yet. And where there's a good European option, back it, because the only way that ecosystem gets better is if people building real things actually use it.

The next posts go through the real choices, one at a time: the host, the payment provider, the analytics, the error tracking, and what each one cost next to the obvious American default. If you're building something in Europe and weighing the same trade-offs, the specifics will be more useful than the manifesto.

If you want the formal version of all this, the privacy policy, the security page, and the GDPR page lay out exactly what we collect, where it lives, how it's encrypted, and the rights you have over it.
