Hosting Laravel in the EU: GDPR Compliance with Hetzner and Deploynix
If you serve European customers, GDPR is not optional. It is not a suggestion, a best practice, or something you can worry about later. Since May 2018, the General Data Protection Regulation has been the law across the European Economic Area, and the fines for non-compliance are not theoretical. Companies of every size have been penalized, and regulators are getting more aggressive, not less.
For Laravel developers, GDPR compliance starts with a fundamental question: where does your data physically live? The regulation does not prohibit transferring personal data outside the EU, but it imposes strict conditions on such transfers. The simplest path to compliance is keeping EU user data on EU soil, and that is exactly what Deploynix and Hetzner make possible.
This guide walks you through setting up a fully EU-resident Laravel infrastructure using Deploynix with Hetzner as your cloud provider, covering everything from server provisioning to backups to the operational practices that keep you compliant.
Why Data Residency Matters Under GDPR
GDPR's data transfer rules (Articles 44-49) restrict transferring personal data to countries outside the EEA unless specific safeguards are in place. For years, many companies relied on the EU-US Privacy Shield framework to justify transatlantic data transfers, but the Court of Justice of the European Union invalidated that framework in the Schrems II decision. While the EU-US Data Privacy Framework has since been established as a replacement, relying on adequacy decisions introduces regulatory risk. Frameworks can be challenged and invalidated.
Keeping data within the EU eliminates this entire category of risk. If personal data never leaves EU-based servers, you do not need to worry about transfer mechanisms, adequacy decisions, or supplementary measures. Your data residency story is simple and defensible.
This is especially important for applications in sensitive sectors like healthcare, fintech, legal services, and education, where data protection authorities scrutinize data handling practices more closely.
Why Hetzner for EU Hosting
Hetzner is a German cloud provider with data centers located exclusively in Germany and Finland, both within the EU. Unlike hyperscale providers that operate globally and require you to carefully select regions and verify that your data does not replicate elsewhere, Hetzner's entire infrastructure is European by design.
Hetzner's data centers are located in:
Nuremberg, Germany (multiple facilities)
Falkenstein, Germany (multiple facilities)
Helsinki, Finland
All of these locations are within the EEA, which means any server you provision on Hetzner through Deploynix is automatically EU-resident. There is no risk of your data being routed through a US data center for caching, failover, or load balancing because Hetzner does not have US data centers.
Beyond data residency, Hetzner offers practical advantages for GDPR compliance. As a German company, Hetzner is directly subject to EU data protection law and German federal data protection regulations, which are among the strictest in the world. They provide a Data Processing Agreement (Auftragsverarbeitungsvertrag) that meets GDPR Article 28 requirements, and their technical and organizational measures are documented and auditable.
From a performance and cost perspective, Hetzner is also exceptionally competitive. Their dedicated vCPU servers deliver excellent performance for Laravel applications at price points significantly below comparable offerings from US-based cloud providers. You do not have to pay a premium for EU compliance.
Setting Up EU-Only Infrastructure on Deploynix
Deploynix makes it straightforward to build a fully EU-resident infrastructure. Here is how to set up a complete Laravel production environment using only Hetzner servers.
Step 1: Connect Hetzner as Your Cloud Provider
In your Deploynix organization settings, add Hetzner as a cloud provider by providing your Hetzner API token. Deploynix will use this token to provision and manage servers on your behalf within your Hetzner account.
You retain full ownership and control of your Hetzner account. Deploynix manages the servers through the API, but the servers, the data on them, and the Hetzner account itself belong to you. If you ever stop using Deploynix, your servers continue running exactly as they are.
Step 2: Provision Your Server Infrastructure
For a GDPR-compliant Laravel production environment, we recommend the following server setup, all provisioned on Hetzner through Deploynix:
App Server: Your primary application server running your Laravel application. Choose FrankenPHP, Swoole, or RoadRunner as your Octane driver for optimal performance. Deploynix configures Nginx, PHP, and your Octane driver automatically.
Database Server: A dedicated server running MySQL, MariaDB, or PostgreSQL. Running your database on a separate server is both a performance best practice and a compliance advantage: it isolates personal data on a single server to which you can apply additional access controls.
Cache Server: A dedicated Valkey server for caching, sessions, and queue management. If you store any personal data in your cache or sessions, this server is also within your EU-resident infrastructure.
Worker Server: A dedicated server for processing queue jobs. Jobs that handle personal data, such as sending emails, generating reports, or processing user exports, execute on EU-resident infrastructure.
When provisioning each server, select a Hetzner datacenter location. Whether you choose Nuremberg, Falkenstein, or Helsinki depends on your latency requirements and preferences, but all options are EU-resident.
Step 3: Configure Firewall Rules
GDPR requires appropriate technical measures to protect personal data (Article 32). Deploynix's firewall management lets you configure strict access rules for each server.
At minimum, configure the following:
Your database server should only accept connections from your app server and worker server IP addresses. Block all other inbound traffic on the database port.
Your cache server should similarly restrict connections to only your app and worker servers.
SSH access should be limited to your team's IP addresses, or provided exclusively through the Deploynix web terminal.
Your app server should only expose ports 80 and 443 to the public internet.
These firewall rules are configured directly in the Deploynix dashboard and applied at the server level. Document these measures as part of your GDPR Article 32 technical safeguards.
Step 4: Configure EU-Only Backups
Database backups must also remain within the EU to maintain your data residency posture. Deploynix supports several backup storage providers; for EU compliance, you have the following options:
Hetzner Storage Boxes: Hetzner offers storage boxes that are physically located in their EU data centers. These are ideal for keeping backups within the same provider and the same jurisdiction as your servers.
AWS S3 with EU Region: If you prefer S3, create your backup bucket in an EU region such as eu-central-1 (Frankfurt) or eu-west-1 (Ireland). Configure the bucket with no cross-region replication to ensure data stays in the selected region.
Wasabi EU: Wasabi offers EU storage locations including Amsterdam and Frankfurt. Their S3-compatible API works seamlessly with Deploynix's backup system.
Configure your backup schedule in Deploynix to run daily database backups. We recommend retaining daily backups for at least 30 days and weekly backups for a year, but adjust based on your data retention policy and legal requirements.
Enable encryption for backups. Deploynix encrypts backup data, and you should also enable server-side encryption on your storage bucket so that backups are encrypted at rest.
Step 5: SSL Certificate Configuration
TLS encryption (still commonly called SSL) for data in transit is a baseline GDPR requirement. Deploynix automatically provisions Let's Encrypt certificates for your sites with zero configuration needed.
For DNS validation, which is required for wildcard certificates, Deploynix integrates with Cloudflare, DigitalOcean DNS, AWS Route 53, and Vultr DNS. If you are using Cloudflare for DNS management (common even when hosting on Hetzner), the DNS management layer does not affect data residency because DNS records are metadata about where to route traffic, not personal data.
Your application traffic flows directly from the user's browser to your Hetzner server over HTTPS. It does not pass through Cloudflare unless you have enabled Cloudflare's proxy mode. If you want to ensure traffic does not pass through non-EU infrastructure, use Cloudflare in DNS-only mode (grey cloud) rather than proxied mode (orange cloud).
Operational Practices for GDPR Compliance
Infrastructure is only one piece of the GDPR puzzle. Your operational practices matter equally.
Access Control
Deploynix's organization roles (Owner, Admin, Manager, Developer, Viewer) let you implement the principle of least privilege for server access. Not everyone on your team needs access to the database server or the ability to trigger deployments.
Developers can view server details and deployment logs but cannot modify server configurations or access the production database.
Managers can trigger deployments and view more detailed server information.
Admins have broader access but can be restricted from billing and organization-level settings.
Owners have full access to everything.
Map these roles to your team structure so that only team members who need access to personal data for their job function actually have it.
Logging and Audit Trails
GDPR requires that you can demonstrate compliance (the accountability principle, Article 5(2)). Deploynix maintains logs of all server management actions: who deployed what, when servers were provisioned or modified, when firewall rules were changed, and when backups were created or restored.
These audit logs serve double duty. They help you maintain operational awareness and provide evidence of your security practices if a data protection authority ever asks.
Incident Response
Article 33 of GDPR requires notifying the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. Deploynix's health alerts and monitoring give you early warning of potential security incidents, including unauthorized access attempts, unusual server behavior, and service disruptions.
Configure your health alerts to notify your team immediately via the fastest channel available. When an alert fires, you need to assess quickly whether personal data may have been compromised and start your 72-hour breach notification clock if necessary.
Data Processing Agreement
As a tool that manages your servers, Deploynix acts as a data processor in certain contexts. We provide a Data Processing Agreement that meets GDPR Article 28 requirements. Make sure you also have a DPA in place with Hetzner and any other sub-processors in your stack (email providers, payment processors, analytics services).
Maintain a list of all sub-processors that handle personal data from your application. GDPR requires that you can identify every entity involved in processing personal data on your behalf.
Common Pitfalls to Avoid
Do not assume EU servers mean full compliance. Data residency is necessary but not sufficient. You still need lawful bases for processing, privacy notices, data subject rights mechanisms, and proper consent management in your application code.
Do not forget about logs. Application logs, error tracking services, and monitoring tools often capture personal data (IP addresses, email addresses, user IDs). If you send logs to a service hosted outside the EU, you have a data transfer. Either choose EU-hosted logging services or anonymize personal data before shipping logs.
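As an added example of the "anonymize before shipping" advice (not Deploynix's or Laravel's own code): a Laravel Monolog processor that pseudonymises e-mail addresses with a keyed hash, truncates IPv4 addresses to their /24, and redacts named context keys before any log handler or external log shipper sees the record. It assumes Laravel 10+ with Monolog 3 and is registered through a channel's 'tap' key in config/logging.php, e.g. 'daily' => ['driver' => 'daily', 'tap' => [App\Logging\RedactPersonalData::class], ...]; the class name, regex patterns, key list and 'pd:' prefix are assumptions, and IPv6 addresses are not covered.

```php
<?php
// app/Logging/RedactPersonalData.php: added example, not Deploynix's or Laravel's own code (Laravel 10+, Monolog 3).
namespace App\Logging;

use Illuminate\Log\Logger;
use Monolog\LogRecord;

class RedactPersonalData
{
    private const EMAIL = '/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/';
    private const IPV4  = '/\b((?:\d{1,3}\.){3})\d{1,3}\b/';
    // Context keys whose values are personal data whatever their shape (assumed list).
    private const SENSITIVE_KEYS = ['email', 'ip', 'user_id', 'name', 'phone'];

    public function __invoke(Logger $logger): void
    {
        // Illuminate\Log\Logger forwards pushProcessor() to the underlying Monolog logger.
        $logger->pushProcessor(fn (LogRecord $record): LogRecord => $record->with(
            message: $this->scrub($record->message),
            context: $this->scrubArray($record->context),
        ));
    }
    // Free text: pseudonymise e-mail addresses, truncate IPv4 addresses to their /24.
    public function scrub(string $text): string
    {
        $text = preg_replace_callback(self::EMAIL, fn ($m) => $this->pseudonym($m[0]), $text);
        return preg_replace(self::IPV4, '${1}0', $text);
    }

    // Structured context: redact known keys outright, scrub every remaining string, recurse into arrays.
    public function scrubArray(array $data): array
    {
        foreach ($data as $key => $value) {
            if (is_string($key) && in_array(strtolower($key), self::SENSITIVE_KEYS, true)) {
                $data[$key] = is_string($value) ? $this->pseudonym($value) : '[redacted]';
            } elseif (is_array($value)) {
                $data[$key] = $this->scrubArray($value);
            } elseif (is_string($value)) {
                $data[$key] = $this->scrub($value);
            }
        }
        return $data;
    }
    // Keyed hash: the same user still correlates across log lines, but the identifier itself
    // never appears in the log, and APP_KEY never leaves your EU server.
    private function pseudonym(string $value): string
    {
        return 'pd:' . substr(hash_hmac('sha256', $value, (string) config('app.key')), 0, 12);
    }
}
```

With this in place, a line such as "Login failed for alice@example.com from 203.0.113.42" is written as "Login failed for pd:<12 hex chars> from 203.0.113.0", so a log service outside the EU receives no directly identifying data.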
Do not overlook third-party services. Your servers may be in the EU, but if your application calls APIs hosted in the US (analytics, email delivery, payment processing), personal data may still leave the EU during those API calls. Audit every external service your application communicates with.
Do not ignore email delivery. If your Laravel application sends emails containing personal data, the email delivery service is processing that data. Choose an email provider that offers EU-based infrastructure or has appropriate data transfer safeguards in place.
The Deploynix Advantage
Building a GDPR-compliant infrastructure manually is possible but tedious and error-prone. Deploynix streamlines the process by letting you provision, configure, and manage EU-only infrastructure through a single dashboard. Hetzner integration is first-class, firewall rules are straightforward to configure, backups can be directed to EU-only storage, and SSL is automatic.
More importantly, Deploynix gives you the operational tools, such as monitoring, health alerts, access controls, and audit logs, that support ongoing compliance. GDPR is not a one-time checkbox. It is a continuous obligation, and having the right tooling makes that obligation manageable.
Your European users trust you with their data. Deploynix and Hetzner make it possible to honor that trust with infrastructure that is European from the ground up.