Q: GDPR issues
According to your website, HeySummit is not fully GDPR compliant. Primarily because you store personal data on AWS servers located in the U.S., which is considered a third country under the GDPR and does not provide an equivalent level of data protection as the EU. Although technical safeguards like encryption/access controls may be in place, users cannot independently configure or verify these measures, and there's always a residual risk of unauthorized access by US authorities. The most urgent adjustments needed from HeySummit would be to offer EU-based data storage options, increase transparency about data processing and security practices, and provide customers with more granular control over data protection measures (encryption, access restrictions, audit logging). Could you please clarify if you plan to implement this, and when?
Ben_HeySummit
Jul 5, 2025
A: Hi @C.E,
Thanks so much for raising this - really appreciate you taking the time to dig into our documentation and share your concerns.
You’re absolutely right that storing personal data in the US is considered a third-country transfer under GDPR. However, we want to reassure you that this setup is fully lawful under GDPR when the right safeguards are in place - and we’ve taken clear steps to ensure that’s the case.
Specifically:
- We host on Amazon Web Services (AWS) in their North Virginia (US) region, which is certified under the EU-US Data Privacy Framework (DPF).
- We’ve also put in place Standard Contractual Clauses (SCCs) and supplementary measures including data encryption in transit and at rest, access controls, and audit logging.
- These safeguards are referenced throughout our Terms, Privacy Policy, and our new Data Processing Agreement (DPA) - which is available here for download or signing at https://heysummit.com/legal/data-processing-agreement.
That said, we completely understand the desire for more regional control over data - and we agree it’s important. We’re currently evaluating a potential move to a more performant database provider. If and when that happens, we’ll also be reviewing whether we can shift to UK or EU-based hosting, as long as it doesn’t compromise the performance and latency of our infrastructure. While we can’t guarantee timelines just yet, this is our goal in the medium to long term if viable.
Thanks again for reaching out and holding us to a high standard :)
All the best,
Ben
Thanks Ben,
I appreciate you taking my concerns seriously and sharing these details. Honestly the best GDPR-related answer here, kudos for that! While the current safeguards and DPF help ensure GDPR compliance, there are still legal uncertainties — both around the DPF and the UK’s adequacy status beyond December 2025. Hosting in the EU would offer more long-term stability. Thanks for considering!
Thanks, C.E - very much appreciate the follow-up and kind words. Totally agree, long term EU hosting would be preferable - if it does happen, it needs to be carefully coordinated with a wider shift in our infrastructure strategy and rollout.
Thanks again for the question.
Is it possible for you to stay with AWS, but move your database to their Frankfurt setup?
Possibly, but given the considerable size of our database, it's not something we can do on a whim. It will require considerable planning, testing and thought before we embark on a move like that. Something we need to give more thought to.