GDPR-compliant hosting
Hosting setup that meets EU GDPR requirements — usually through an EU location, a vetted provider, a Data Processing Agreement and avoidance of US third-country transfers.
GDPR-compliant hosting is not a certification but a bundle of setup choices:
(1) server location inside the EU or EEA, or alternatively a third country with an adequacy decision or with additional standard contractual clauses;
(2) a Data Processing Agreement (DPA / AVV) under Art. 28 GDPR between you and the provider;
(3) documented technical and organisational measures (TOMs): encryption at rest and in transit, access control, backup strategy, deletion policy;
(4) avoidance of opaque sub-processors outside the EU (critical after Schrems II for US subsidiaries like AWS, Google Cloud, Microsoft Azure, even when the chosen data centre sits in Frankfurt).
Providers with a clear GDPR profile in the German market: netcup (Nuremberg + Vienna, DPA included), Hetzner (Falkenstein/Nuremberg/Helsinki, DPA), Cloud86 (Netherlands), IONOS (Karlsruhe), 1blu (Berlin), STRATO.
Also known as
GDPR hosting, EU-compliant hosting
Updated: 16.05.2026