EU Hosting & Subprocessors

Every byte CookieSentry processes — your account, your scans, your customers' cookie inventory — stays inside the European Union.

Last updated: April 13, 2026

Primary region

All application traffic is served from EU data centers in Lithuania (Vilnius) and Germany (Frankfurt).

Data residency

Customer database (Neon) and asset CDN (Bunny) are pinned to Frankfurt. Job queue and application servers live in Vilnius.

No US transfers by default

Personal data is never written to a non-EU region. The only US-touching surface is Cloudflare's anti-bot challenge token, which carries no PII.

GDPR + ePrivacy aligned

Subprocessor list, hosting locations, and data flows are documented for your DPIA / RoPA. AVV / DPA available on request.

The complete list of third parties that process data on behalf of CookieSentry, in line with Art. 28 GDPR. We notify customers of any change to this list before it takes effect.

Neon

— Primary database (Postgres)

Location: Frankfurt, Germany (EU)
Data processed: Account data, websites, scan results, cookie inventory
Legal basis: Art. 28 GDPR — Data Processing Agreement

Hostinger

— Redis cache & job queue

Location: Vilnius, Lithuania (EU)
Data processed: Rate-limit counters, scan job state, ephemeral session data
Legal basis: Art. 28 GDPR — Data Processing Agreement

Hostinger VPS

— Application server, scanner workers, transactional email (SMTP)

Location: Vilnius, Lithuania (EU)
Data processed: All request handling, headless browser scans, outbound email
Legal basis: Art. 28 GDPR — Data Processing Agreement

Bunny CDN

— Static assets & uploaded logo storage

Location: Frankfurt, Germany (EU)
Data processed: Public assets, customer-uploaded report logos
Legal basis: Art. 28 GDPR — Data Processing Agreement

Stripe Payments Europe Ltd.

— Subscription billing & invoicing

Location: Dublin, Ireland (EU)
Data processed: Billing email, payment method, VAT ID, invoice records
Legal basis: Art. 28 GDPR + EU SCCs for any onward US transfer

ScrapingBee

— Overflow scanner (used only when EU VPS pool is saturated)

Location: Paris, France (EU)
Data processed: Target URL only — no customer or visitor PII
Legal basis: Art. 28 GDPR — Data Processing Agreement

Cloudflare Turnstile

— Anti-bot challenge for the free scan form

Location: Global edge (challenge tokens only — no PII transferred)
Data processed: Opaque challenge token; no personal data leaves the browser
Legal basis: Art. 6(1)(f) GDPR — legitimate interest (abuse prevention)

1. Request enters in LithuaniaYou hit the API on the Vilnius VPS over TLS 1.3.
2. Job queued in VilniusThe scan is enqueued in Hostinger Redis (Lithuania).
3. Headless scan from EUA scanner worker on the Vilnius VPS pool drives a headless browser against the target site. ScrapingBee (France) is only used as overflow.
4. Result persisted in FrankfurtFindings are written to Neon Postgres (Frankfurt). Cookie values are salted + hashed before storage.
5. Reports & assets served from FrankfurtPDF reports render in your browser from data fetched in Frankfurt; report logos are served from Bunny CDN (Frankfurt edge).

Post-Schrems II, transferring personal data to the United States triggers a Transfer Impact Assessment and reliance on the EU-US Data Privacy Framework — which is itself under legal challenge.

CookieSentry sidesteps the entire problem: there are no transfers to assess because there are no transfers. Your DPO gets a one-line answer for the hosting row of your RoPA, and your legal team doesn't need to draft new SCCs.

We're happy to sign a Data Processing Agreement (Auftragsverarbeitungsvertrag) before you onboard. Email us with your legal entity name and we'll send a countersign-ready PDF.

Email: info@cookiesentry.com

EU Hosting & Subprocessors

Every byte CookieSentry processes — your account, your scans, your customers' cookie inventory — stays inside the European Union.

Last updated: April 13, 2026

Primary region

All application traffic is served from EU data centers in Lithuania (Vilnius) and Germany (Frankfurt).

Data residency

Customer database (Neon) and asset CDN (Bunny) are pinned to Frankfurt. Job queue and application servers live in Vilnius.

No US transfers by default

Personal data is never written to a non-EU region. The only US-touching surface is Cloudflare's anti-bot challenge token, which carries no PII.

GDPR + ePrivacy aligned

Subprocessor list, hosting locations, and data flows are documented for your DPIA / RoPA. AVV / DPA available on request.

The complete list of third parties that process data on behalf of CookieSentry, in line with Art. 28 GDPR. We notify customers of any change to this list before it takes effect.

Neon

— Primary database (Postgres)

Location: Frankfurt, Germany (EU)
Data processed: Account data, websites, scan results, cookie inventory
Legal basis: Art. 28 GDPR — Data Processing Agreement

Hostinger

— Redis cache & job queue

Location: Vilnius, Lithuania (EU)
Data processed: Rate-limit counters, scan job state, ephemeral session data
Legal basis: Art. 28 GDPR — Data Processing Agreement

Hostinger VPS

— Application server, scanner workers, transactional email (SMTP)

Location: Vilnius, Lithuania (EU)
Data processed: All request handling, headless browser scans, outbound email
Legal basis: Art. 28 GDPR — Data Processing Agreement

Bunny CDN

— Static assets & uploaded logo storage

Location: Frankfurt, Germany (EU)
Data processed: Public assets, customer-uploaded report logos
Legal basis: Art. 28 GDPR — Data Processing Agreement

Stripe Payments Europe Ltd.

— Subscription billing & invoicing

Location: Dublin, Ireland (EU)
Data processed: Billing email, payment method, VAT ID, invoice records
Legal basis: Art. 28 GDPR + EU SCCs for any onward US transfer

ScrapingBee

— Overflow scanner (used only when EU VPS pool is saturated)

Location: Paris, France (EU)
Data processed: Target URL only — no customer or visitor PII
Legal basis: Art. 28 GDPR — Data Processing Agreement

Cloudflare Turnstile

— Anti-bot challenge for the free scan form

Location: Global edge (challenge tokens only — no PII transferred)
Data processed: Opaque challenge token; no personal data leaves the browser
Legal basis: Art. 6(1)(f) GDPR — legitimate interest (abuse prevention)

1. Request enters in LithuaniaYou hit the API on the Vilnius VPS over TLS 1.3.
2. Job queued in VilniusThe scan is enqueued in Hostinger Redis (Lithuania).
3. Headless scan from EUA scanner worker on the Vilnius VPS pool drives a headless browser against the target site. ScrapingBee (France) is only used as overflow.
4. Result persisted in FrankfurtFindings are written to Neon Postgres (Frankfurt). Cookie values are salted + hashed before storage.
5. Reports & assets served from FrankfurtPDF reports render in your browser from data fetched in Frankfurt; report logos are served from Bunny CDN (Frankfurt edge).

Post-Schrems II, transferring personal data to the United States triggers a Transfer Impact Assessment and reliance on the EU-US Data Privacy Framework — which is itself under legal challenge.

We're happy to sign a Data Processing Agreement (Auftragsverarbeitungsvertrag) before you onboard. Email us with your legal entity name and we'll send a countersign-ready PDF.

Email: info@cookiesentry.com

Cookiesentry

EU Hosting & Subprocessors

At a glance

Primary region

Data residency

No US transfers by default

GDPR + ePrivacy aligned

Subprocessors

Neon

Hostinger

Hostinger VPS

Bunny CDN

Stripe Payments Europe Ltd.

ScrapingBee

Cloudflare Turnstile

How a scan flows through the EU

Why EU-only matters

Need an AVV / DPA?

Cookiesentry

EU Hosting & Subprocessors

At a glance

Primary region

Data residency

No US transfers by default

GDPR + ePrivacy aligned

Subprocessors

Neon

Hostinger

Hostinger VPS

Bunny CDN

Stripe Payments Europe Ltd.

ScrapingBee

Cloudflare Turnstile

How a scan flows through the EU

Why EU-only matters

Need an AVV / DPA?