by james_impliu 1352 days ago
(Founder)

To be blunt, we cannot guarantee not sharing data in the scenario that the US government forces us to transfer data to them from our EU Cloud. We have self hosting for those who want 100% certainty of GDPR compliance, as then we require no access to the instance.

The case law[0] as it stands today makes it impossible for US companies to fully comply in practice if providing cloud software like this - in order to comply with a request from a US agency to transfer data out of the EU, a US company would need to breach its obligations under GDPR today (and vice versa). However, recent changes[1] in the US may (or may not) enable legitimate transfers from the EU to US, but a ruling from the European Commission on this isn't expected until 2023. For this reason, we've launched PostHog Cloud EU on AWS in Frankfurt for now (we've had many customers asking for this) as a first step. From here, we can iterate depending on the above or by changing our legal structure if we wind up with a ton of adoption and want to improve this offering.

We'll issue a few clarifications to the page and docs to help explain the above properly, as I think we should make the above points more clearly on our website. We didn't expect this to appear on HN front page so fast!

[0] https://noyb.eu/en/project/eu-us-transfers
[1] https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-e...


Has your counsel reviewed the GDPR surety claims of PostHog? The way it is described here suggests existing in a grey area, being US run and running on US owned servers. Even with a self host option, which is noble, I'm worried by the statement "We have self hosting for those who want 100% certainty of GDPR compliance", which to me suggests it isn't clear yet whether the hosted product is GDPR compliant.
Not surprised to see this unanswered.
So you're saying you can't offer GDPR compliance because as long as US law isn't adjusted to restore the Privacy Shield guarantees, no US company can offer GDPR compliance, but you're providing best effort privacy guarantees and can offer GDPR compliance via self-hosting?

You should definitely adjust your messaging then because your announcement makes a big deal about your EU offering being GDPR compliant which it thus can't be. There's no such thing as "almost GDPR compliant". That's like "almost not getting fined". The customers asking you for hosting your service on AWS in Frankfurt were clearly misinformed if they did so because they thought it would provide them with GDPR compliance and it seems shady that you went along with it instead of informing them that only self-hosting with a non-US (and non-subsidiary) company can make them compliant.

I'm not a legal expert but this sounds like you're almost engaging in false advertising if you claim PostHog Cloud EU to be GDPR compliant.