EU data residency is a paid upgrade for half your SaaS stack

Most SaaS vendors put “GDPR-compliant” on a trust page and call it done. When you actually read the DPA and the subprocessor list, three things decide whether a tool is safe to put EU personal data into — and the trust badge tells you none of them. I went through ten SaaS tools that show up in almost every EU company’s stack (Salesforce, HubSpot, Atlassian, Intercom, Notion, Slack, Asana, monday.com, Zendesk, Calendly) and checked the same three questions for each. One pattern jumped out: EU data residency, the thing most buyers assume is table stakes, is gated behind a higher plan for half of them. One vendor gates the signed DPA itself behind a paid tier.

The three questions that actually decide it

When a DPO or a buyer vets a subprocessor, the marketing copy is noise. These three questions change the answer:

  1. Can my data stay at rest in the EU? Not “do they have an EU office” but whether you can provision your tenant so that personal data is stored at rest in an EU region. For some vendors this is a real toggle on the plan you are buying. For others it only exists on Enterprise.
  2. What’s the transfer mechanism when data leaves the EEA? Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (DPF), or both. After Schrems II this is the part legal asks about first, and “we self-certify to the DPF” and “we fall back to SCCs” are different risk profiles: the DPF rests on an adequacy decision that can be struck down the way Privacy Shield was in 2020, while SCCs survive that outcome but oblige you to do your own transfer impact assessment. A vendor that offers both gives you a fallback; a vendor that offers only one does not.
  3. Who signs the DPA, and on what plan? A self-serve DPA you accept in-product is a different thing from one that’s only offered to paid customers or negotiated per contract.

What I found across 10 common vendors

| Vendor | EU data residency | Transfer mechanism | DPA |
| --- | --- | --- | --- |
| Salesforce | Available (Hyperforce DE/FR) | DPF + SCCs | Self-serve |
| HubSpot | Available | DPF + SCCs | Self-serve |
| Atlassian | Available | DPF + SCCs | Self-serve |
| Intercom | Available | DPF + SCCs | Self-serve |
| Notion | Tier-gated | SCCs | Self-serve |
| Slack | Tier-gated | DPF + SCCs | Self-serve |
| Asana | Tier-gated | SCCs | Paid tier |
| monday.com | Tier-gated | SCCs | Self-serve |
| Zendesk | Tier-gated | DPF + SCCs | Self-serve |
| Calendly | None | DPF + SCCs | Self-serve |

The part that surprises buyers

Five of the ten only offer EU data residency on higher plans. You pick a tool on the Team plan, it clears procurement, and then you find out the “data stays in the EU” guarantee needed Enterprise the whole time. Asana goes one step further: on the lower tiers the DPA itself isn’t a self-serve click. Calendly is the honest edge case. There is no EU-at-rest option, so invitee names, emails, and meeting metadata transfer to the US under the DPF with SCCs as the fallback. That isn’t automatically disqualifying, but it’s a call you want to make on purpose and record on the data map, not discover in an audit.

The four with real EU residency (Salesforce, HubSpot, Atlassian, Intercom) still hang the transfer mechanism on the DPF + SCCs combination, so “EU region selected” doesn’t mean “nothing ever leaves the EEA” — support, telemetry, and sub-processors can still route data out. The residency toggle narrows the surface; it doesn’t close it.

A checklist you can reuse

Before a vendor goes on the data map:

  • Ask the residency question on the tier you’ll actually buy, not the one on the pricing page hero.
  • Get the transfer mechanism in writing (DPF, SCCs, or both) and note which one is the fallback.
  • Confirm the DPA is available on your plan and screenshot the terms with a date — DPAs get revised quietly.
  • Pull the current sub-processor list. The risk usually lives in the sub-processors, not the headline vendor.
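
The last two items of that checklist are where the quiet changes happen, so it helps to keep each vendor's DPA text and sub-processor list as dated snapshots and diff them on every review. The script below is an added example for this article, not code from the GDPR DPA Atlas or from any vendor. It assumes a simple `name | purpose | region` line format for the pasted sub-processor list and treats any region labelled `EU (...)` as inside the EEA; the two snapshots are constructed sample data, not a real vendor's list.

```python
"""Diff dated snapshots of a vendor's sub-processor list and fingerprint DPA text.

Added example for the article above; not code from the GDPR DPA Atlas or from any
vendor. The two snapshots are constructed sample data in a 'name | purpose | region'
form. In practice you paste in the list the vendor publishes on the day you review it.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Subprocessor:
    name: str
    purpose: str
    region: str

    def in_eea(self) -> bool:
        # Assumption for the sample data: regions are labelled "EU (...)" or "US".
        return self.region.startswith("EU")


def parse_subprocessors(text: str) -> dict[str, Subprocessor]:
    """Parse 'name | purpose | region' lines into a dict keyed by sub-processor name.

    Blank lines and '#' comments are ignored. A malformed line raises rather than
    silently dropping a sub-processor from the record.
    """
    subs: dict[str, Subprocessor] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"unparseable sub-processor line: {raw!r}")
        name, purpose, region = parts
        subs[name] = Subprocessor(name, purpose, region)
    return subs


def fingerprint(text: str) -> str:
    """SHA-256 of whitespace-normalised text: a reflowed page hashes the same,
    a changed clause does not. File the hex digest next to the capture date."""
    normalised = " ".join(text.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def diff_subprocessors(old: dict, new: dict) -> dict:
    """Who was added, who was removed, and whose hosting region moved."""
    shared = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "region_changed": sorted(n for n in shared if old[n].region != new[n].region),
    }


def outside_eea(subs: dict) -> list:
    """Sub-processors whose region is not in the EEA. Each one is a transfer that
    needs a mechanism (DPF or SCCs) named in the DPA."""
    return sorted(n for n, s in subs.items() if not s.in_eea())


# Constructed snapshots (not a real vendor's list).
SNAPSHOT_JAN = """
# captured 2024-01-15
ExampleCloud    | hosting              | EU (Frankfurt)
MailRelay Co    | transactional email  | US
SupportDesk Inc | support ticketing    | US
"""

SNAPSHOT_JUN = """
# captured 2024-06-20
ExampleCloud    | hosting              | EU (Frankfurt)
MailRelay Co    | transactional email  | EU (Dublin)
AnalyticsCorp   | product analytics    | US
"""


def review(old_text: str, new_text: str) -> dict:
    """One record per review: the diff, the transfers that exist today, and a
    fingerprint of each snapshot to file with its date."""
    old, new = parse_subprocessors(old_text), parse_subprocessors(new_text)
    return {
        "diff": diff_subprocessors(old, new),
        "outside_eea_now": outside_eea(new),
        "old_fingerprint": fingerprint(old_text),
        "new_fingerprint": fingerprint(new_text),
    }


if __name__ == "__main__":
    for key, value in review(SNAPSHOT_JAN, SNAPSHOT_JUN).items():
        print(f"{key}: {value}")
```

On the sample data the review reports one new US sub-processor (AnalyticsCorp), one removed (SupportDesk Inc), and one that moved into the EEA (MailRelay Co). The new entry is the one that should trigger a fresh look at the transfer mechanism; the fingerprints are what you keep alongside the screenshot so a later revision of the list or the DPA is provable rather than remembered.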

I keep the per-vendor details — residency specifics, sub-processor lists, the exact transfer language, each with a source and a last-verified date — in the GDPR DPA Atlas. It’s free and the individual vendor pages go deeper than the table above. These terms change. Verify against the vendor’s live DPA before you sign anything — treat this as a starting map, not a final answer.