Hosted in Europe on AWS, which is a US company bound by the Patriot Act. PostHog seems to be based in NY, US, so the feds wouldn't even have to go through AWS to access the data; they could simply coerce PostHog directly, as they can with US-hosted data.
To be blunt, we cannot guarantee not sharing data in the scenario that the US government forces us to transfer data to them from our EU Cloud. We have self hosting for those who want 100% certainty of GDPR compliance, as then we require no access to the instance.
The case law[0] as it stands today makes it impossible for US companies to fully comply in practice if providing cloud software like this - in order to comply with a request from a US agency to transfer data out of the EU, a US company would need to breach its obligations under GDPR today (and vice versa). However, recent changes[1] in the US may (or may not) enable legitimate transfers from the EU to US, but a ruling from the European Commission on this isn't expected until 2023.
For this reason, we've launched PostHog Cloud EU on AWS in Frankfurt for now (we've had many customers asking for this) as a first step. From here, we can iterate depending on the above or by changing our legal structure if we wind up with a ton of adoption and want to improve this offering.
We'll issue a few clarifications to the page and docs to help explain the above properly, as I think we should make the above points more clearly on our website. We didn't expect this to appear on HN front page so fast!
Has your counsel reviewed the GDPR surety claims of PostHog? The way it is described here suggests existing in a grey area, being US-run and running on US-owned servers. Even with a self-host option, which is noble, I'm worried by the statement "We have self hosting for those who want 100% certainty of GDPR compliance", which to me suggests it isn't clear yet whether the hosted product is GDPR compliant.
So you're saying you can't offer GDPR compliance because as long as US law isn't adjusted to restore the Privacy Shield guarantees, no US company can offer GDPR compliance, but you're providing best effort privacy guarantees and can offer GDPR compliance via self-hosting?
You should definitely adjust your messaging then because your announcement makes a big deal about your EU offering being GDPR compliant which it thus can't be. There's no such thing as "almost GDPR compliant". That's like "almost not getting fined". The customers asking you for hosting your service on AWS in Frankfurt were clearly misinformed if they did so because they thought it would provide them with GDPR compliance and it seems shady that you went along with it instead of informing them that only self-hosting with a non-US (and non-subsidiary) company can make them compliant.
I'm not a legal expert but this sounds like you're almost engaging in false advertising if you claim PostHog Cloud EU to be GDPR compliant.
Microsoft Azure representatives say every time “data is hosted in Europe this is fine”, while it is obviously not. They get upset and dismissive if you insist.
I know some companies fall for these lies, or decide to break the law a little bit because it’s convenient.
This feels redundant given that the current interpretation of EU privacy laws is that US companies cannot be used under GDPR compliance, because the EU-US Privacy Shield agreement has been killed by US courts ruling that federal agencies are allowed to access data stored on overseas servers. This also extends to EU subsidiaries of US companies, but it seems that PostHog doesn't even try to make that distinction.
If your first thought is that this would render EU companies unable to use common cloud providers like AWS, Google Cloud or Azure, you're not wrong, although most EU companies are likely unaware of this as it's the outcome of a recent court case and not entirely settled.
As an EU resident I would advise EU companies to avoid all US service providers and their subsidiaries where possible, regardless of where their servers are located, until the US legislature makes explicit guarantees protecting EU servers from being accessed by US law enforcement without going through the appropriate international channels (which would include notifying all affected EU residents of the access).
I realize this can't always be avoided but replacing Google Analytics with another US company over GDPR concerns seems a lot of effort for no effect when there are self-hosted and EU-based alternatives available.
There are tons of decent European-based cloud providers, like UpCloud, Scaleway, Exoscale or OVH, to name the ones at the top of my head.
I would love to know what motivated this choice outside of "nobody got fired buying IBM/AWS" or résumé-driven development.