Need email infrastructure? Try PostScale -- transactional email API built in the EU. PostScale

    GDPR-compliant DNS providers — a 2026 buyer's checklist

    What 'GDPR-compliant DNS' actually means, what to ask in procurement, and which DNS providers satisfy the structural sovereignty criteria for EU-resident data.

    Updated

    TL;DR

    GDPR doesn't mandate an EU-jurisdiction DNS provider, but it imposes constraints — lawful transfer mechanisms, processor obligations, data-minimisation, right-of-access — that are materially simpler to satisfy with a structurally EU-jurisdiction provider. This checklist gives you the procurement questions to ask, the contractual artefacts to require, and how the major DNS providers stack up against them in 2026.

    If you're an EU-based business, a public-sector buyer, or an operator under NIS2 or sectoral compliance frameworks, "GDPR-compliant DNS" is part of your procurement checklist. This page walks through what that actually means in 2026, what to ask vendors in the RFP stage, and which DNS providers structurally fit.

    What "GDPR-compliant DNS" actually means

    GDPR doesn't certify products. There's no "GDPR-compliant" stamp. What there is:

    1. Personal data definitions. DNS query data — IP addresses, queried names, timestamps — can be personal data under GDPR (Article 4(1), confirmed by the CJEU in Breyer v. Germany, 2016).
    2. Controller / processor obligations. If your DNS provider processes personal data on your behalf, they are a processor and you are a controller (Article 28). That triggers requirements: a written DPA, restricted processing, subprocessor controls, breach notification, audit rights, and so on.
    3. Lawful transfer mechanisms. If the processor is outside the EU/EEA, you need a lawful basis for the transfer: EU–US Data Privacy Framework (if certified), Standard Contractual Clauses (SCCs) with a Transfer Impact Assessment (TIA), or Binding Corporate Rules.
    4. Data minimisation, purpose limitation, retention limits, and right-of-access. Apply to whatever query metadata the provider stores.

    A "GDPR-compliant" DNS provider, in the practical sense, is one that:

    • Has a published, executable DPA with SCCs / DPF as appropriate.
    • Has clear data-handling, retention, and subprocessor disclosures.
    • Operates with personal data minimisation by default (no advertising-driven query log monetisation).
    • Has incident-reporting commitments aligned with GDPR Article 33's 72-hour requirement.
    • Either is structurally EU-jurisdiction (simpler audit story) or has a credible cross-border transfer regime (extra audit work).

    The 12-question procurement checklist

    Drop these directly into your RFP. Ask vendors for written answers — verbal commitments don't survive an audit.

    1. Where is your company headquartered, and under which legal regime do you operate?
    2. Where are your operations team and primary ops infrastructure located?
    3. Where is authoritative zone data stored? Is it ever processed outside the EU/EEA?
    4. Do you have a publicly available Data Processing Agreement we can execute? (Send me the link.)
    5. What is the lawful basis for any transfer of personal data outside the EU/EEA? (DPF certification? SCCs? Adequacy?)
    6. What query metadata do you store? For how long? Who can access it? Is it ever used for advertising or monetisation?
    7. What is your subprocessor list, and how do you notify customers of changes?
    8. What is your breach-notification SLA, and is it aligned with GDPR Article 33?
    9. Do you have ISO 27001 / SOC 2 Type II / other relevant certifications? Provide the latest reports.
    10. Are you in scope for NIS2, and what is your status against its incident-reporting obligations?
    11. Can I exercise data-subject rights (access, deletion, portability) for personal data in your query logs?
    12. Can I cancel and have all my zone data and query metadata deleted within 30 days?

    The answers tell you more than any marketing page.

    How to score the responses

    Not every question carries equal weight. Here's a suggested weighting framework you can adapt to your context. Score each provider 0–3 per question (0 = no answer / non-responsive, 1 = partial / weak, 2 = adequate, 3 = strong / documented).

    QuestionWeightWhat a "3" looks like
    Q1 — HQ / jurisdictionEU headquarters, written confirmation.
    Q2 — Ops locationEU-based ops team. Primary ops infrastructure disclosed publicly or on request.
    Q3 — Zone data locationZone data stored and processed in EU/EEA. Clear statement available.
    Q4 — DPAPublished DPA link. Executable during onboarding.
    Q5 — Transfer basisFor non-EU: DPF certification + SCCs + TIA guidance provided. For EU: no transfer needed, stated.
    Q6 — Query metadataData types, retention in days, no advertising use, documented.
    Q7 — SubprocessorsPublic list. Commit to notification.
    Q8 — Breach SLASLA matches or exceeds Article 33 (72h). Incident response plan described.
    Q9 — CertificationsActive ISO 27001 and/or SOC 2 Type II. Link to certificate/registry.
    Q10 — NIS2 statusIn scope. Status disclosed. Incident-reporting workflow confirmed.
    Q11 — Data-subject rightsProcess documented. DPO contact published.
    Q12 — Cancellation & deletionExport + deletion commitment within 30 days.

    Multiply score by weight for a weighted total (max possible: 72). Don't treat the number as absolute — it's a structured conversation starter. A US provider scoring 55 with strong DPF documentation might be a better operational fit than an EU provider scoring 40 with weak documentation.

    Run this scoring exercise for each provider on your shortlist, attach the scores to your procurement record, and re-score at contract review. Changes in a provider's posture (new DPA, dropped certification, subprocessor addition) should trigger a re-score.

    Procurement artefacts — what to collect and what to look for

    Before you sign anything, collect these documents. Each one should be read — not filed unread — because the details in them are what a data-protection authority will ask about.

    ArtefactWhere to get itWhat to look for
    Data Processing Agreement (DPA)Provider's legal page or on requestExplicit Article 28 reference. Subprocessor list included or linked. Transfer mechanism stated (SCC module, DPF certification ID). Audit-rights clause. Breach-notification timeline in hours.
    Subprocessor registerDPA appendix or separate disclosureDate of last update. Names and jurisdictions of subprocessors. Notice period for additions. Right to object?
    Transfer Impact Assessment (TIA)You write it; provider supplies inputsFor non-EU providers only. Documents that surveillance laws don't undermine SCC protections in your specific use case. If the provider publishes a TIA template or white paper, review it — but don't substitute it for your own. The TIA is your legal obligation.
    Certification reports (ISO 27001, SOC 2)Provider's trust centre or on requestDate of issue and expiry. Scope — does it cover DNS infrastructure and operations, or only the billing portal? Auditor name.
    Incident-response policy / post-incident reportsSecurity page or blogAre post-incident reports published? What's the format? For NIS2-regulated buyers, verify the 24h/72h/1-month structure.
    Data-retention and deletion policyDPA or privacy policySpecific retention periods for query metadata, billing logs, and zone data. Deletion process after contract termination. Confirmation of deletion.

    Collect these before the contract is signed. Once a provider is in production, replacing them is harder than qualifying them.

    How major DNS providers stack up

    Status legend: 🟢 structural fit · 🟡 satisfiable with extra audit work · 🔴 problematic.

    EU-headquartered providers

    ProviderHQ jurisdictionEU opsDPA / SCCsCertificationsSovereignty fit
    DNScaleEUEUYesISO 27001🟢 Structural
    Hetzner DNSDE (EU)EUYesISO 27001🟢 Structural
    Gandi LiveDNSFR (EU)EUYes🟢 Structural
    OVHcloud DNSFR (EU)EUYesISO 27001, SOC 2, HDS, SecNumCloud🟢 Structural
    Bunny DNSSI (EU)EUYes🟢 Structural
    ClouDNSBG (EU)EUYes🟢 Structural

    US-headquartered providers

    ProviderHQ jurisdictionEU operationsDPA / SCCsDPF certifiedCertificationsSovereignty fit
    Cloudflare DNSUSGlobal edgeYes (SCCs)YesISO 27001, SOC 2 Type II🟡 Satisfiable with TIA
    AWS Route 53USGlobal edgeYes (SCCs)YesISO 27001, SOC 2, FedRAMP🟡 Satisfiable with TIA
    Google Cloud DNSUSGlobal edgeYes (SCCs)YesISO 27001, SOC 2🟡 Satisfiable with TIA
    NS1 (IBM)USGlobal edgeYes (SCCs via IBM)Yes (via IBM)ISO 27001, SOC 2🟡 Satisfiable with TIA
    DNS Made EasyUSGlobal edgeYes (SCCs)YesSOC 2 Type II🟡 Satisfiable with TIA

    🔴 cases are providers without any DPA/SCC mechanism, or with documented data-handling practices that don't meet GDPR processor requirements. Not naming names — confirm with each vendor's published DPA.

    NIS2 and GDPR — how the two frameworks interact for DNS procurement

    GDPR and NIS2 are separate legal instruments, but for DNS procurement they overlap in practice. Understanding the interaction makes your procurement exercise once-and-done rather than twice-the-pain.

    AreaGDPRNIS2Overlap in DNS procurement
    ScopeAny entity processing EU personal dataEssential and important entities in named sectorsIf you're a NIS2-regulated entity, your DNS provider selection is part of supply-chain risk. If you also handle EU personal data, GDPR processor obligations apply simultaneously.
    Due diligenceArticle 28 — processor must provide sufficient guaranteesArticle 21(2)(d) — supply-chain securityThe evidence you collect is largely the same: DPA, certifications, subprocessor list, incident-response capability.
    Incident reportingArticle 33 — personal data breach notification within 72hArticle 23 — significant incident early warning 24h / notification 72h / final report 1 monthA DNS outage that exposes query logs is a personal data breach under GDPR and a significant incident under NIS2. Both reporting obligations may fire. Your DNS provider should have processes for both.
    JurisdictionApplies wherever EU personal data is processed; foreign processors need SCCs/DPFApplies to EU entities; foreign suppliers evaluated under supply-chain riskAn EU-jurisdiction provider satisfies both without extra mechanisms. A non-EU provider requires cross-border mechanisms for GDPR and extra due diligence for NIS2.
    FinesUp to €20M or 4% of global turnoverUp to €10M or 2% for essential entitiesNot mutually exclusive. A DNS-related incident could trigger penalties under both frameworks.

    The takeaway: do the procurement once, collect the evidence once, and document it in a format that serves both regulatory regimes. The NIS2 supply-chain evidence and GDPR processor-selection evidence should live in the same procurement record.

    For the full NIS2 context — which sectors are in scope, Article 21 measures in detail, incident-reporting timelines — see the NIS2 and DNS guide.

    When "structural fit" matters more than "satisfiable"

    For most workloads, a US-headquartered provider with DPF certification + SCCs + a TIA is fine — the legal regime is clear, the contractual mechanism exists, the audit overhead is bounded.

    It matters more when:

    • You're under NIS2 as an essential or important entity and supply-chain risk is part of your assessment. A structurally EU-jurisdiction provider materially simplifies that assessment.
    • You're a public-sector buyer with explicit sovereignty mandates (e.g., French SecNumCloud, German BSI Cloud Computing Compliance Catalogue, EU CSIRT criteria).
    • Your customers' procurement requires it. Increasingly common in EU-headquartered enterprises selling to other EU enterprises — DNS is in the supply-chain risk assessment.
    • You handle high-sensitivity personal data (healthcare, financial, children's data) where DPAs default to extra scrutiny.
    • You're in a sector with specific guidance (DORA for financial services, EHDS for health data) that effectively prefers EU-jurisdiction processors.

    For everything else — early-stage SaaS, dev/test, non-regulated content sites — pick the provider that fits your stack. GDPR compliance is achievable on either side.

    Buyer-scenario guide — which provider profile fits

    Not every buyer needs the same level of due diligence. Here's how the decision maps to common scenarios.

    Buyer profileRegulatory riskRecommended approachTypical shortlist
    Early-stage startup (pre-revenue, non-regulated, small team)LowDPA signed. Don't over-engineer. Focus on product. Revisit when you enter a regulated sector or raise Series A.DNScale (simplicity), Bunny DNS (cheap), Cloudflare Free (zero cost, but no DPA on free tier).
    Growth-stage SaaS (EU customers, hiring DPO, ISO 27001 in progress)MediumFull 12-question checklist. Scored provider comparison. Signed DPA. TIA for any non-EU provider. Document the decision.DNScale, OVHcloud DNS, Cloudflare (if TIA and DPA are in place).
    Regulated enterprise (finance, energy, health, NIS2 essential)HighFull procurement record. Weighted scoring. Procurement artefacts collected for every provider. NIS2 supply-chain evidence packaged alongside GDPR processor-selection evidence. Prefer EU-jurisdiction unless there's a strong operational reason not to.DNScale (EU ops page documented), OVHcloud (multi-cert), Hetzner (DE public-sector fit). US providers only with documented TIA and legal approval.
    Public-sector / governmentHigh, with political dimensionProcurement often governed by public-procurement law with explicit sovereignty clauses. EU jurisdiction usually mandatory. Check tender documentation for specific certification requirements (SecNumCloud, BSI C5, ENS High).OVHcloud (SecNumCloud), Hetzner (BSI C5), DNScale (EU-only network option).

    DNScale's GDPR posture

    For transparency, here's how DNScale specifically answers the 12-question checklist:

    1. HQ / jurisdiction: EU.
    2. Operations: EU (specific locations on the network page).
    3. Zone data location: EU. Replicates to a global anycast edge for performance, but the source of truth is EU.
    4. DPA: Yes, published; can be signed as part of onboarding.
    5. Cross-border transfers: None for authoritative zone data. Edge query handling occurs at PoP locations worldwide; aggregated query metadata for billing returns to EU storage.
    6. Query metadata: Aggregated. Retention bounded to billing and operational diagnostics. Not used for advertising. Not sold.
    7. Subprocessors: Disclosed; notification on change.
    8. Breach notification: Aligned with Article 33's 72-hour requirement.
    9. Certifications: ISO 27001 certified. NIS2 in progress.
    10. NIS2: Yes, in scope. Operational obligations met.
    11. Data-subject rights: Yes, support is via the published DPO contact.
    12. Cancellation: Zone data export and deletion within 30 days.

    Specific contractual artefacts available on request via support. For the infrastructure details that underpin these claims — AS numbers, IXP peering, network architecture — see the DNScale infrastructure and EU operations page.

    Audit-readiness — what your internal team needs to produce

    If a data-protection authority or NIS2 regulator asks about your DNS provider selection, the response window is short. Have a processor selection record ready before they ask. Here's a template.

    Processor selection record — template

    Provider: [Name] Date of selection: [Date] Date of most recent review: [Date] Review cadence: [e.g., annually, or on contract renewal]

    1. Selection criteria — Adapt the 12-question checklist above to your context. List the criteria you used and their weightings.

    2. Shortlist and scores — Attach the weighted scoring table for each shortlisted provider. Include the rationale for the chosen provider.

    3. Contractual artefacts on file — Check each one:

    • Signed DPA
    • Subprocessor register (date of last update: ___)
    • Transfer Impact Assessment (if non-EU provider; date of assessment: ___)
    • Certification reports (ISO 27001 expiry: ___, SOC 2 date: ___)
    • Incident-response policy / last post-incident report (date: ___)
    • Data-retention and deletion policy (retention period: ___)

    4. Risk assessment — Note any risks identified and mitigated. Example: "Provider uses US-based subprocessor for CDN cache (Cloudflare); accepted because the subprocessor has DPF certification and our DPA includes subprocessor obligations. Risk: medium. Mitigation: monitored."

    5. DPO / legal review — Name of reviewer and date of sign-off.

    6. Next review date — Scheduled.

    Store this record where your DPO can retrieve it within 48 hours. Don't create it during an audit — have it maintained as a living document. Update it when the provider changes their DPA, adds subprocessors, drops a certification, or announces a material change to their infrastructure.

    References

    Frequently asked questions

    Does GDPR require me to use an EU DNS provider?
    No, not directly. GDPR regulates the processing of personal data of EU/EEA residents. DNS query data — the relationship between a query (a name, a source IP, a timestamp) and an identifiable person — can be personal data under GDPR. If your DNS provider processes this data, they're a processor and you're a controller, with the obligations that flow from that. You can satisfy those obligations with a non-EU provider via Standard Contractual Clauses and supplementary measures, but a structurally EU-jurisdiction provider materially simplifies the audit and risk-assessment story.
    What GDPR transfer mechanism do I need with a US-headquartered DNS provider?
    Either the EU–US Data Privacy Framework (DPF, in force since July 2023, replacing Privacy Shield) if the provider is certified, or Standard Contractual Clauses (SCCs) plus a Transfer Impact Assessment that documents whether US surveillance laws (FISA 702, EO 12333) materially undermine the SCCs in your specific case. Most US-headquartered DNS providers have a published DPA with SCCs. Several have DPF certifications. The TIA is your responsibility — it must be done, and re-done if circumstances change.
    What does 'EU jurisdiction' actually mean for a DNS provider?
    Three concrete things: (1) the company is incorporated and operated under EU law; (2) the operations team and ops infrastructure sit in EU member states; (3) the legal regime governing zone data is European. A regional EU presence of a US-headquartered provider doesn't change the jurisdictional answer at the corporate level — that's set by where the company is headquartered, not where individual servers run.
    Is the DNS query data for my domain even personal data?
    Often, yes. A DNS query carries the source IP of the recursive resolver (which can map to an end user via various correlation), the queried name, and the timestamp. Combined with other data, that's identifiable. The European Court of Justice has confirmed that IP addresses can be personal data (Breyer, 2016). If your DNS provider stores query logs, those logs are processing personal data of EU residents.
    Do I need a DPA with my DNS provider?
    Yes, if they process personal data on your behalf. Most reputable DNS providers publish a Data Processing Agreement that you can execute (often as part of their ToS or as a separate signable document). Read it: it should specify subprocessor list, transfer mechanism, retention, audit rights, and breach-notification obligations. If the provider doesn't have a DPA, treat that as a red flag for any production use case involving EU users.
    Does NIS2 interact with my GDPR obligations for DNS procurement?
    Yes, and the interaction is practical, not just theoretical. NIS2 (Directive EU 2022/2555) makes DNS providers essential entities and imposes supply-chain risk-management obligations on regulated buyers under Article 21(2)(d). When you select a DNS provider as a NIS2-regulated entity, you must demonstrate that the provider meets equivalent standards. The overlap with GDPR is: the evidence you collect for GDPR processor due diligence overlaps substantially with NIS2 supply-chain evidence. Doing both in one procurement exercise saves time and produces a defensible audit trail. See the NIS2 and DNS guide for the full regulatory breakdown.
    How does DNScale handle GDPR specifically?
    DNScale operates from EU jurisdiction — corporate headquarters and operations are in the EU. Authoritative zone data and operational metadata are processed within the EU. We publish a DPA. Personal data is minimised: query logs are aggregated, retained for the minimum necessary period for billing and operational diagnostics, and not used for advertising or sold to third parties. We're not a perfect answer to every regulatory edge case — but the structural shape is materially simpler than a US-headquartered provider for EU-resident data.
    How do I document my DNS provider selection decision for an audit?
    Keep a single 'processor selection record' that contains: (1) the criteria you used (this checklist adapted to your context), (2) scored responses from shortlisted providers, (3) the signed DPA, (4) a completed Transfer Impact Assessment if using a non-EU provider, (5) the subprocessor list with any risk mitigations noted, (6) the date of your most recent review, and (7) a brief rationale for the chosen provider. Store it where your DPO can retrieve it within 48 hours. See the audit-readiness section below for a fuller template.
    What if my DNS provider claims compliance but won't sign a DPA?
    That's a contradiction. GDPR Article 28 requires a written contract before processing begins. If a provider won't sign a DPA, they are either unfamiliar with their obligations (incompetence risk) or unwilling to be bound by them (legal risk). Either way, they are not a suitable processor for EU personal data. Walk away. There are too many credible providers that do sign DPAs to accept this.
    Can I use a US DNS provider and still be NIS2-compliant?
    Yes, provided you satisfy the Article 21(2)(d) supply-chain due diligence: you must document that the US provider meets equivalent cybersecurity standards, holds relevant certifications (ISO 27001, SOC 2 Type II), has a published DPA with SCCs + DPF certification, and can demonstrate incident-reporting timelines compatible with NIS2 Article 23's 24h/72h/1-month structure. The burden of proof is on you, not the provider. An EU-headquartered provider shifts that burden — the regulator supervises them directly under NIS2. See the NIS2/GDPR interaction section below.

    Other comparisons

    Ready to manage your DNS with confidence?

    DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.

    Start free