Self-hosting and privacy laws

Cradle CMS is self-hosted and this has a big advantage when it comes to privacy laws, such as GDPR (General Data Protection Regulation) as it is possible to protect the personal data of the persons that interact with the site.

GDPR is the EU data protection law and apply to personal data about individuals and even includes such data as name and email address. 

And for businesses this means that it is important to keep track of what, where and how the data is stored and to ensure it is safe. On the where part it seems that it needs to be kept within EU which makes it a problem to use many of the popular north american SaaS solutions even if there is a US company safe list it is not competely clear if it is complying with the regulations.

More information about GDPR

Other privacy laws from around the world

  • CCPA & CPRA (California)
  • VCDPA (Virginia)
  • CPA (Colorado)
  • CTDPA (Connecticut)
  • UCPA (Utah)
  • LGPD (Brazil)
  • PIPEDA (Canada)
  • APPI ( Japan)
  • PDPA (Thailand)
  • FADP (Switzerland)

How the law so far been implemented

It is hard to know to which degree the laws are implemented and as a European company (or simply doing business that involved european citizens), adhering to GDPR is not optional and the risk of getting penalties must be evaluated for each company. For example, Swedish companies CDON and Tele2 were fined for not adhering to GDPR rules by using Google Analytics incorrectly. Other companies in the EU have had similar fines; thus, knowing which statistics tools are used and how they are implemented is essential. 

According to the EU Commission webpage, not all SMEs (Small and Medium Enterprises) need to adhere to all obligations of GDPR laws; those under 250 employees are exempt from keeping records of the processing activities:


“For instance, companies with fewer than 250 employees don’t need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.”

Source: European Commission

Self-hosting as a solution

A self-hosted solution can offer several benefits for adhering to GDPR and similar privacy laws elsewhere. Self-hosting allows you to maintain full control over your data. You can decide where your data is stored, how it is processed, and who can access it. This level of control helps you comply with GDPR's data protection principles, such as data minimisation and purpose limitation. Self-hosting reduces reliance on third-party vendors for data processing. Keeping data within your infrastructure mitigates the risks associated with sharing personal data with external service providers. This can help comply with GDPR's requirements for data transfers and avoid these to countries outside the European Union (EU).

  1. Enhanced Security: With a self-hosted solution, you can implement robust security measures tailored to your specific needs. You can choose and configure security protocols, encryption standards, and access controls to protect personal data. This control helps meet GDPR's requirement for ensuring the security and confidentiality of personal data.

  2. Transparency and Auditability: Self-hosting enables better transparency and auditability of data processing activities. You can maintain detailed logs and records of data processing activities, including data transfers, access requests, and modifications. This transparency assists in demonstrating compliance with GDPR's accountability principle and facilitates regulatory audits.

  3. Flexibility and Customization: Self-hosted solutions provide greater flexibility and customisation options. You can design and configure your systems to align with specific GDPR requirements, such as data subject rights (e.g., right to access, rectify, erase data) and lawful basis for processing. This flexibility allows you to tailor your processes to meet unique organisational needs.

  4. Geographical Data Sovereignty: Some privacy laws, including GDPR, restrict the transfer of personal data to countries without adequate data protection laws. By self-hosting, you can ensure that personal data remains within your jurisdiction or in countries with suitable privacy frameworks, reducing the risk of non-compliance with data transfer regulations.


- On the topic of GDPR, analysis of a Google Analytics : Is Google Analytics GDPR Compliant? Ensuring Google Analytics GDPR Compliance for Google Analytics 4 (GA4) [Updated February 2024]