Privacy-first file storage for the EU market.
GDPR compliance isn't a checkbox you tick after launch. We designed disposal.space with privacy as an architectural constraint from day one — not a retrofit.
Building a cloud storage product in the EU means privacy is the product.
File storage is inherently sensitive. Users upload contracts, financial documents, personal files. In the EU, mishandling that data isn't just bad practice — it's illegal. We needed GDPR compliance baked into every layer of the architecture.
Data residency requirements
EU user data must stay in the EU. Every service in the chain — storage, database, processing, CDN — needs to operate within European regions.
Third-party DPA tracking
Every external service that touches user data needs a Data Processing Agreement. Authentication, payments, file parsing, AI — each vendor has different DPA processes.
Minimal data collection
GDPR's data minimization principle means you collect only what's necessary. No analytics tracking, no behavioral profiling, no unnecessary cookies.
Privacy as architecture, not afterthought.
Every infrastructure decision was made with data residency, encryption, and user rights in mind. Here's how the privacy layer works end-to-end.
EU-Only Infrastructure
AWS S3 in eu-north-1 (Stockholm), PostgreSQL in Frankfurt, backend services in Stockholm. Every byte of user data stays in the EU.
Encryption Everywhere
Files are encrypted at rest in S3 and in transit via TLS. Presigned URLs for uploads and CloudFront signed URLs for downloads — no direct bucket access.
Transient Processing
File parsing for AI search is transient — content is extracted, embedded, and the raw text is discarded. Only vector embeddings are stored long-term.
Full Data Deletion
When a user deletes their account, we cascade delete everything — files from S3, metadata from PostgreSQL, embeddings from pgvector. Nothing lingers.
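The cascade deletion described above, sketched as an added example (not disposal.space's own code). The table names, columns and object keys are assumptions, and SQLite plus a dict stand in for PostgreSQL/pgvector and the S3 bucket so the sketch runs offline. It shows the ordering that matters (objects first, index rows last) and a residual check that confirms nothing lingers.

```python
import sqlite3

def make_store():
    # Constructed stand-ins: SQLite for PostgreSQL/pgvector, a dict for the S3 bucket.
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces cascades only when enabled
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY);
        CREATE TABLE files (id INTEGER PRIMARY KEY, s3_key TEXT NOT NULL,
            user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
        CREATE TABLE embeddings (vec BLOB,
            file_id INTEGER NOT NULL REFERENCES files(id) ON DELETE CASCADE);
    """)
    return db, {}

def seed(db, bucket):
    # Constructed sample data: user 1 owns two files, user 2 owns one.
    sample = {1: ["u1/contract.pdf", "u1/tax.xlsx"], 2: ["u2/notes.txt"]}
    for uid, keys in sample.items():
        db.execute("INSERT INTO users (id) VALUES (?)", (uid,))
        for key in keys:
            fid = db.execute("INSERT INTO files (user_id, s3_key) VALUES (?, ?)",
                             (uid, key)).lastrowid
            db.execute("INSERT INTO embeddings (file_id, vec) VALUES (?, ?)",
                       (fid, b"\x00" * 8))
            bucket[key] = b"constructed file body"
    db.commit()

def residuals(db, bucket, user_id, rows):
    # Count anything of the user's that survived, in each of the three stores.
    file_ids = [fid for fid, _ in rows]
    marks = ",".join("?" * len(file_ids)) or "NULL"
    count = lambda sql, args: db.execute(sql, args).fetchone()[0]
    return {
        "objects": sum(1 for _, key in rows if key in bucket),
        "files": count("SELECT COUNT(*) FROM files WHERE user_id = ?", (user_id,)),
        "embeddings": count(
            f"SELECT COUNT(*) FROM embeddings WHERE file_id IN ({marks})", file_ids),
    }

def delete_account(db, bucket, user_id):
    # The file rows are the only index of which objects belong to the user, so
    # read them first and remove the objects before the rows disappear.
    rows = db.execute("SELECT id, s3_key FROM files WHERE user_id = ?",
                      (user_id,)).fetchall()
    for _, key in rows:
        bucket.pop(key, None)  # idempotent: safe to retry after a partial failure
    with db:  # one transaction; ON DELETE CASCADE removes files and embeddings
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return residuals(db, bucket, user_id, rows)
```

A non-zero count in the returned report means the deletion is incomplete and should be retried or escalated rather than reported to the user as done.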
Every third-party service, accounted for.
GDPR requires a Data Processing Agreement with every vendor that handles user data. We tracked and secured DPAs across the entire supply chain.
AWS — Storage & CDN
DPA included in the AWS Customer Agreement, automatically active. S3 bucket restricted to eu-north-1. CloudFront signed URLs prevent unauthorized access.
Clerk — Authentication
Handles user identity and session management. DPA available through their standard terms. We collect no passwords or auth tokens ourselves.
Stripe — Payments
Processes subscriptions and billing. DPA through Stripe's standard terms. We never store credit card data — Stripe handles PCI compliance entirely.
OpenAI — AI Features
Generates embeddings for semantic search. DPA auto-signed via Terms of Service. Data sharing disabled in API settings — OpenAI doesn't train on our users' data.
The outcome.
A cloud storage platform that's GDPR-compliant by design — not by patch. Users trust it with sensitive files because the architecture earns that trust.
Analytics trackers, cookies, or behavioral profiling on the platform.
User data stored within EU regions. No exceptions.
Auto-expiring share links ensure shared access doesn't persist.
Building for the EU market?
Privacy can't be an afterthought. We help teams build GDPR-compliant products from the ground up — so compliance doesn't slow you down later.