GDPR and Fly Postgres

I’m starting to look at GDPR requirements for my app.

I thought hosting my DB in the EU would be enough to comply, but apparently, because Fly is a US company, this is not enough.

I’ve read in the docs that volumes are encrypted by default. Does Fly have access to the encryption keys?

Can Fly access the PG data in any way?

Are volume backups encrypted?

Thanks Fly team. Any information you can provide will help me navigate this massive headache.

5 Likes

You can tell if volumes are encrypted by running fly volumes list.

Backups are encrypted if the volumes are.

One thing to check is what the question actually is:

Does Fly have policies preventing employees from accessing Postgres data? Yes.

But! We manage your encryption keys. It is technically possible for us to extract those keys from vault and use them on your backups. Or to even connect to your running Postgres.

2 Likes

Thanks for the info Kurt.

I don’t know if you can share this info but… do you have any EU customers that have gone through a GDPR audit using Postgres?

I really don’t want to move my DB to somewhere else.

Maybe that’s useful for you.

1 Like

Thanks, I know about this, but a DPA is probably not enough for data storage of personal information. This is most likely for logs, handling of IPs, etc.

Honestly, I have no idea.

I will probably end up hiring a lawyer or some consultant because all this is way above my head.

I can’t answer the question as to whether Fly’s DPA is sufficient for you – you’ll need to read it and / or have your lawyer look at it in order to make that determination, as you say.

Speaking more generally, I would be surprised if it were insufficient, though: the ongoing uncertainty over the ramifications of the US CLOUD Act notwithstanding, you’re storing your customers’ data on servers in the EU, you have a GDPR-compliant DPA, and no data transfers are taking place (I assume).

It’s worth having a look at section 9 of Fly’s DPA (which concerns the vendor’s obligation to provide assistance in preparing a data privacy impact assessment), as well as Annex 2, Section II, Clause 8.8, regarding onward data transfers.

Disclaimer: I am not a lawyer; I am not your lawyer; this is not legal advice; I may not even be real; this conversation isn’t even taking place.

1 Like

As I understand it, the problem is the US govt can force any US company to give up their data. So if Fly still has the encryption keys it means technically it could give away personal EU information to the US govt.

I have no idea how accurate this is.

I can neither confirm nor deny we’re having this conversation 😂

IANAL. But in general, I’d note that you can easily comply with GDPR while using a US based hosting provider. I’d also note that GDPR does not protect an individual against law enforcement obtaining evidence against you.

IANAL but it probably depends?

Hosting files and applications is one thing. But storing personal data is another.

Probably not, but the US is not considered an adequate country regarding the storage and transmission of personal data.

If the server is in Europe, it is not transmitting to a third country.

That is not the issue. The issue is that there’s uncertainty as to whether there’s a legal basis for the vendor to hand over data in response to a judicial warrant from a US government entity through the MLAT (this has nothing to do with the NSA). There have been some steps forward this year with the new US Executive Order, but privacy advocates say that they haven’t gone far enough. Ultimately the European Commission has to make a ruling, which is expected any day now.

The issue for you as someone who is processing data related to EU citizens (or even just people in the EU?) is whether you’re willing to accept the risk that arises as a result of the current uncertainty. Lots of people are. Some are not.

1 Like

I wish it was that simple.

See this article about using AWS in the EU.

Basically I think it says it’s ok to use AWS in Europe as long as you BYOK so that AWS employees do not have access to the unencrypted data.

@pier Using your own key would ensure that only you could access data. However, that article does note that technically the service is being provided by a European subsidiary company (in the case of AWS). Microsoft, Oracle … they all seem to have one. I’d assumed that was partly for tax reasons (e.g. being based in Ireland); however, it looks like it would also assist with data (at least based on my read - not a lawyer 🙂).

I don’t know if Fly has/plans for creating any European subsidiary (a company can be easily created, but comes with additional overhead for them to deal with). That could be another route.

1 Like

Yes, that’s true. I don’t know how relevant it is though.

And just to complicate things even further… there’s the right to be forgotten which means that if a user asks for their data to be erased it has to be deleted from the database backups too when “technically possible”.

2 Likes

@pier unless there has been a change that I’m not aware of, the right to be forgotten has carve-outs for backups that mean, as long as your privacy policy is up front about how long their data will remain in backups, you should be fine, e.g. backups will be kept for up to 3 months, so their data will be fully erased after 3 months.

2 Likes

Here’s an interesting legal case in France.

A health company that stored data in AWS. The judge ruled it was ok because:

The judge also noted technically the data hosted by AWS Sarl is encrypted and the key is held by a trusted third party in France, not by AWS, to prevent data from being read by third parties.

1 Like
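As an added example (not code from this thread, from Fly, or from the AWS case cited above), here is what the arrangement the thread keeps circling back to looks like in practice: the BYOK setup from the AWS article, the “key held by someone other than the host” point from the French ruling, and the backup problem raised against the right to be forgotten. Each user’s personal data is encrypted under its own data key; those keys are wrapped under a key the application controls and kept outside the database backup set, so the host and its snapshots only ever hold ciphertext, and an erasure request is honoured by destroying the user’s key (crypto-shredding) rather than by rewriting every snapshot. The in-memory Store standing in for a Postgres table, the Vault, the user “alice” and the e-mail addresses are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded: the row still exists (live or in a backup) but its key is gone.
var ErrKeyShredded = errors.New("data key shredded; ciphertext unrecoverable")

// Store stands in for a Postgres table (user -> bytea of nonce || ciphertext).
type Store map[string][]byte

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without a CSPRNG there is no safe way to continue
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here; keys are always 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// sealWith: AES-256-GCM, fresh random nonce prefixed; aad binds the ciphertext to its row.
func sealWith(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// openWith reverses sealWith; a wrong key, wrong aad or any tampering fails.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("missing or truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Vault holds one random data-encryption key (DEK) per user, wrapped under the
// app's key-encryption key (KEK): the BYOK secret, kept in a KMS you control and
// never on the DB host. Keep the vault OUT of the DB backup set, or a DEK deleted
// here survives in old snapshots and shredding does nothing.
type Vault struct {
	kek     []byte
	wrapped Store // user -> DEK wrapped with the KEK
}

func NewVault(kek []byte) *Vault { return &Vault{kek: kek, wrapped: Store{}} }

// dekFor unwraps the user's DEK, minting one on first use when create is set.
func (v *Vault) dekFor(user string, create bool) ([]byte, error) {
	if w, ok := v.wrapped[user]; ok {
		return openWith(v.kek, w, []byte(user))
	}
	if !create {
		return nil, ErrKeyShredded
	}
	dek := mustRandom(32)
	v.wrapped[user] = sealWith(v.kek, dek, []byte(user))
	return dek, nil
}

// Shred destroys the DEK: every copy of this user's ciphertext, in any backup, is now dead.
func (v *Vault) Shred(user string) { delete(v.wrapped, user) }

// StorePII writes only ciphertext to the data table; the host sees no plaintext.
func StorePII(v *Vault, db Store, user string, pii []byte) error {
	dek, err := v.dekFor(user, true)
	if err != nil {
		return err
	}
	db[user] = sealWith(dek, pii, []byte(user))
	return nil
}

// ReadPII decrypts a row from the live table or a restored backup (a missing row is nil).
func ReadPII(v *Vault, db Store, user string) ([]byte, error) {
	dek, err := v.dekFor(user, false)
	if err != nil {
		return nil, err
	}
	return openWith(dek, db[user], []byte(user))
}

func main() {
	v, db := NewVault(mustRandom(32)), Store{} // constructed KEK; use your own KMS in practice
	_ = StorePII(v, db, "alice", []byte("alice@example.org")) // constructed sample PII
	v.Shred("alice") // erasure request: the row in db, and in every snapshot of it, is now dead
	_, err := ReadPII(v, db, "alice")
	fmt.Println("row readable after shred:", err == nil, "/", err)
}
```

Two caveats follow from the thread itself. First, this only changes the picture if the KEK really is outside the host's reach: if the hosting provider manages the key (as Kurt says Fly does for volume encryption), a volume snapshot plus the provider's key store is still enough to read the data, so the application, or a KMS or third party you choose, has to hold it. Second, whether destroying a key counts as erasure of the data it protected, and for how long a provider may retain snapshots, is exactly the legal question the thread leaves to a lawyer; the code settles only the technical half.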
