AWS Lightsail EU Alternative 2026: The Art.28 SMB Cloud Trap and CLOUD Act Exposure for Simple Apps
Post #789 in the sota.io EU Compliance Series
AWS Lightsail is designed for simplicity. That simplicity is exactly what makes it a GDPR problem.
When AWS abstracts away VPC configuration, IAM complexity, and security group management, it also abstracts away the visibility you need to demonstrate GDPR compliance. Every WordPress site, every Node.js API, every MySQL database you run on Lightsail is a US-controlled cloud resource subject to CLOUD Act access — and the simplified Lightsail interface makes it harder, not easier, to build the Art.30 records and Art.32 technical measures that GDPR requires.
This is the GDPR analysis of AWS Lightsail and the EU-sovereign alternatives that provide equivalent simplicity without US-jurisdiction exposure.
What AWS Lightsail Does and Why EU Businesses Use It
AWS Lightsail is Amazon's simplified compute product. Unlike EC2, which requires configuring VPCs, subnets, security groups, IAM roles, and billing by the second, Lightsail bundles compute, storage, and networking into fixed monthly prices — starting at $3.50/month for a 512MB RAM instance.
Lightsail supports pre-configured application stacks: WordPress, LAMP, Node.js, Django, Ghost, Magento, Joomla, and others. A small business can deploy a production WordPress site in minutes without AWS infrastructure expertise.
This is genuinely useful. The GDPR problem is that Lightsail's simplicity extends to the compliance surface too — but unlike the technical complexity, the compliance surface doesn't go away just because AWS hides it.
What runs on Lightsail for EU businesses:
- Customer-facing WordPress sites with contact forms, WooCommerce stores, membership databases
- Small SaaS applications with user accounts and session data
- Business websites with analytics, cookies, and visitor tracking
- Internal tools with employee data and business records
- Development and staging environments with production data copies
Each of these stores personal data of EU data subjects on AWS infrastructure subject to US jurisdiction.
Five GDPR Obligations AWS Lightsail Triggers
1. Art.28 — The Processor Agreement Trap
GDPR Art.28 requires that whenever you engage a processor — a company that handles personal data on your behalf — you must have a written Data Processing Agreement (DPA) that specifies the subject matter, duration, nature, and purpose of the processing, the type of personal data, categories of data subjects, and your obligations and rights.
AWS provides a DPA (the AWS GDPR Data Processing Addendum). The problem isn't that it doesn't exist — it's that most Lightsail customers never review it, and many don't realise they've accepted processor status with implications they don't understand.
The practical gap: Lightsail's one-click app deployments encourage rapid deployment without a compliance review step. A small business deploying WooCommerce on Lightsail has created a relationship where AWS processes transaction data, shipping addresses, payment metadata, and customer PII — all covered by Art.28, none of it explicitly reviewed by the business owner.
The second gap: The AWS DPA covers AWS as a processor of your customer data. It does not cover AWS as a controller of the metadata they generate about your Lightsail instance — usage patterns, API calls, network traffic volumes — which they process for their own purposes under their own privacy policy.
2. Art.5(1)(e) — Storage Limitation and Snapshot Accumulation
GDPR Art.5(1)(e) requires personal data to be kept in a form permitting identification for no longer than necessary for the purpose.
Lightsail's automated snapshot feature creates daily backups of your instance and block storage. Snapshots accumulate. Lightsail does not automatically delete old snapshots. The default retention settings keep snapshots indefinitely unless you configure explicit deletion policies.
The compliance consequence: if your Lightsail instance stores personal data — and it does, if it runs any application handling EU users — then each snapshot is a copy of that personal data. Multiple snapshots mean multiple copies. Indefinite retention violates Art.5(1)(e) storage limitation unless you can demonstrate a specific legal basis for each copy's continued storage.
Many EU businesses running Lightsail have years of accumulated snapshots containing customer data that should have been deleted under their own privacy policies. Lightsail's dashboard doesn't surface this as a GDPR risk. The snapshot page shows dates and sizes. It doesn't say "these snapshots contain personal data subject to deletion obligations."
3. CLOUD Act — Full Application Stack Under US Jurisdiction
The Clarifying Lawful Overseas Use of Data Act (2018) requires US cloud providers to comply with US law enforcement requests for data regardless of where it is physically stored. AWS is a US company. Lightsail is an AWS service.
The scope of CLOUD Act exposure for a typical Lightsail deployment is broader than for specialised AWS services:
Everything on the instance disk is accessible: database files, uploaded media, configuration files, SSL certificates, environment variables with API keys, application source code, mail spool files, log files with IP addresses and user agents.
Everything in snapshots is accessible: historical copies of all of the above, potentially going back years.
Everything in Lightsail object storage (Lightsail Buckets) is accessible: backups you've stored, user uploads, static assets, any file accessible from your application.
A US law enforcement request targeting your business — or targeting a customer of yours — can compel AWS to hand over your entire application stack without notifying you, under a gag order that prevents you from telling the affected individuals or triggering your Art.33 breach notification obligation.
The standard Lightsail use case — a small e-commerce WordPress site with WooCommerce customer data — stores name, email, address, purchase history, and potentially IP addresses and device fingerprints in a MySQL database on the instance disk. All of it falls within CLOUD Act scope.
4. Art.32 — Technical Security Measures and Lightsail's Simplified Security Model
GDPR Art.32 requires implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of personal data, the ability to ensure ongoing confidentiality, and a process for regularly testing and evaluating the effectiveness of those measures.
Lightsail's simplified security model creates specific Art.32 gaps:
No VPC isolation by default. Standard Lightsail instances are not in a VPC by default. They have public IP addresses and are accessible directly from the internet via configured firewall ports. VPC peering is available but requires explicit configuration that many Lightsail users never perform.
Database exposure. Lightsail Managed Databases are accessible from any Lightsail instance by default, with no network isolation requiring explicit firewall rules. In the EC2 world, this would be configured via security groups in a private subnet. Lightsail abstracts this into a simplified firewall that makes it easier to accidentally expose databases to the internet.
No automatic encryption at rest. Lightsail instances do not have encryption at rest enabled by default. Enabling it requires additional configuration steps that the Lightsail quick-start guides don't emphasise. For applications processing sensitive personal data — health information, financial records, employee data — this may not meet Art.32's "appropriate measures" standard.
Simplified access logging. EC2 provides CloudTrail integration for API access logging. Lightsail's access logging is less granular. If you need to demonstrate to a DPA that you have appropriate access controls and can detect unauthorised access attempts, Lightsail's simplified model makes this harder to evidence.
5. Schrems II and Data Transfer Impact Assessments
The Schrems II ruling (C-311/18, July 2020) and the subsequent EDPB guidance require a Transfer Impact Assessment (TIA) when transferring personal data to third countries, including the US, even when using Standard Contractual Clauses.
A TIA requires you to assess whether the laws of the destination country undermine the protection offered by SCCs. For data transferred to AWS US infrastructure, the relevant laws include:
- FISA Section 702 (Foreign Intelligence Surveillance Act) — authorises collection of communications of foreign nationals for intelligence purposes
- Executive Order 12333 — authorises surveillance activities outside the US
- CLOUD Act — compels disclosure to US law enforcement
- National Security Letters — allows FBI to demand data with no judicial oversight, subject to indefinite gag orders
EU DPAs have consistently found that US surveillance law creates a gap between what SCCs promise and what US law allows. The European Commission's adequacy assessment for the US (EU-US Data Privacy Framework) provides a pathway, but it applies only to companies that self-certify under the DPF — AWS has done so, but the DPF remains under legal challenge and has a track record of being invalidated by the CJEU.
For a small EU business running Lightsail, conducting a documented TIA is a genuine compliance obligation they're unlikely to have performed. The EDPB guidance is clear that using a US cloud provider without a completed TIA is a compliance gap — regardless of which EU region you deploy to.
The Real Cost Comparison: Lightsail vs EU Alternatives
AWS Lightsail's pricing appears competitive in USD. When you account for EU-region pricing and compare against equivalent EU providers, the picture changes.
AWS Lightsail EU regions (eu-central-1 Frankfurt):
- 2 vCPU, 2GB RAM, 60GB SSD: $12/month
- 2 vCPU, 4GB RAM, 80GB SSD: $20/month
- 4 vCPU, 8GB RAM, 160GB SSD: $40/month
Hetzner Cloud (Nuremberg/Falkenstein/Helsinki):
- 2 vCPU (shared), 2GB RAM, 40GB SSD (CX22): €3.79/month (~$4.10)
- 2 vCPU (shared), 4GB RAM, 80GB SSD (CX32): €5.77/month (~$6.25)
- 4 vCPU (shared), 8GB RAM, 160GB SSD (CX42): €11.49/month (~$12.45)
Scaleway (Paris/Amsterdam/Warsaw):
- 2 vCPU, 2GB RAM, 40GB SSD (DEV1-S): €3.52/month
- 4 vCPU, 4GB RAM, 80GB SSD (DEV1-M): €6.49/month
- 8 vCPU, 8GB RAM, 80GB SSD (DEV1-L): €13.31/month
OVHcloud (Strasbourg/Paris/London):
- 1 vCPU, 2GB RAM, 20GB SSD (B2-7): €3.50/month
- 2 vCPU, 4GB RAM, 50GB SSD (B2-15): €7/month
For the 2 vCPU / 2GB RAM tier, Hetzner Cloud is roughly 70% cheaper than AWS Lightsail, with equivalent or better performance for typical web workloads, while keeping all data under EU-jurisdiction German law.
The total cost of GDPR compliance — including TIA documentation, Art.28 DPA review, Art.32 security measures, and DPA audit risk — makes the Lightsail cost advantage negative for most EU businesses.
EU Alternatives to AWS Lightsail
Hetzner Cloud — Best Overall for EU SMBs
Hetzner is a German company (Gunzenhausen, Bavaria) subject exclusively to German and EU law. No CLOUD Act. No FISA 702. The German Bundesdatenschutzgesetz (BDSG) supplements GDPR and provides additional protections.
Hetzner provides:
- Web console for one-click app deployment (similar to Lightsail experience)
- Server snapshots and backups with configurable retention
- Private networks (equivalent to VPC) included in base price
- Load balancers, Managed Databases (PostgreSQL, MySQL), Object Storage
- Floating IPs, DNS management
- API and Terraform provider for infrastructure as code
For WordPress deployments specifically, Hetzner App Images include WordPress, LAMP, LEMP, and Docker pre-configured. The setup experience is comparable to Lightsail.
Art.28 DPA: Hetzner provides a standard DPA aligned with EU requirements, with German law as governing law.
Scaleway — Best for Multi-Region EU
Scaleway (Paris, part of Iliad Group) operates data centres in Paris, Amsterdam, and Warsaw, all under EU jurisdiction. Key advantages:
- Kubernetes (Kapsule) and serverless (FaaS) included in base platform
- S3-compatible Object Storage (Scaleway Object Storage)
- Managed Databases (PostgreSQL, MySQL, Redis)
- EU-sovereign DNS (Scaleway Domains)
- Strong developer-experience focus comparable to AWS
Scaleway is listed on the EU Cloud Alliance member list and has received positive assessments from French CNIL for GDPR compliance architecture.
OVHcloud — Best for Regulated Industries
OVHcloud (Roubaix, France) is Europe's largest cloud provider by infrastructure size. Notably:
- Full EU data sovereignty with detailed GDPR compliance documentation
- ISO 27001, ISO 27017, ISO 27018 certifications
- SecNumCloud qualification (French ANSSI certification for sovereign cloud)
- Public Sector-focused offering (OVH Hosted Private Cloud)
- Competitive pricing with strong compliance paper trail
For businesses in regulated sectors — healthcare under Art.9, financial services, legal services — OVHcloud's certification stack provides stronger DPA documentation than AWS Lightsail.
Infomaniak — Best for Swiss GDPR+ Coverage
Infomaniak (Geneva) operates under Swiss law (nFADP) with GDPR adequacy. For businesses needing Swiss-law governance (Swiss subsidiaries, Swiss customer bases), Infomaniak provides:
- Web hosting and VPS from CHF 3.90/month
- Swiss data centres, all infrastructure owned by Infomaniak
- ISO 27001 certified
- Strong Art.28 DPA documentation
Coolify + Any EU VPS — Best for Developer Control
For developers comfortable with self-managed infrastructure, Coolify is an open-source Heroku/Netlify alternative that runs on any VPS. Pair it with a Hetzner CX22 (€3.79/month) and you get:
- One-click app deployments via web UI (comparable to Lightsail)
- Automated SSL certificate management
- Built-in backup configuration with retention policies
- Docker-based deployments for any application stack
- Full control over all data, stored on your EU VPS
The Coolify approach gives you the Lightsail deployment simplicity with full GDPR control — you set the retention policies, you control the backups, you own the encryption keys.
Migration Checklist: AWS Lightsail to EU Cloud
Migrating from Lightsail to an EU alternative involves four phases: inventory and assessment, application migration, DNS cutover and Lightsail cleanup, and compliance documentation.
Phase 1: Inventory and Assessment
Step 1: Audit all Lightsail resources.
List all instances, databases, buckets, snapshots, and static IPs. For each resource, identify:
- What personal data does this resource store or process?
- Who are the data subjects (customers, employees, visitors)?
- What is the legal basis for processing (Art.6 or Art.9)?
- Is there a documented retention period?
Step 2: Audit accumulated snapshots.
```shell
aws lightsail get-instance-snapshots --region eu-central-1 \
    --query 'instanceSnapshots[*].{Name:name,Date:createdAt,Size:sizeInGb}' \
    --output table
```
Delete snapshots older than your documented retention period before migrating. Do not transfer personal data snapshots you're not legally obligated to keep.
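The Art.5(1)(e) point above (snapshots accumulate with no retention policy) and this audit step both come down to the same check: compare each snapshot's creation date against the retention period your privacy policy documents. The script below is an added example, not part of the original post or any AWS tooling. It reads the JSON that `aws lightsail get-instance-snapshots --output json` prints (the `instanceSnapshots`, `name`, `createdAt` and `sizeInGb` fields), lists the snapshots past retention, and prints the matching `delete-instance-snapshot` commands for a human to review; it deletes nothing itself. The snapshot list and the reference date `FIXED_NOW` are constructed for the example.

```python
"""Snapshot retention audit for AWS Lightsail (added example, not AWS code).

Feed it the output of:
    aws lightsail get-instance-snapshots --region eu-central-1 --output json
It flags snapshots older than the documented retention period and emits
the delete commands for review. Nothing is deleted by this script.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the CLI's "instanceSnapshots" list
# (only the fields used below; the real response carries many more).
SAMPLE_RESPONSE = json.dumps({
    "instanceSnapshots": [
        {"name": "wp-prod-2021-06-01", "createdAt": "2021-06-01T02:00:00+00:00",
         "sizeInGb": 40, "state": "available"},
        {"name": "wp-prod-2025-12-20", "createdAt": "2025-12-20T02:00:00+00:00",
         "sizeInGb": 60, "state": "available"},
        {"name": "wp-prod-2026-01-05", "createdAt": "2026-01-05T02:00:00+00:00",
         "sizeInGb": 60, "state": "available"},
    ]
})
# Constructed reference date so the sample gives reproducible results.
FIXED_NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)


def parse_snapshots(raw_json):
    """Return (name, created_at, size_gb) tuples from the CLI JSON."""
    out = []
    for snap in json.loads(raw_json)["instanceSnapshots"]:
        created = datetime.fromisoformat(snap["createdAt"])
        if created.tzinfo is None:  # tolerate a naive timestamp; treat as UTC
            created = created.replace(tzinfo=timezone.utc)
        out.append((snap["name"], created, snap.get("sizeInGb", 0)))
    return out


def expired_snapshots(snapshots, retention_days, now=None):
    """Names of snapshots older than the retention period, oldest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    expired = sorted((s for s in snapshots if s[1] < cutoff), key=lambda s: s[1])
    return [s[0] for s in expired]


def delete_commands(names, region="eu-central-1"):
    """One reviewable CLI command per expired snapshot."""
    return [
        f"aws lightsail delete-instance-snapshot --region {region} "
        f"--instance-snapshot-name {name}"
        for name in names
    ]


def report(raw_json, retention_days, now=None):
    """Summary dict: totals, expired names, their size, and delete commands."""
    snaps = parse_snapshots(raw_json)
    expired = expired_snapshots(snaps, retention_days, now)
    expired_gb = sum(s[2] for s in snaps if s[0] in expired)
    return {"total": len(snaps), "expired": expired,
            "expired_gb": expired_gb, "commands": delete_commands(expired)}


if __name__ == "__main__":
    # Pipe real CLI output in, or run without input to use the sample.
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    result = report(data, retention_days=90, now=FIXED_NOW)
    print(f"{result['total']} snapshots, {len(result['expired'])} past retention "
          f"({result['expired_gb']} GB of personal-data copies):")
    for cmd in result["commands"]:
        print("  " + cmd)
```

Disk snapshots (`aws lightsail get-disk-snapshots` / `delete-disk-snapshot --disk-snapshot-name`) need the same pass; the logic is identical, only the list key and the command change. Keep the printed command list with the retention evidence in your Art.30 records, since the decision to delete is itself something a DPA may ask you to show.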
Step 3: Document data flows.
Map which external services your Lightsail application calls. Migrations reveal hidden data flows. If your WordPress site uses Mailchimp (US), Google Analytics (US), Stripe (US), or other US processors, migrating the hosting doesn't eliminate those data flows — but it reduces the attack surface.
Phase 2: Application Migration
For WordPress on Lightsail → Hetzner + Coolify:
```shell
# On existing Lightsail instance:
# Export WordPress database
mysqldump -u root -p wordpress_db > wordpress_export.sql
# Export WordPress files; archive relative to /var/www/html so the
# restore below lands in /var/www/html/wp-content, not a nested copy
tar -czf wp-content.tar.gz -C /var/www/html wp-content
# Transfer to new Hetzner instance
scp wordpress_export.sql user@hetzner-ip:/tmp/
scp wp-content.tar.gz user@hetzner-ip:/tmp/

# On Hetzner instance (after installing WordPress):
# Import database
mysql -u wordpress_user -p wordpress_db < /tmp/wordpress_export.sql
# Restore uploads and themes
tar -xzf /tmp/wp-content.tar.gz -C /var/www/html/
```
For the Hetzner setup, use the WordPress App Image via the Hetzner console, which handles Apache/Nginx, PHP, MySQL, and WordPress configuration automatically.
For Node.js/Python applications:
```shell
# Export application code
git clone your-repo /tmp/app-export
# Or: rsync if not in git
rsync -avz /var/www/app/ user@hetzner-ip:/var/www/app/

# Export environment variables
# IMPORTANT: Audit these for secrets before export
printenv | grep -E "^(DB_|API_|SECRET_|KEY_)" > .env.export
# Transfer securely, not via git
scp .env.export user@hetzner-ip:/var/www/app/.env

# Export database
pg_dump -U postgres app_db > app_db.sql
# or
mysqldump -u root -p app_db > app_db.sql
```
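The "audit these for secrets before export" comment deserves an actual check. The script below is an added example, not part of the original post: it parses an exported `.env` file, verifies the file is readable by its owner only, and classifies each variable so that credentials are rotated at cutover and any leftover AWS access key does not travel to the EU host. The variable names, the `.env` contents and the temporary file are constructed for the example; the `AKIA...` value is AWS's own documented placeholder key ID, used only to show the pattern match.

```python
"""Pre-transfer audit of an exported .env file (added example, not the post's code).

Run it against .env.export before the scp step. It reports:
  - whether the file is private (no group/other permissions)
  - variables whose name suggests a credential (rotate on cutover)
  - values that look like an AWS access key ID (must not move to the EU host)
  - empty values that will silently break the app after migration
"""
import os
import re
import stat
import tempfile

SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|KEY|PRIVATE", re.I)
# Public, documented format of an AWS access key ID (AKIA + 16 uppercase/digits).
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed sample of what `printenv | grep ... > .env.export` might produce.
SAMPLE_ENV = """# constructed sample of .env.export
DB_HOST=10.0.0.5
DB_PASSWORD='hunter2'
API_BASE_URL=https://api.example.invalid
SECRET_KEY=changeme
KEY_BACKUP_AWS=AKIAIOSFODNN7EXAMPLE
LOG_LEVEL=
"""


def parse_env(text):
    """KEY=VALUE lines to a dict; comments and blank lines are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def classify(env):
    """Return {variable: reason} for entries that need attention before transfer."""
    flagged = {}
    for key, value in env.items():
        if AWS_KEY_ID.search(value):
            flagged[key] = "aws-credential"      # leave on AWS side, revoke after cutover
        elif SECRET_NAME.search(key):
            flagged[key] = "rotate-on-cutover"   # new host, new secret
        elif value == "":
            flagged[key] = "empty-value"         # export captured an unset variable
    return flagged


def mode_is_private(path):
    """True when group and other have no permission bits at all (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit_env_file(path):
    with open(path, encoding="utf-8") as fh:
        env = parse_env(fh.read())
    return {"private": mode_is_private(path), "count": len(env), "flagged": classify(env)}


def demo():
    """Write the constructed sample to a 0600 temp file and audit it."""
    fd, path = tempfile.mkstemp(suffix=".env")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ENV)
    os.chmod(path, 0o600)
    try:
        return audit_env_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    result = demo()
    print("private file:", result["private"], "| variables:", result["count"])
    for key, reason in sorted(result["flagged"].items()):
        print(f"  {key}: {reason}")
```

Use `audit_env_file(".env.export")` on the real file. A result with `private` false means `chmod 600` before copying; any `aws-credential` hit should be removed from the export and the key revoked once the EU deployment is live, otherwise the migration quietly keeps a live AWS credential on the new host.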
For Lightsail Managed Databases:
```shell
# Get database endpoint from Lightsail console
# Export via pg_dump or mysqldump
pg_dump -h your-lightsail-db-endpoint \
    -U dbmasteruser \
    -d dbname \
    -f database_export.sql

# Import to new EU managed database (Hetzner Managed Database,
# Scaleway Managed Database, or self-hosted)
psql -h new-eu-db-endpoint \
    -U newuser \
    -d newdb \
    -f database_export.sql
```
For Lightsail Object Storage (Buckets):
```shell
# Install AWS CLI and configure with Lightsail credentials
# Export all bucket contents
aws s3 sync s3://your-lightsail-bucket/ ./bucket-export/ \
    --endpoint-url https://s3.eu-central-1.amazonaws.com

# Upload to new EU object storage
# Example: Hetzner Object Storage (S3-compatible)
aws s3 sync ./bucket-export/ s3://new-eu-bucket/ \
    --endpoint-url https://fsn1.your-objectstorage.com
```
Phase 3: DNS Cutover and Lightsail Cleanup
```shell
# Update DNS TTL to 60 seconds 24h before cutover
# (Lightsail DNS or your DNS provider)

# At cutover:
# 1. Create final database export from Lightsail
# 2. Import to EU database
# 3. Update application config to point to new DB
# 4. Update DNS A record to new EU IP
# 5. Monitor for 15 minutes
# 6. Update any hardcoded Lightsail endpoints in app

# After DNS propagation (check with):
dig +short yourdomain.com @8.8.8.8

# Delete Lightsail resources in order:
# 1. Delete instances
# 2. Delete managed databases (after confirming EU DB is live)
# 3. Delete buckets (after confirming EU storage is live)
# 4. Delete snapshots (in compliance with retention policy)
# 5. Release static IPs
```
Phase 4: Compliance Documentation
After migration, update your GDPR documentation:
Art.30 Records of Processing Activities: Update your RoPA to reflect the new processor (Hetzner/Scaleway/OVHcloud) and their EU-based DPA.
Art.28 Data Processing Agreements: Sign the DPA with your new EU cloud provider. Terminate the AWS DPA or limit it to any remaining AWS services.
Schrems II TIA: Document that you've eliminated the US-jurisdiction transfer. Update your TIA to reflect that data is now processed under EU jurisdiction.
Privacy Policy: Update the list of sub-processors. Remove AWS from the list or limit it to services you still use.
AWS European Sovereign Cloud: Does It Change the Calculus?
In January 2026, AWS launched the European Sovereign Cloud (AWS ESC) with a new German legal entity (AWS Europe GmbH) as the operator. AWS markets this as a solution to CLOUD Act concerns.
The core claim: because the German entity operates the infrastructure, US law enforcement requests go to the German entity under German law — not to Amazon.com Inc. under US law.
The reality is more nuanced:
What AWS ESC provides:
- German-law governed DPA with AWS Europe GmbH as processor
- Operations staff restricted to EU residents
- Separation from standard AWS infrastructure
What AWS ESC does not fully resolve:
- Amazon.com Inc. still owns the technology stack. The hardware, software, and cloud platform remain US-origin.
- FISA Section 702 targets people, not companies. If a US intelligence target uses your application, the data can be collected regardless of where it's stored.
- AWS ESC pricing is 20-30% higher than standard AWS — without equivalent functionality (ESC does not have feature parity with standard AWS).
- AWS ESC is still under legal challenge by EU privacy advocates.
For most EU SMBs, AWS ESC trades one compliance problem (CLOUD Act) for a worse commercial problem (30% price premium, reduced feature set) while not fully resolving the underlying sovereignty question.
Hetzner Cloud and Scaleway provide equivalent or better EU sovereignty at 60-70% lower cost, with feature parity for standard web workloads.
Art.25 Privacy by Design: What Lightsail's Simplicity Hides
GDPR Art.25 requires implementing data protection by design and by default — technical measures that minimise the amount of personal data processed and protect it by default.
Lightsail's design philosophy optimises for deployment speed and operational simplicity. This creates a tension with Art.25: the defaults that make Lightsail easy to use are often not the defaults that minimise data exposure.
Lightsail defaults that require remediation for Art.25:
- Snapshots enabled, retention unlimited → Set explicit retention periods matching your privacy policy
- Instance accessible on all ports by default until firewall configured → Configure before deploying any personal data
- No encryption at rest on instance disks by default → Enable before first deployment
- Database accessible from all Lightsail instances by default → Configure private networking
- Access logs not forwarded to a centralised system → Implement log forwarding for Art.30 evidence
Each of these defaults makes Lightsail simpler to operate. Each also requires remediation before the deployment is Art.25 compliant. The technical debt accumulates in the gaps between the Lightsail quick-start guide and the GDPR checklist.
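Two of the defaults in the list above, and two of the Art.32 gaps in the security section (instance ports open to the internet, managed database reachable without network isolation), can be checked from the CLI output rather than eyeballed in the console. The script below is an added example, not part of the original post or of AWS tooling. It reads the JSON from `aws lightsail get-instance-port-states` and `aws lightsail get-relational-database` and reports every open port range whose source is `0.0.0.0/0` or `::/0` (except 80 and 443, which a public website needs) and whether the database is flagged `publiclyAccessible`. Field names follow those two responses as documented; the port table and database record are constructed for the example, and the remediation strings name the CLI options a fix would use.

```python
"""Default-exposure audit for a Lightsail instance and database (added example).

Inputs are the JSON printed by:
    aws lightsail get-instance-port-states --instance-name NAME --output json
    aws lightsail get-relational-database --relational-database-name NAME --output json
"""
import json

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
WEB_PORTS = {80, 443}  # a public website legitimately listens here

# Constructed sample shaped like the "portStates" list of the first command.
SAMPLE_PORT_STATES = json.dumps({"portStates": [
    {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open",
     "cidrs": [ANY_V4], "ipv6Cidrs": [ANY_V6], "cidrListAliases": []},
    {"fromPort": 80, "toPort": 80, "protocol": "tcp", "state": "open",
     "cidrs": [ANY_V4], "ipv6Cidrs": [ANY_V6], "cidrListAliases": []},
    {"fromPort": 443, "toPort": 443, "protocol": "tcp", "state": "open",
     "cidrs": [ANY_V4], "ipv6Cidrs": [ANY_V6], "cidrListAliases": []},
    {"fromPort": 3306, "toPort": 3306, "protocol": "tcp", "state": "open",
     "cidrs": [ANY_V4], "ipv6Cidrs": [], "cidrListAliases": []},
    {"fromPort": 8000, "toPort": 8100, "protocol": "tcp", "state": "open",
     "cidrs": ["203.0.113.0/24"], "ipv6Cidrs": [], "cidrListAliases": []},
]})
# Constructed sample shaped like the "relationalDatabase" object of the second.
SAMPLE_DATABASE = json.dumps({"relationalDatabase": {
    "name": "wp-db", "engine": "mysql", "publiclyAccessible": True}})


def world_open_ports(port_states_json):
    """Open port ranges reachable from any IPv4 or IPv6 source, web ports excluded."""
    found = []
    for ps in json.loads(port_states_json)["portStates"]:
        if ps.get("state") != "open":
            continue
        if ANY_V4 not in ps.get("cidrs", []) and ANY_V6 not in ps.get("ipv6Cidrs", []):
            continue  # restricted to specific source ranges: acceptable
        lo, hi = ps["fromPort"], ps["toPort"]
        if lo == hi and lo in WEB_PORTS:
            continue
        label = f"{ps['protocol']}/{lo}" if lo == hi else f"{ps['protocol']}/{lo}-{hi}"
        found.append(label)
    return found


def database_is_public(db_json):
    """True when the managed database accepts connections from the internet."""
    return bool(json.loads(db_json)["relationalDatabase"].get("publiclyAccessible"))


def audit(port_states_json, db_json):
    """Findings phrased as the remediation each Art.25 default needs."""
    findings = [
        f"{port} open to every source address: restrict the firewall rule to known CIDRs"
        for port in world_open_ports(port_states_json)
    ]
    if database_is_public(db_json):
        findings.append(
            "managed database is publiclyAccessible: switch it off "
            "(aws lightsail update-relational-database --no-publicly-accessible) "
            "and reach it over the private network only"
        )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PORT_STATES, SAMPLE_DATABASE):
        print("FINDING:", line)
```

Run it before the first deployment that touches personal data and again after every firewall change; an empty findings list is the evidence you attach to the Art.32 record for that instance. Encryption at rest and log forwarding are not visible in these two responses and still need to be checked by hand.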
EU alternatives like Hetzner Cloud require the same remediation steps; those steps address configuration, not jurisdiction. The difference is that on Hetzner, fixing the technical defaults creates a genuinely compliant deployment. On Lightsail, fixing the technical defaults still leaves you with US-jurisdiction exposure that no technical measure can resolve.
Practical Decision Matrix
| Requirement | AWS Lightsail | Hetzner Cloud | Scaleway | OVHcloud |
|---|---|---|---|---|
| EU jurisdiction | ✗ (US) | ✓ (DE) | ✓ (FR) | ✓ (FR) |
| CLOUD Act exempt | ✗ | ✓ | ✓ | ✓ |
| Art.28 DPA quality | Medium | High | High | Very High |
| Schrems II risk | High | None | None | None |
| Price (2vCPU/2GB) | ~$12/mo | €3.79/mo | €3.52/mo | €3.50/mo |
| One-click apps | ✓ | ✓ | Partial | Partial |
| Managed Database | ✓ | ✓ | ✓ | ✓ |
| Object Storage | ✓ | ✓ (S3-compat) | ✓ (S3-compat) | ✓ (S3-compat) |
| SecNumCloud | ✗ | ✗ | ✗ | ✓ |
| Encryption at rest | Configurable | Configurable | ✓ (default) | ✓ (certified) |
For most EU SMBs running web applications, Hetzner Cloud is the best Lightsail alternative: lower cost, full EU jurisdiction, comparable operational simplicity, and a straightforward Art.28 DPA.
For regulated industries (healthcare, financial services, public sector), OVHcloud's SecNumCloud qualification and ISO 27018 certification provide the compliance paper trail that auditors expect.
For multi-region EU deployments or serverless workloads, Scaleway's Warsaw and Amsterdam regions provide geographic distribution within EU jurisdiction.
Conclusion: Simplicity Without Sovereignty Is Not a Cloud Strategy
AWS Lightsail solves the wrong problem for EU businesses. It makes deploying simple but leaves complying complex. The GDPR obligations triggered by a Lightsail deployment — Art.28 processor review, Art.5(1)(e) snapshot retention, CLOUD Act exposure, Art.32 security baseline, Schrems II TIA — don't go away because the dashboard is clean and the pricing is monthly.
EU cloud providers have closed the simplicity gap. Hetzner's app images, Scaleway's developer tooling, and OVHcloud's managed services offer deployment experiences comparable to Lightsail — at lower cost, under EU jurisdiction, and without the compliance debt.
The migration from Lightsail to an EU provider is a one-time cost. The compliance debt from staying on Lightsail is ongoing.
sota.io is an EU-sovereign Platform as a Service for developers who need cloud-native deployment without US jurisdiction risk. If you're migrating off Lightsail and want a deployment experience optimised for GDPR compliance from day one — try sota.io.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.