Backblaze B2 EU Alternative 2026: An EU Region Doesn't Fix a California Jurisdiction Problem

Post #2 in the sota.io EU Object Storage Series

Backblaze B2 has become a favourite among cost-conscious developers: S3-compatible API, zero-surprise pricing ($0.006/GB/month, $0.01/GB egress), and — since 2023 — an EU-Central region in Amsterdam. For teams migrating away from AWS S3 for cost reasons, B2 looks like an obvious step: cheaper, compatible, and now apparently GDPR-friendly with EU residency.

The Amsterdam region is real. The S3-compatible API is real. What isn't real is the assumption that EU data residency solves the EU's core legal concern with US cloud: jurisdiction. Backblaze Inc. is a California corporation publicly traded on NASDAQ (BLZE). That means US federal law — including the CLOUD Act — applies to every customer relationship, every bucket, and every object, regardless of which data center stores it.

This post scores Backblaze B2 on the sota.io CLOUD Act Risk Framework (25-point scale) and documents five concrete GDPR exposure points that persist even when you select the EU-Central region. Then we compare the EU-native object storage alternatives that score 0/25.

What Is Backblaze B2 Cloud Storage?

Backblaze was founded in 2007 in San Mateo, California — originally as consumer backup software. B2 Cloud Storage launched in 2015 as the company's S3-compatible object storage product, targeting developers and small-to-mid businesses priced out of AWS.

Corporate identity:

• Legal name: Backblaze, Inc.
• Incorporation: California (not Delaware — a less common but equally US-jurisdiction choice)
• Headquarters: San Mateo, CA, USA
• Stock: NASDAQ: BLZE (IPO November 2021)
• Revenue (FY2024): ~$107 million, primarily from B2 Cloud Storage

Storage regions:

• US West: Sacramento, CA and Phoenix, AZ
• EU Central: Amsterdam, Netherlands (launched Q1 2023)

Pricing (B2 Cloud Storage):

• Storage: $0.006/GB/month
• Download (egress): $0.01/GB (vs. AWS S3 at $0.09/GB)
• API calls: $0.004 per 10,000 Class B operations
• Free daily download: 3× stored data

Compatibility: Full S3-compatible API. Existing S3 SDKs (boto3, AWS CLI, rclone) work with an endpoint change.

CLOUD Act Risk Score: 13/25

The CLOUD Act (2018) grants US federal agencies the authority to compel US persons and US-incorporated companies to disclose stored data — regardless of where that data physically sits. A US court order served to Backblaze Inc. in San Mateo can legally require disclosure of objects stored in Amsterdam.

13/25 — meaningfully lower than AWS (21/25) or Google Cloud (20/25), because Backblaze has no known government intelligence relationships and is much smaller. But the California incorporation and lack of an operationally independent EU entity mean the CLOUD Act exposure is structurally identical to any Big Tech provider.

Five GDPR Exposure Points

1. California Corporation — Federal Jurisdiction Applies EU-Wide

Backblaze Inc.'s California incorporation is not a technicality. Under the CLOUD Act, any US person or entity incorporated under US law must comply with a valid US warrant or court order for data disclosure — whether the data is in Sacramento or Amsterdam. The statute explicitly overrides data-location arguments.

Unlike a French subsidiary of a US group (which could have a separate data controller relationship), Backblaze operates its EU-Central region as a direct business line of the California parent. There is no legal firewall between the US parent and the Amsterdam infrastructure. A sealed US court order served to Backblaze's registered agent in California compels disclosure of Amsterdam-stored objects with no EU judicial review requirement.

GDPR Article 44 requires adequate protection for third-country transfers. When a US court can compel disclosure of EU-stored data, the "adequacy" of that protection is structurally undermined — precisely the argument the Austrian DSB used in the Schrems II aftermath against Google Analytics.

2. EU-Central Region Launched in 2023 — But No Corresponding EU Legal Entity

Backblaze's 2023 EU-Central launch press release highlighted GDPR benefits and named Amsterdam as the physical location. What it did not announce was the creation of a Backblaze EU subsidiary, EU data controller, or operationally independent European entity.

The data in Amsterdam is owned and controlled by Backblaze, Inc. (California). The DPA Backblaze provides customers relies on Standard Contractual Clauses (SCCs) — a mechanism the Court of Justice of the EU explicitly said is insufficient when the destination country's laws prevent compliance with the clauses (Schrems II, C-311/18, para. 202).

For EU companies processing GDPR-regulated personal data in B2 EU-Central, this creates a structural compliance gap: the contractual protections (SCCs) exist, but the underlying reality — a US entity with CLOUD Act obligations — undermines them.

3. API Endpoint and Metadata Processing

When your application uploads to a B2 EU-Central bucket, the S3-compatible API endpoint is:

s3.eu-central-003.backblazeb2.com

Object data flows to Amsterdam. But API authentication, account-level metadata, usage metrics, and billing data flow through Backblaze's US infrastructure. Your account ID, API application keys, bucket names, object counts, and bandwidth figures are processed by systems under US jurisdiction.

For GDPR purposes, this creates a secondary transfer: the metadata about your EU user data crosses to the US even when the objects stay in Amsterdam. Under GDPR Art. 4(1), "personal data" includes identifying metadata — object keys that encode user IDs, bucket names that reveal product lines, access patterns that reveal user behaviour.

4. Account Management and Support Access

Backblaze's support team is primarily US-based. When you open a support ticket, your account data — including bucket inventory, object counts, and access logs — may be reviewed by US-resident employees. GDPR Art. 29 worker processing requires that processors only act on controller instructions; but US employees accessing EU customer data may be subject to individual-level compelled disclosure through lesser instruments than CLOUD Act (such as subpoenas).

Backblaze's Terms of Service and DPA do not restrict support access to EU-resident staff or EU-jurisdiction employees.

5. No Separation from US Consumer Backup Service

Backblaze's other major product — Backblaze Personal Backup and Backblaze Computer Backup — is explicitly a US consumer product with US-based data. Backblaze B2 and the backup products share the same corporate entity, billing infrastructure, legal team, and (partially) technical infrastructure. There is no firewall between the B2 business and the consumer backup business at the legal or operational level.

This matters for GDPR Chapter V (international transfers): when assessing whether a third-party processor is appropriate, EU controllers must consider the "effective legal remedies" available and the "overall legal context" of the processor's home country. Backblaze's dual business creates an additional surface: if US authorities target the personal backup business (e.g., for CSAM investigations), the legal infrastructure developed there applies equally to the B2 business.

EU-Native Object Storage Alternatives: 0/25

These providers are incorporated in EU member states with no US parent companies, no US investor control, and data centers entirely within the EU. Under the CLOUD Act, they cannot be compelled to disclose data because they are not US persons.

Hetzner Object Storage

Score: 0/25 | Price: €0.0115/GB/month

Hetzner Online GmbH is headquartered in Gunzenhausen, Bavaria, Germany. Founded 1997. Privately held by the Hetzner family. No US ownership, no US-listed parent.

• S3-compatible API (Hetzner uses s3.eu-central-003.hetznercloud.com)
• Data centers: Falkenstein DE, Nürnberg DE, Helsinki FI
• Pricing: €0.0115/GB storage, no egress fees within Hetzner network, €0.01/GB public egress
• IAM: bucket-level policies, access keys
• Migration: boto3 endpoint override, rclone remote, standard S3 tooling

Migration from B2 EU-Central:

import boto3

# Before: Backblaze B2 EU-Central
b2_client = boto3.client('s3',
    endpoint_url='https://s3.eu-central-003.backblazeb2.com',
    aws_access_key_id='YOUR_B2_KEY_ID',
    aws_secret_access_key='YOUR_B2_APP_KEY',
    region_name='eu-central-003'
)

# After: Hetzner Object Storage
hetzner_client = boto3.client('s3',
    endpoint_url='https://s3.eu-central-003.hetznercloud.com',
    aws_access_key_id='YOUR_HETZNER_ACCESS_KEY',
    aws_secret_access_key='YOUR_HETZNER_SECRET_KEY',
    region_name='eu-central-003'
)

Scaleway Object Storage

Score: 0/25 | Price: €0.015/GB/month

Scaleway SAS is a subsidiary of Iliad SA (Paris, France, CAC 40). Iliad is majority-owned by Xavier Niel, a French entrepreneur. No US parent or investor control.

• S3-compatible API (s3.nl-ams.scw.cloud, s3.fr-par.scw.cloud, s3.pl-waw.scw.cloud)
• Data centers: Amsterdam NL, Paris FR, Warsaw PL
• IAM: organization-level, project-level access control with policy inheritance
• Lifecycle rules, multipart upload, server-side encryption (SSE-C, SSE-S3)
• Price: €0.015/GB storage, €0.01/GB egress after 75 GB/month free

OVHcloud Object Storage

Score: 1/25 | Price: €0.0085/GB/month

OVH SAS is headquartered in Roubaix, France. Founded 1999. Public (Euronext Paris: OVH) but majority family-held (Klaba family). No US parent.

The 1/25 score reflects a small US investor presence (US institutional shareholders post-IPO) that creates a theoretical CLOUD Act hook — but OVH has no US-incorporated subsidiaries and the US institutional ownership does not create a CLOUD Act obligation.

• Swift API + S3-compatible API
• Data centers: Gravelines FR, Roubaix FR, Strasbourg FR, Frankfurt DE, Warsaw PL, Beauharnois CA (avoid for EU use)
• Price: €0.0085/GB storage, €0.011/GB egress — cheapest EU-native option at 10TB scale
• 10TB/month: storage €85/month vs B2 EU-Central $60/month, but zero jurisdiction risk

MinIO Self-Hosted

Score: 0/25 | Price: infrastructure only

MinIO is an open-source, Apache 2.0-licensed S3-compatible object store. Deployed on any EU cloud (Hetzner, Scaleway, OVH, any EU VPS) under your full control.

# Deploy MinIO on Hetzner CX21 (€5.83/mo, 2vCPU 4GB RAM, 40GB SSD)
docker run -d --name minio \
  -e MINIO_ROOT_USER=admin \
  -e MINIO_ROOT_PASSWORD=secure-password-here \
  -p 9000:9000 -p 9001:9001 \
  -v /data/minio:/data \
  quay.io/minio/minio server /data --console-address ":9001"

For production: MinIO Operator on Kubernetes, distributed mode (4+ nodes), TLS, erasure coding.

Cost Comparison at Scale (10TB Stored, 1TB Egress/Month)

*Within Hetzner/OVH network; public egress rates apply for external traffic. **After 75 GB/month free tier.

Backblaze B2 EU-Central is genuinely cheaper than Scaleway for pure storage cost. The gap narrows significantly against OVHcloud. MinIO self-hosted beats all on raw cost but adds operational overhead. The decision is not purely on price — it is on whether $70/month of B2 is worth the 13/25 CLOUD Act exposure for your EU users' data.

GDPR Compliance Assessment

For EU companies processing GDPR-regulated personal data:

Backblaze B2 EU-Central:

• ✅ EU data residency (Amsterdam physical location)
• ✅ DPA available with SCCs
• ❌ US-incorporated parent (CLOUD Act applies)
• ❌ No EU legal entity as data controller
• ❌ Metadata processed in US
• ❌ SCCs insufficient without adequate protection (Schrems II)

Verdict: B2 EU-Central provides geographic data residency but not legal data sovereignty. For processing under GDPR Art. 44, the SCC-based DPA is likely insufficient if a supervisory authority applies the Schrems II framework to assess actual CLOUD Act exposure.

For NIS2 (Directive 2022/2555) obligated entities: Essential and important entities in critical infrastructure sectors should treat CLOUD Act-exposed US cloud providers as elevated risk. NIS2 Art. 21 requires documented supply chain risk management — B2's 13/25 score should be documented and accepted as a residual risk or mitigated by migration.

Migration Checklist: B2 → EU-Native Object Storage

Week 1: Audit

• Inventory all B2 buckets (region, size, object count)
• Identify bucket contents: personal data per GDPR Art. 4(1)?
• Map application integrations (boto3, rclone, direct SDK)
• Assess: EU-Central or US-West buckets? (US-West: migrate first)

Week 2: Target Setup

• Create Hetzner/Scaleway/OVH account
• Create target buckets with matching lifecycle policies
• Configure IAM policies matching existing B2 permissions
• Test S3-compatible endpoint with your SDK version

Week 3: Migration

# rclone sync from B2 EU-Central to Hetzner
rclone sync \
  --config rclone.conf \
  b2:your-eu-bucket \
  hetzner:your-hetzner-bucket \
  --progress \
  --transfers 16 \
  --checkers 32 \
  --b2-chunk-size 96M

# rclone.conf
[b2]
type = b2
account = YOUR_B2_KEY_ID
key = YOUR_B2_APP_KEY

[hetzner]
type = s3
provider = Other
access_key_id = YOUR_HETZNER_KEY
secret_access_key = YOUR_HETZNER_SECRET
endpoint = s3.eu-central-003.hetznercloud.com
region = eu-central-003

Week 4: Cutover

• Update application endpoint configuration
• Blue-green validation (parallel read from both for 48h)
• Monitor error rates (S3 404s, permission errors)
• Update DPA references in privacy documentation
• Decommission B2 buckets after 30-day retention

The Series: EU Object Storage 2026

Summary

Backblaze B2 EU-Central (Amsterdam) delivers genuine cost savings and genuine EU data residency. It does not deliver legal data sovereignty. As a California corporation listed on NASDAQ, Backblaze Inc. is subject to the CLOUD Act — meaning a sealed US court order can compel disclosure of your EU-stored objects without notifying you or requiring EU judicial approval.

CLOUD Act score: 13/25 — lower than AWS or Google because Backblaze has no documented government intelligence relationships and no PRISM participation, but structurally identical in terms of US jurisdiction exposure.

For EU teams where GDPR Art. 44 compliance is a genuine requirement — not a checkbox — the migration to Hetzner Object Storage (0/25, €0.0115/GB), OVHcloud (1/25, €0.0085/GB), or self-hosted MinIO (0/25) eliminates the jurisdictional exposure. The S3-compatible API means the migration is a configuration change, not a code rewrite.

For teams where cost is the primary driver and CLOUD Act exposure is an accepted residual risk: B2 EU-Central is a defensible choice with a documented DPA and SCC framework. Document the risk acceptance in your GDPR Article 30 records and your NIS2 supply chain risk assessment.

sota.io publishes EU cloud sovereignty analysis for engineering and compliance teams. For questions about GDPR data transfer assessments, contact your EU-based legal counsel.