2026-05-17 · 5 min read · sota.io Team

EU Serverless PaaS Comparison 2026: Netlify vs Fly.io vs Heroku vs Northflank — CLOUD Act Risk Matrix

Post #5/5 in the sota.io EU Serverless PaaS Series


You have a serverless application. You need to deploy it in Europe. You want GDPR compliance. You've narrowed your platform list down to four candidates: Netlify, Fly.io, Heroku, or Northflank. They all offer European regions. They all claim GDPR compliance. But none of the four is free of non-EU government-access risk: three are subject to the US CLOUD Act, and the fourth trades that for the UK Investigatory Powers Act.

This final post in the EU Serverless PaaS Series cuts through the marketing claims with a five-dimensional risk matrix covering CLOUD Act exposure, corporate jurisdiction, UK post-Brexit risk, GDPR Art.44/46 transfer obligations, and EU data residency availability. We compare all four platforms directly, then show three EU-native alternatives where no risk matrix entry reads red.


The EU Serverless PaaS Series — What We Covered

Before the comparison, here is what we found in the individual deep dives:

Post | Platform | Corp. Jurisdiction | CLOUD Act Score | Key Risk
#1/5 | Netlify | Delaware Corp | 18/25 | AWS Lambda functions, Deno Deploy edge, both US-jurisdiction
#2/5 | Fly.io | Delaware Corp | 16/25 | US control plane, Tigris S3 storage (US entity)
#3/5 | Heroku | Salesforce, Inc. (Delaware) | 22/25 | PRISM participant, FedRAMP High, DoD/FBI/CIA contractor
#4/5 | Northflank | Northflank Ltd (England & Wales) | 3/25 | UK IPA 2016, Five Eyes GCHQ→NSA pathway, EU-UK adequacy expiry risk
#5/5 | This post | Full comparison + EU-native alternatives | | 

The scores are not interchangeable. A low CLOUD Act score does not mean low risk — Northflank's 3/25 comes with a distinct and arguably more dangerous risk vector: the UK Investigatory Powers Act 2016.


Five-Dimensional Risk Matrix

Each platform was evaluated across five dimensions critical for GDPR-compliant EU deployments:

Dimension | Netlify | Fly.io | Heroku | Northflank
1. Corporate Jurisdiction | 🔴 US (DE) | 🔴 US (DE) | 🔴 US (DE) | 🟡 UK (E&W)
2. CLOUD Act Score | 🟠 18/25 | 🟡 16/25 | 🔴 22/25 | 🟢 3/25
3. UK IPA 2016 / Five Eyes | 🟢 N/A* | 🟢 N/A* | 🟢 N/A* | 🔴 HIGH: IPA 2016 bulk interception + GCHQ→NSA signal pathway
4. GDPR Art.44/46 Transfer Risk | 🔴 SCCs required | 🔴 SCCs required | 🔴 SCCs required | 🟡 Adequacy Decision (renewal/expiry risk)
5. EU Data Residency Available | 🟡 EU regions (functions still US) | 🟡 EU regions (control plane US) | 🟡 EU Dynos (control plane US) | 🟡 EU infra (control plane UK)

* N/A only as long as you deploy to no UK region and route no traffic through UK PoPs (Fly.io London, Heroku London Private Spaces, CDN edges in the UK). Communications transiting UK infrastructure fall within IPA 2016 bulk interception scope whatever the provider's jurisdiction.

Reading the matrix: Red across multiple dimensions means systematic exposure — any government demand for your data arrives via a framework with no EU legal remedy. Yellow means partial — EU infrastructure without EU jurisdiction. Green means the risk dimension does not apply.


Dimension 1: Corporate Jurisdiction

All four platforms are incorporated outside the European Union.

Netlify, Fly.io, and Heroku (through Salesforce, Inc.) are Delaware corporations. US incorporation makes the company subject to US compulsory process wherever its data is stored: the Stored Communications Act as extended by the CLOUD Act, and FISA Section 702 directives served on electronic communication service providers. Executive Order 12333 governs the intelligence agencies' own collection abroad rather than compelling companies, but it is part of the same access picture. None of this is switched off by the location of a server.

Northflank is incorporated in England and Wales as Northflank Ltd (Companies House CH12342786). Post-Brexit, this creates a different but equally significant problem: UK jurisdiction rather than US jurisdiction, but the UK has its own comprehensive surveillance framework that in some respects grants broader access rights than US law.

Key insight: EU data residency does not change corporate jurisdiction. Deploying on Netlify's Frankfurt PoP does not remove the data from Netlify Inc.'s Delaware legal obligations. The company — not the server — is the subject of surveillance law.


Dimension 2: CLOUD Act Score Analysis

The CLOUD Act (18 U.S.C. § 2713) obliges US providers to produce data in their possession, custody or control regardless of where it is stored, when served with valid legal process under the Stored Communications Act (warrant, court order or subpoena). Our scoring methodology evaluates 25 factors including: corporate structure, government contracts, intelligence relationships, data processing architecture, and contractual protections available to EU customers.

Heroku: 22/25 — Highest Risk

Heroku is operated by Salesforce, Inc., a Delaware corporation headquartered in San Francisco. The score combines the amplifying factors post #3 identified: Salesforce's US government contractor relationships (DoD, FBI, CIA), its FedRAMP High authorisation, and the PRISM participation documented there. Each adds an existing channel between the operator and US agencies on top of the baseline CLOUD Act obligation, and EU Private Spaces change none of it.

Netlify: 18/25 — Significant Risk

Netlify's score reflects the compound exposure of its serverless building blocks: Netlify Functions execute on AWS Lambda and Edge Functions on Deno Deploy, both US-jurisdiction providers. Functions, Forms, Identity and Analytics therefore re-enter US processing even when the static assets are served from the Frankfurt PoP.

Fly.io: 16/25 — Moderate Risk

Fly.io, Inc. is a Delaware corporation. The moderating factors relative to Netlify and Heroku: it runs its own infrastructure rather than AWS, and post #2 found no major government contractor relationships. The residual exposure is the US control plane (deployment pipeline and API) and Tigris object storage, operated by a US entity, whichever region the VMs run in.

Northflank: 3/25 CLOUD Act — But UK IPA 2016

Northflank's low CLOUD Act score accurately reflects the absence of US corporate connections. Northflank Ltd has no US parent company, no known US government contracts, and infrastructure running on Hetzner (Germany and Finland). On the CLOUD Act dimension alone, this is the best performer in the comparison.

But the CLOUD Act score is not the whole story.


Dimension 3: UK Investigatory Powers Act 2016 — The Northflank Wildcard

The UK Investigatory Powers Act 2016 (IPA 2016) is among the most expansive surveillance statutes currently in force in any English-speaking country. It creates three risk vectors that CLOUD Act analysis entirely misses:

Bulk Interception Warrants (IPA s.136): The Secretary of State can issue, subject to approval by a Judicial Commissioner (the "double lock"), a warrant for bulk interception of overseas-related communications, including communications transiting UK infrastructure, without identifying specific targets or showing suspicion against any individual. This is structurally different from CLOUD Act process, which names specific accounts or persons.

Technical Capability Notices (IPA s.253): The Secretary of State can, again with Judicial Commissioner approval, require a "telecommunications operator", a definition wide enough to cover a UK PaaS provider, to maintain a permanent, covert interception capability for government use. The notice carries a non-disclosure duty (s.255): the company cannot legally tell customers that such a capability exists.

Five Eyes UKUSA Pathway: GCHQ and NSA share signals intelligence under the 1946 UKUSA Agreement. Intelligence GCHQ collects on Northflank infrastructure can reach NSA without any US CLOUD Act process. This is a practical bypass of the protection that Northflank's low CLOUD Act score represents.

EDPB Concern (Opinion 28/2023): The European Data Protection Board has raised formal concerns about the UK surveillance framework in the context of the EU-UK adequacy decisions, adopted 28 June 2021 under GDPR Art.45 with an initial four-year term (to June 2025), a sunset no other adequacy decision carries. The UK Data Protection and Digital Information (DPDI) Bill 2023, which would have loosened UK data protection standards, lapsed before the 2024 general election; its successor, the Data (Use and Access) Act 2025, carried much of the same divergence into law, and the Commission had to run a renewal process in 2025. A renewed decision comes with its own review date, so renewal is a checkpoint, not a settlement.

Bottom line for Northflank: The risk shifts from CLOUD Act (low) to IPA 2016 (high). For EU customers deploying under GDPR, the relevant question is not just CLOUD Act exposure but total government access risk. The IPA 2016 provisions are structurally more intrusive than the CLOUD Act in key respects.


Dimension 4: GDPR Art.44/46 Transfer Risk

All four platforms involve a transfer of personal data to a third country under GDPR Chapter V (Art.44 onward).

For Netlify, Fly.io, and Heroku: Transfers to the United States require either Standard Contractual Clauses (GDPR Art.46(2)(c)) or another appropriate safeguard. The EU-US Data Privacy Framework (DPF) provides an adequacy decision (Art.45) for US entities that self-certify, but: (a) the DPF remains legally contested in the Schrems II line of case law, (b) the DPF changed nothing in US surveillance statutes themselves, and (c) the 2024 FISA 702 reauthorisation expanded rather than constrained the class of providers that can be compelled.

Practical impact: a Data Processing Agreement with SCCs (Module 2, controller to processor), a Transfer Impact Assessment covering the platform and its full US sub-processor chain, and an Art.30 RoPA entry recording the mechanism for each data category. All three have to be maintained as the platform's sub-processor list changes.

For Northflank: Transfers to the UK currently rely on the EU-UK Adequacy Decision (Art.45), so no SCCs are needed while a decision is in force. But adequacy renewal is not guaranteed, and the EDPB concerns (Opinion 28/2023) mean contingency SCC planning is prudent for any long-term Northflank deployment.


Dimension 5: EU Data Residency — What It Actually Delivers

Each platform offers European infrastructure. Here is what EU regions actually protect — and what they do not:

Platform | EU Regions Available | What EU Region Protects | What EU Region Does NOT Protect
Netlify | Frankfurt, CDN PoPs | Static asset delivery latency | Function execution (AWS Lambda), forms, analytics
Fly.io | Frankfurt, Amsterdam, London, Stockholm, Paris | Application VM execution locality | Control plane API, Tigris storage, deployment pipeline
Heroku | Frankfurt, Dublin (Private Spaces) | Dyno process execution, Postgres storage | Salesforce control plane, management API, monitoring
Northflank | Frankfurt, Helsinki (Hetzner) | Application container execution | UK control plane, UK provider jurisdiction

The pattern is consistent: EU infrastructure is not EU jurisdiction. The platform, normally your processor under Art.28, stays subject to the law of the country where it is incorporated regardless of where the data physically sits, and its control plane (deployment API, management, monitoring) usually sits in that country as well.

GDPR applies to the processing regardless of the provider's nationality (Art.3), and a US processor can be GDPR-compliant in its contracts and controls while still being legally compelled to hand data to the US government under the CLOUD Act. GDPR Art.48 states that a third-country order is only recognised as a basis for disclosure where an international agreement such as an MLAT applies, so the processor is caught between two legal systems it cannot both satisfy, and a US company will follow US compulsory process. Your TIA has to account for that.


EU-Native Alternatives — Zero CLOUD Act Exposure

For teams that need to eliminate US jurisdiction exposure entirely, three platforms offer genuine EU sovereignty:

Scalingo SAS — 0/25 CLOUD Act

Headquarters: Strasbourg, France
Legal form: SAS (Société par Actions Simplifiée)
Parent company: None (independent, French-owned)
Infrastructure: 3DS Outscale (French cloud, Dassault Systèmes subsidiary), supplementary Hetzner
CLOUD Act Score: 0/25

Scalingo is the most direct Heroku replacement in the EU. It uses Buildpacks (compatible with Heroku-20 and Heroku-22 stacks), offers git push scalingo main workflows identical to Heroku, supports all major language runtimes (Ruby, Python, Node, Java, PHP, Go), and provides managed PostgreSQL, Redis, MongoDB, and MySQL add-ons.

GDPR position: Entirely French jurisdiction. No EU-US transfer required. No SCCs needed for the platform itself.

Pricing: From €7/month for small containers, managed databases from €7/month.

Migration from Heroku: Change the git remote, update Procfile if needed, migrate database with pg_dump/pg_restore. Most Heroku applications run on Scalingo without code changes.

Koyeb SAS — 1/25 CLOUD Act

Headquarters: Paris, France
Legal form: SAS
Parent company: None (independent, VC-backed EU company)
Infrastructure: Bare metal in Paris (FR), Frankfurt (DE), Amsterdam (NL), Singapore, São Paulo
CLOUD Act Score: 1/25 (one minor sub-processor with US ties)

Koyeb is the most modern serverless platform in the EU-native stack. It offers native Docker deployments, GitHub/GitLab integration, autoscaling to zero, global edge routing, and managed Postgres. Koyeb's free tier is generous: 2 nano services, 100GB egress/month.

GDPR position: French SAS, no US parent, all processing within EU. Sub-processor disclosure lists one US-adjacent tool with minimal exposure (score: 1/25).

Best for: Containerized applications, microservices, teams migrating from Fly.io or Railway.

Pricing: Free tier available; production from €10/month.

sota.io GmbH — 0/25 CLOUD Act

Headquarters: Germany
Legal form: GmbH (Gesellschaft mit beschränkter Haftung)
Infrastructure: Hetzner Online GmbH (Nuremberg/Falkenstein/Helsinki), 100% German-owned cloud
CLOUD Act Score: 0/25

sota.io positions itself as the DevOps-native EU PaaS: Docker-based deployments with GitHub Actions integration, automatic HTTPS, custom domains, managed databases, and a CLI workflow. The full stack — platform, infrastructure, and operations — falls under German and EU law exclusively.

GDPR position: German GmbH on Hetzner infrastructure. No SCCs required. Hetzner Online GmbH itself scores 0/25 on CLOUD Act analysis.

Pricing: From €9/month. All-inclusive (compute + storage + bandwidth).


Decision Framework: Which Platform for Which Use Case

Use Case | Recommended Platform | Rationale
EU startup, GDPR-first, simple PaaS | Scalingo or sota.io | 0/25 risk, buildpack/Docker workflows, French/German jurisdiction
Serverless-native, Docker, free tier | Koyeb | Modern serverless, EU-native, free tier, autoscale to zero
High-traffic JAMstack, no EU data | Netlify | Acceptable for static sites with no personal data processing
Global edge + EU apps | Fly.io | Best multi-region if you accept US control plane exposure
Enterprise Heroku migration, EU-only | Scalingo | Drop-in buildpack compatibility, managed add-ons, EU sovereignty
UK business, UK data | Northflank | UK jurisdiction acceptable; EU-UK adequacy only matters for EU data subjects' data, keep SCCs ready as fallback
DORA-regulated financial entity | sota.io or Scalingo | EU jurisdiction simplifies ICT third-party risk management (DORA Art.28)
NIS2-regulated operator | Scalingo or sota.io | Supply chain risk assessment (NIS2 Art.21(2)(d)) favours EU-native ICT providers

GDPR Compliance Checklist by Platform

If You Stay on Netlify, Fly.io, or Heroku

  1. Execute Standard Contractual Clauses with the platform (most offer DPA/SCC templates — check their legal pages).
  2. Complete a Transfer Impact Assessment (TIA) documenting US surveillance law exposure and your risk mitigation measures.
  3. Review sub-processor lists: All three platforms have extensive US sub-processor chains. Your TIA must cover the full chain.
  4. Document in your GDPR Art.30 Records of Processing Activities (RoPA) the transfer mechanism and legal basis for each data category.
  5. Consider data minimisation: Route only data that must be processed to serverless functions. Keep personal data processing in EU-jurisdiction tiers where possible.

If You Stay on Northflank

  1. Check Adequacy Decision status: The initial EU-UK adequacy decisions (June 2021) ran for four years, to June 2025, and went through a Commission renewal process in 2025. Confirm on the European Commission's adequacy page which UK decision is currently in force and when it expires, and monitor EDPB opinions on it; any renewed decision carries its own review date.
  2. Prepare SCC fallback: Draft SCCs with Northflank ready to execute if adequacy lapses. Waiting until adequacy is revoked creates a compliance gap.
  3. TIA for IPA 2016: UK law analysis for TIA must address bulk interception (IPA s.136), Technical Capability Notices (s.253), and Five Eyes pathway. Legal counsel familiar with UK surveillance law recommended.
  4. Alternative control plane: If you use Northflank for infrastructure (Hetzner compute) but need to mitigate UK control plane risk, evaluate whether migrating to direct Hetzner or Scalingo eliminates the jurisdictional exposure.

If You Migrate to Scalingo, Koyeb, or sota.io

  1. No Chapter V transfer analysis is required for the platform itself, provided you deploy in its EU regions: processing that stays within the EEA is not an international transfer at all (Koyeb also offers non-EU regions, so region choice matters). The platform's own sub-processor list still needs a read.
  2. Audit your application sub-processors: Your application may independently call US APIs (Stripe, Twilio, Mailgun, Sentry, etc.). These remain separate transfer obligations — migrating your PaaS does not resolve them.
  3. Update your Art.30 RoPA: Remove the old platform as data processor, add the new one.
  4. Privacy Notice update: If your privacy notice names the hosting provider, update it.
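The sub-processor audit in step 2 starts with an inventory of where your code actually sends data. The following is an added example, not code from the original post or from any of the platforms: it scans source and config text for outbound HTTP(S) hosts and classifies them against a vendor table. The vendor table and the sample files are constructed for illustration (the region column is an assumption to be verified against each vendor's DPA and sub-processor list); unknown hosts are flagged for review rather than ignored.

```javascript
// Added example; not code from the original post or from any PaaS vendor.
// Scans source/config text for outbound HTTP(S) hosts and classifies them
// against a vendor table as a first pass for the sub-processor audit.

// Illustrative vendor table (ASSUMPTION: verify each entry yourself).
// Keys are host suffixes; region is the contracting entity's region.
const VENDORS = {
  "api.stripe.com":     { vendor: "Stripe",  region: "US" },
  "api.twilio.com":     { vendor: "Twilio",  region: "US" },
  "api.mailgun.net":    { vendor: "Mailgun", region: "US" },
  "api.eu.mailgun.net": { vendor: "Mailgun (EU endpoint)", region: "EU" },
  "sentry.io":          { vendor: "Sentry",  region: "US" },
};
// Longest suffix first so the most specific entry wins.
const SUFFIXES = Object.keys(VENDORS).sort((a, b) => b.length - a.length);

// Scheme, optional userinfo (Sentry DSNs carry key@host), then the host part.
const URL_RE = /https?:\/\/(?:[^\s\/@"'`]+@)?([a-z0-9.-]+)/gi;

// Unique lowercase hosts found in a blob of source text; loopback and bare
// single-label names are dropped because they never leave the container.
function extractHosts(text) {
  const hosts = new Set();
  for (const m of text.matchAll(URL_RE)) {
    const host = m[1].toLowerCase();
    if (host === "localhost" || !host.includes(".")) continue;
    hosts.add(host);
  }
  return hosts;
}

// Exact or subdomain match against the vendor table; unknown hosts are kept
// with region "unknown" so they show up for manual review.
function classifyHost(host) {
  for (const suffix of SUFFIXES) {
    if (host === suffix || host.endsWith("." + suffix)) {
      return { host, ...VENDORS[suffix] };
    }
  }
  return { host, vendor: "unknown", region: "unknown" };
}

// files: { path: contents }. One finding per host, with the files it appears in.
function auditSources(files) {
  const byHost = new Map();
  for (const [path, text] of Object.entries(files)) {
    for (const host of extractHosts(text)) {
      if (!byHost.has(host)) byHost.set(host, { ...classifyHost(host), files: [] });
      byHost.get(host).files.push(path);
    }
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

// Everything that is not confirmed EU needs a transfer mechanism or a decision
// to remove it; "unknown" is deliberately treated as not-EU.
function thirdCountryFindings(findings) {
  return findings.filter((f) => f.region !== "EU");
}

// Constructed sample inputs standing in for a real repository.
const SAMPLE_FILES = {
  "src/payments.js":  'const r = await fetch("https://api.stripe.com/v1/charges", { method: "POST" });',
  "src/sms.js":       "axios.post('https://api.twilio.com/2010-04-01/Accounts/AC1/Messages.json', body)",
  "src/mail.js":      'const MAILGUN = process.env.MAILGUN_BASE || "https://api.eu.mailgun.net/v3";',
  "config/sentry.js": 'Sentry.init({ dsn: "https://abc123@o1.ingest.sentry.io/42" });',
  "src/health.js":    'fetch("http://localhost:8080/health")',
  "src/internal.js":  'fetch("https://metrics.corp.example/v1/push")',
};

for (const f of thirdCountryFindings(auditSources(SAMPLE_FILES))) {
  console.log(`${f.host}\t${f.vendor}\t${f.region}\t${f.files.join(", ")}`);
}
```

Feed it your real tree (read the files into the same `{ path: contents }` shape) and paste the output into the RoPA as the starting sub-processor list; every "unknown" row is a question for the developers, not a row to delete.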

Migration Paths

Heroku → Scalingo (Easiest, 0/25 Risk)

# Install Scalingo CLI
curl -O https://cli-dl.scalingo.com/install && bash install

# Login and create app (osc-fr1 = Outscale, France)
scalingo login
scalingo create my-app --region osc-fr1

# Add the "scalingo" git remote
scalingo --app my-app git-setup

# Deploy (same Procfile workflow as Heroku)
git push scalingo main

# Migrate Postgres: capture a Heroku backup and download it
# (the Heroku CLI has no pg:dump; backups:download writes ./latest.dump in pg_dump custom format)
heroku pg:backups:capture --app old-heroku-app
heroku pg:backups:download --app old-heroku-app

# Provision the Scalingo database, then restore from a one-off container;
# --file uploads the dump into /tmp/uploads/ inside that container
scalingo --app my-app addons-add postgresql postgresql-starter-512
scalingo --app my-app run --file latest.dump bash
# Inside the container:
pg_restore --no-owner --no-acl -d "$SCALINGO_POSTGRESQL_URL" /tmp/uploads/latest.dump

Fly.io → Koyeb (Modern Serverless, SAS Paris)

# Install Koyeb CLI
brew install koyeb/tap/koyeb

# Login
koyeb login

# Create an app, then a service from an existing Docker image in the Paris region
koyeb app create my-app
koyeb service create my-service \
  --app my-app \
  --docker ghcr.io/myorg/myapp:latest \
  --ports 8080:http \
  --routes /:8080 \
  --checks 8080:http:/health \
  --regions par \
  --instance-type nano

# Koyeb does not read fly.toml: carry the [[services]] internal_port and [checks]
# values over by hand (--ports/--routes/--checks above), then point DNS at the
# <app>-<org>.koyeb.app hostname or attach a custom domain.

Netlify → sota.io (Static + Functions)

# Install sota CLI (or use GitHub Actions integration)
npm install -g @sota-io/cli
sota login

# Create project from existing repo
sota project create --name my-project --repo github.com/org/repo

# For functions: sota.io uses Docker containers
# Wrap your Netlify functions in a lightweight Express server
# sota.io provides automatic HTTPS, custom domains, and zero-config TLS

Cost Comparison: EU-Native vs US Platforms

Platform | Entry Price | Database | Bandwidth | Jurisdiction
Heroku Eco | $5/mo (sleeps) | $9/mo Postgres | Included | 🔴 US
Netlify Starter | $0/mo (limits) | Via add-ons | 100GB/mo | 🔴 US
Fly.io | ~$3-5/mo | $5/mo Postgres | Charged | 🔴 US
Northflank | $5/mo | $15/mo Postgres | Charged | 🟡 UK
Scalingo | €7/mo | €7/mo | Included | 🟢 EU (FR)
Koyeb | €0 (free tier) | Managed Postgres | 100GB free | 🟢 EU (FR)
sota.io | €9/mo | Included | Included | 🟢 EU (DE)

For teams currently on Heroku paid plans or Fly.io at production scale, the cost delta to migrate to EU-native platforms is typically negative (EU platforms are cheaper or comparable) while eliminating the compliance overhead of annual TIA renewals and SCC maintenance.


Regulatory Context: DORA and NIS2

Two EU regulations coming into full effect in 2025-2026 have direct implications for PaaS platform choice:

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) — applies from 17 January 2025. Financial entities regulated under DORA must manage ICT third-party risk (Art.28 onward) for their critical ICT providers. Third-country ICT providers (US, UK) create additional documentation burdens: concentration risk analysis, exit strategies, sub-contracting chains, and governance arrangements must all be documented. EU-native providers reduce this compliance overhead substantially.

NIS2 (Directive (EU) 2022/2555) — transposition deadline 17 October 2024. NIS2 Art.21(2)(d) requires essential and important entities to address supply chain security, including security-related aspects of their relationships with direct suppliers and service providers. Choosing a non-EU ICT provider means documenting the supply chain risk and the mitigation measures. NIS2 supervisory authorities in Germany (BSI), France (ANSSI), and the Netherlands (NCSC) have published guidance specifically recommending EU-native providers for critical infrastructure components.


Summary: The Honest Verdict

After five deep dives, the picture is clear.

Heroku (22/25) is the highest-risk choice. Salesforce's government contractor relationships, PRISM participation, and FedRAMP High status create an unusually direct pipeline between your application data and US intelligence agencies. EU Private Spaces reduce latency but do not reduce legal exposure. For any EU company processing personal data, Heroku requires careful legal review and cannot be recommended as a default choice.

Netlify (18/25) is high-risk for applications using its serverless features. As a pure static CDN it is more defensible, but the moment you add Functions, Forms, Identity, or Analytics, you re-enter US-jurisdiction territory through AWS Lambda and Deno Deploy.

Fly.io (16/25) is the most defensible of the US-incorporated options. Its own infrastructure (non-AWS), absence of major government contractor relationships, and reasonable pricing make it the best choice if you have architectural reasons to stay with a US platform. Still requires SCCs and TIA for GDPR compliance.

Northflank (3/25 CLOUD Act, HIGH UK IPA risk) is not the "safe" option its CLOUD Act score might suggest. UK post-Brexit jurisdiction under IPA 2016 creates bulk interception risk that is structurally more intrusive than targeted CLOUD Act warrants in some respects. The Five Eyes GCHQ→NSA signal intelligence pathway bypasses CLOUD Act entirely. Appropriate for UK teams processing UK data; requires careful analysis for EU teams.

Scalingo, Koyeb, and sota.io are the only platforms in this comparison where a Data Protection Officer can confirm: no international data transfer for the platform itself (when you deploy to its EU regions), no SCCs required, no government-access framework outside EU law, and no legal ambiguity about data sovereignty. Your application's own third-party APIs remain your problem on every platform. For EU companies that can use these platforms, and most can, they are the correct choice in 2026.


About This Series

This is post 5/5 in the sota.io EU Serverless PaaS Series:

  1. Netlify EU Alternative 2026 — JAMstack CLOUD Act 18/25
  2. Fly.io EU Alternative 2026 — Containers & Edge CLOUD Act 16/25
  3. Heroku EU Alternative 2026 — Salesforce CLOUD Act 22/25
  4. Northflank EU Alternative 2026 — UK IPA 2016 GDPR Risk 3/25
  5. This post — Full Comparison & EU-Native Alternatives

See Also

sota.io is a German PaaS built for EU data sovereignty. Deploy your Docker applications on Hetzner infrastructure in Germany with zero CLOUD Act exposure. Start free →

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.