Grafana Cloud EU Alternative 2026: Delaware C-Corp, CLOUD Act Exposure for Metrics/Logs/Traces, GDPR Observability Risk
Post #2 in the sota.io EU Monitoring Tools Series
Grafana began as a single open-source dashboard tool, created in 2014 by Torkel Ödegaard, a Swedish developer who wanted a better way to visualise Graphite metrics. The project grew into one of the most widely used observability frontends in the world, adopted by CERN, Bloomberg, PayPal, and tens of thousands of organisations running self-hosted infrastructure. For years, "Grafana" meant a file you deployed on your own server, where you owned your data and controlled your dashboards. That story has substantially changed.
Today, Grafana Labs, Inc. is a Delaware C-Corp backed by GIC (Singapore's sovereign wealth fund), Sequoia Capital, and Lead Edge Capital. The company offers Grafana Cloud, a fully managed observability platform covering metrics (Mimir), logs (Loki), traces (Tempo), profiling (Pyroscope), and front-end monitoring. Grafana Cloud is a US-controlled SaaS service. For European engineering teams, the distinction between the open-source project and the commercial cloud product is the most important compliance fact in this analysis.
Grafana Labs Corporate Structure
| Attribute | Value |
|---|---|
| Legal Entity | Grafana Labs, Inc. |
| Incorporation | Delaware C-Corp |
| Global HQ | San Francisco, CA, USA |
| EU Office | Stockholm, Sweden (engineering) |
| Founder | Torkel Ödegaard (Swedish citizen) |
| Notable Investors | GIC, Sequoia Capital, Lead Edge Capital |
| Valuation | ~$6B (2021 Series D) |
| Key Products | Grafana Cloud, Grafana OSS, Mimir, Loki, Tempo |
Grafana Labs has engineering offices in Stockholm and other European cities, and several of its core products originated as open-source projects under permissive licences. None of this changes the legal entity. Grafana Labs, Inc. is the data controller for Grafana Cloud, and it is incorporated in Delaware. The US Stored Communications Act (18 U.S.C. § 2703) and the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) apply to the company regardless of where customer data is physically stored.
The Swedish engineering presence is a development team, not an independent legal entity with data controller authority over customer observability data. The contract is with the US parent.
The Grafana OSS vs Grafana Cloud Distinction: The Compliance Fork
This is the most important section of this post. Many European teams run Grafana and assume compliance because they associate the name with the open-source project. The compliance picture splits sharply at the point of deployment:
Grafana OSS (Self-Hosted): No CLOUD Act Exposure
If you deploy Grafana OSS on EU infrastructure — Hetzner, OVHcloud, Scaleway, Ionos, or your own servers — Grafana Labs never receives your data. The software is Apache 2.0 licensed. The company has no access to your dashboards, metrics, or configuration. There is no CLOUD Act exposure because there is no US entity with custody of your data.
Self-hosted Grafana, combined with Prometheus (metrics), Loki (logs), and Tempo (traces), provides the full observability stack with zero data transfer to a US company. This is the gold standard for EU data sovereignty in observability.
Grafana Cloud: US-Controlled SaaS
Grafana Cloud is a different product category. When you send metrics, logs, or traces to Grafana Cloud, that data is:
- Transmitted to Grafana Labs infrastructure
- Processed and stored by Grafana Labs, Inc. (Delaware C-Corp)
- Potentially hosted on GCP and AWS backends — both US companies with their own CLOUD Act exposure
- Subject to US government requests under the CLOUD Act without requiring EU court authorisation
Grafana Cloud offers EU-hosted regions. However, an EU region hosted by a US company does not solve the CLOUD Act problem. The CLOUD Act explicitly covers data held by US-incorporated companies regardless of server location. The US Department of Justice can compel Grafana Labs, Inc. to produce customer data held on Frankfurt or Dublin servers without obtaining an EU court order.
What Grafana Cloud Collects: The GDPR Data Inventory
Metrics (Grafana Mimir Backend)
Grafana Cloud's metrics backend is Mimir, a highly scalable Prometheus-compatible time-series database. Metrics sent to Grafana Cloud often include personal data through labels:
- user_id, tenant_id, customer_id labels on business metrics
- Per-session request duration metrics from application instrumentation
- Cardinality-heavy metrics that include user-identifying attributes
Under GDPR Article 5(1)(c), data minimisation applies to labelling strategies. In practice, many organisations send labelled metrics to Grafana Cloud that are linkable to identified natural persons — crossing the personal data threshold.
Logs (Grafana Loki Backend)
Log ingestion carries the highest GDPR risk in the Grafana Cloud stack. Application logs routinely contain:
- Authentication events: usernames, email addresses, IP addresses, session tokens
- Request logs: HTTP paths including user IDs, query strings, and API keys
- Error messages: stack traces that may expose query parameters containing personal data
- Business events: order IDs, payment references, customer identifiers
Grafana Loki stores logs as compressed streams with label-based indexing. Without explicit log sanitisation pipelines, it is routine for production application logs to contain GDPR-regulated personal data. When those logs are shipped to Grafana Cloud, a US company becomes the data processor under GDPR Article 28.
The Grafana Agent (now Alloy) — the recommended log shipper — is configured to forward all matching log streams by default. There is no automatic PII detection at the shipper level without additional configuration.
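A sanitisation step of the kind the paragraphs above describe, as an added example (not Grafana's or the author's code): it redacts the listed categories from a log line before the line reaches any shipper. The patterns, placeholder strings and sample lines are assumptions constructed for illustration and need tuning to your own log formats.

```python
import re

# Ordered redaction rules: (name, pattern, replacement). Illustrative patterns,
# not an exhaustive PII detector; tune them to your own log formats.
RULES = [
    ("bearer", re.compile(r'(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]+'), r"\1 [REDACTED_TOKEN]"),
    ("secret_param", re.compile(r'(?i)\b(api_key|token|session|password)=[^&\s"]+'), r"\1=[REDACTED]"),
    ("email", re.compile(r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'), "[REDACTED_EMAIL]"),
    ("ipv4", re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'), "[REDACTED_IP]"),
    ("user_path", re.compile(r'(/users?/)[^/\s?"]+'), r"\1[REDACTED_ID]"),
]

def sanitise(line):
    """Return (clean_line, hits) where hits counts substitutions per rule."""
    hits = {}
    for name, pattern, repl in RULES:
        line, n = pattern.subn(repl, line)
        if n:
            hits[name] = n
    return line, hits

# Constructed sample lines (documentation-range IP, example.com address).
SAMPLE = [
    'level=info msg="login ok" user=anna@example.com ip=203.0.113.7',
    'GET /users/48213/orders?api_key=k3y-abc123&page=2 200',
    'level=error msg="upstream 401" header="Authorization: Bearer eyJhbGciOi.abc.def"',
    'level=debug msg="cache warm" items=1200',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        clean, hits = sanitise(raw)
        print(clean, hits)
```

The per-rule hit counts are worth exporting as a metric of their own: a sudden rise shows that a service has started logging something it should not.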
Traces (Grafana Tempo Backend)
Distributed traces collected in Grafana Cloud (via Tempo) record request flows across services. Trace data frequently contains:
- HTTP headers including Authorization, Cookie, X-User-ID, X-Forwarded-For
- Database query spans with WHERE clause parameters (which may contain personal data)
- Service-to-service propagation headers carrying user context
- Custom span attributes set by application code (frequently including user identifiers)
The OpenTelemetry automatic instrumentation libraries — which Grafana recommends for trace collection — capture HTTP headers and query spans without requiring explicit configuration. Teams that have not audited their trace pipelines commonly discover they are exporting personal data through span attributes.
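One way to audit a trace pipeline for the attributes listed above, as an added example that is not part of the original post: it drops header and user-identifier attributes and masks literals in database query text before export. The attribute names follow OpenTelemetry semantic conventions; the key list and the simplified span dictionaries are assumptions constructed for illustration.

```python
import re

# Attribute keys that commonly carry personal data. The names follow
# OpenTelemetry semantic conventions; the list is an assumption to extend.
SENSITIVE_KEYS = re.compile(
    r"^(http\.request\.header\.(authorization|cookie|x-user-id|x-forwarded-for)"
    r"|enduser\.id|client\.address|user[._]id)$", re.I)
QUERY_KEYS = {"db.statement", "db.query.text"}
# Quoted strings and bare numbers inside SQL text are treated as parameters.
SQL_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")

def scrub_span(span):
    """Return (scrubbed_copy, findings); the input span is left unmodified."""
    attrs, findings = {}, []
    for key, value in span["attributes"].items():
        if SENSITIVE_KEYS.match(key):
            findings.append((span["name"], key, "dropped"))
            continue
        if key in QUERY_KEYS and SQL_LITERAL.search(str(value)):
            value = SQL_LITERAL.sub("?", str(value))
            findings.append((span["name"], key, "literals masked"))
        attrs[key] = value
    return {**span, "attributes": attrs}, findings

def audit(spans):
    """Scrub a batch and return (scrubbed_spans, all_findings)."""
    out, report = [], []
    for span in spans:
        clean, findings = scrub_span(span)
        out.append(clean)
        report.extend(findings)
    return out, report

# Constructed spans in a simplified dict shape (not the OTLP wire format).
SPANS = [
    {"name": "GET /orders", "attributes": {
        "http.request.method": "GET",
        "http.request.header.authorization": "Bearer abc.def",
        "http.request.header.x-forwarded-for": "203.0.113.7",
        "user.id": "48213"}},
    {"name": "SELECT shop.orders", "attributes": {
        "db.system": "postgresql",
        "db.statement": "SELECT * FROM orders WHERE email = 'anna@example.com' AND id = 17"}},
]

if __name__ == "__main__":
    _, report = audit(SPANS)
    for row in report:
        print(row)
```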
Profiling (Grafana Pyroscope)
Grafana acquired Pyroscope, a continuous profiling tool, in 2023. Pyroscope data includes function-level execution profiles that may contain:
- Stack traces referencing application code handling personal data
- Memory profiling data that could capture in-memory personal data under specific conditions
- Execution timing data that correlates with user request patterns
Continuous profiling is emerging as a new observability category. GDPR DPAs have not yet issued specific guidance on profiling data, but the general principle under Article 5(1)(b) (purpose limitation) applies: profiling data sent to a US company for infrastructure monitoring cannot be repurposed for other uses without a fresh legal basis.
Real User Monitoring (Frontend Observability)
Grafana's frontend observability product (Faro) collects:
- Browser session data and page load timings
- JavaScript error logs including stack traces
- Core Web Vitals measurements correlated with user sessions
- Navigation timing events
Faro sessions can be linked to user identifiers if the application sets user context. This creates a GDPR Article 6(1) lawful basis requirement: the user must have consented to performance monitoring data being sent to a US-controlled SaaS platform.
GDPR Articles Most Relevant to Grafana Cloud
| Article | Issue |
|---|---|
| Art.28 | Grafana Labs must be a GDPR-compliant data processor — DPA required |
| Art.46 | International transfer requires SCCs or adequacy decision |
| Art.5(1)(c) | Data minimisation: raw logs with PII violate this principle |
| Art.5(1)(b) | Purpose limitation: monitoring data must not be repurposed |
| Art.32 | Appropriate technical measures including encryption, access controls |
| Art.17 | Right to erasure: customer logs/traces must be deletable on request |
Grafana Labs offers a Data Processing Agreement and relies on Standard Contractual Clauses (SCCs) for EU-to-US data transfers. SCCs are currently valid under GDPR but do not override the CLOUD Act. A valid SCC does not prevent a US government request to Grafana Labs, Inc. — it only creates contractual obligations that may conflict with US law. The fundamental tension between SCCs and the CLOUD Act has been documented by the Austrian DSB, French CNIL, and German DSK in the context of other US SaaS platforms.
EU Alternatives to Grafana Cloud
Option 1: Self-Hosted Grafana + Prometheus + Loki + Tempo (Best for EU Sovereignty)
The most GDPR-compliant approach for organisations already using Grafana tooling: run the same stack on EU infrastructure.
| Component | Purpose | Host On |
|---|---|---|
| Grafana OSS | Dashboards and alerting | EU VM |
| Prometheus | Metrics collection and storage | EU VM |
| Loki | Log aggregation | EU VM |
| Tempo | Distributed tracing | EU VM |
| Pyroscope (self-hosted) | Continuous profiling | EU VM |
| OpenTelemetry Collector | Telemetry routing | EU VM |
Legal status: No CLOUD Act exposure. Data never leaves EU infrastructure. Grafana Labs has no access to any monitoring data. Full GDPR compliance achievable with proper log sanitisation.
Operational overhead: You manage availability, storage, retention policies, and upgrades. For teams with existing Kubernetes or VM infrastructure, this is a well-understood operational model. Grafana's open-source deployment is documented extensively.
Suitable EU hosters: Hetzner (Germany), OVHcloud (France), Scaleway (France), Ionos (Germany), UpCloud (Finland).
Option 2: VictoriaMetrics
VictoriaMetrics is a high-performance time-series database and monitoring solution, originally developed as a Prometheus-compatible alternative. It supports metrics, logs (VictoriaLogs), and traces (VictoriaTraces).
| Attribute | Value |
|---|---|
| Open Source | Yes (Community Edition MIT licence) |
| Cloud Offering | VictoriaMetrics Cloud |
| EU Deployment | Self-hosted on EU infrastructure |
| Prometheus Compatibility | Full drop-in replacement |
| Performance | 10-30x lower resource usage vs Prometheus at scale |
VictoriaMetrics can be self-hosted on EU infrastructure with no US-company data exposure. The VictoriaMetrics Cloud offering is hosted by the VictoriaMetrics team — check their current legal entity and DPA before using the managed service. For EU sovereignty, the self-hosted community edition is the recommended approach.
Option 3: Better Stack (EU-Native Managed Observability)
Better Stack (formerly Logtail) is headquartered in Vienna, Austria — within the EU. The company offers managed log management, uptime monitoring, and infrastructure monitoring under a single platform.
| Attribute | Value |
|---|---|
| Legal Entity | Better Stack, s.r.o. (Czech Republic) |
| HQ | Vienna, Austria |
| Data Centres | EU regions |
| GDPR Jurisdiction | EU |
| Pricing | Free tier available, paid from ~$25/mo |
| Prometheus Integration | Yes |
Better Stack is EU-incorporated and stores data in European data centres. There is no US parent company creating CLOUD Act exposure. This makes it one of the cleanest managed alternatives to Grafana Cloud for teams that need a SaaS product without self-hosting overhead.
Note: Always verify the current legal entity and data processing terms with Better Stack before signing a DPA, as company structures can change.
Option 4: SigNoz (Open-Source OpenTelemetry Backend)
SigNoz is an open-source observability platform built natively on OpenTelemetry. It provides metrics, logs, and traces in a single interface, self-hosted on any infrastructure.
| Attribute | Value |
|---|---|
| Licence | Open-source (AGPL) |
| Architecture | OpenTelemetry-native |
| Self-Hosted | Yes — full Docker/Kubernetes support |
| Grafana Replacement | Yes — native dashboarding |
| EU Deployment | Self-hosted on EU infrastructure |
SigNoz accepts OpenTelemetry Protocol (OTLP) natively and does not require Prometheus or Loki as separate components. For teams building a greenfield observability stack, SigNoz on EU infrastructure provides a coherent, EU-data-sovereign alternative to the full Grafana Cloud feature set.
Option 5: Netdata
Netdata provides real-time infrastructure monitoring with both a self-hosted Agent and a cloud dashboard option.
| Attribute | Value |
|---|---|
| Agent | Open-source (MIT, self-hosted) |
| Cloud Dashboard | Netdata Cloud (SaaS) |
| EU Operations | Check current legal entity |
| Prometheus Compatibility | Export via prometheus exporter |
The self-hosted Netdata Agent collects ~2,000 metrics per second with zero configuration on Linux systems. For pure infrastructure monitoring without custom application metrics, Netdata Agent on EU infrastructure provides excellent out-of-box coverage with no data leaving the EU.
The CLOUD Act Is Not Solved by EU Regions
This point merits emphasis because it is the most common misconception in observability compliance discussions.
Grafana Cloud offers data hosted in eu-west or eu-central regions. This is not sufficient for CLOUD Act compliance. The relevant legal test is not where data is stored but who controls it. Under 18 U.S.C. § 2703(a), a US company must produce data "in its possession, custody, or control" — regardless of physical location.
Grafana Labs, Inc. (Delaware C-Corp) has possession, custody, or control of all data in Grafana Cloud, regardless of whether it is stored in Frankfurt or Oregon. A US government request under the CLOUD Act does not require an EU court order. Grafana Labs cannot lawfully refuse such a request by citing GDPR, and a compliance conflict between US law and GDPR creates a situation where the customer — not Grafana Labs — bears the regulatory risk under EU law.
The European Data Protection Board (EDPB) has been clear: a US company processing EU personal data remains subject to US surveillance law regardless of contractual SCCs. This was the basis for Austrian DSB, French CNIL, Italian Garante, and Swedish IMY rulings on Google Analytics — a different product but the same structural analysis.
Compliance Verdict
| Deployment Model | CLOUD Act Exposure | Recommended |
|---|---|---|
| Grafana Cloud (any region) | YES — US C-Corp data controller | No |
| Self-hosted Grafana (EU infra) | NO — no US company custody | Yes |
| Self-hosted SigNoz (EU infra) | NO | Yes |
| VictoriaMetrics Cloud | Check current legal entity | Verify |
| Better Stack | NO — EU-incorporated | Yes |
| Netdata Agent (self-hosted) | NO | Yes |
Practical Migration Path from Grafana Cloud to Self-Hosted
If your organisation currently uses Grafana Cloud and wants to migrate to EU-sovereign observability:
- Audit your current data: identify which Grafana Cloud products you use (metrics, logs, traces, RUM, profiling)
- Stand up EU infrastructure: a 3-node cluster on Hetzner or OVHcloud can run the full stack for mid-size teams
- Deploy OpenTelemetry Collector: configure it to route to your EU-hosted Loki/Tempo/Prometheus backends
- Export Grafana dashboards: Grafana OSS uses the same JSON dashboard format — export from Cloud, import to self-hosted
- Migrate alert rules: Grafana alerting rules are portable between Cloud and OSS
- Update Grafana Alloy/Agent configuration: redirect remote_write endpoints from Grafana Cloud to your EU endpoints
- Decommission Cloud: after verifying EU stack is operational, cancel Grafana Cloud and request data deletion under GDPR Art.17
The migration from Grafana Cloud to self-hosted Grafana is technically straightforward because the underlying components (Mimir, Loki, Tempo) are open-source and available for self-hosting. The operational investment is the primary cost.
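Before the decommission step, it helps to confirm that no shipper configuration still points at Grafana Cloud. The following added example (not part of the original post or of Grafana's tooling) scans Alloy-style or YAML-style configuration text for endpoint URLs and flags every host that is not on an allow-list of your own EU endpoints. The `.grafana.net` suffix, the hostnames and the sample configuration are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches `url = "https://..."` (Alloy) and `url: https://...` (YAML).
URL_SETTING = re.compile(r"""\b(?:url|endpoint)\s*[=:]\s*["']?(https?://[^\s"']+)""")

def find_endpoints(config_text):
    """Return [(line_number, url)] for every endpoint URL in the text."""
    found = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # commented-out settings ship nothing
        for match in URL_SETTING.finditer(line):
            found.append((number, match.group(1)))
    return found

def audit_config(config_text, allowed_hosts, cloud_suffixes=(".grafana.net",)):
    """Classify each endpoint host as 'ok', 'cloud' or 'unknown'."""
    results = []
    for number, url in find_endpoints(config_text):
        host = (urlsplit(url).hostname or "").lower()
        verdict = ("ok" if host in allowed_hosts
                   else "cloud" if host.endswith(tuple(cloud_suffixes)) else "unknown")
        results.append((number, host, verdict))
    return results

# Constructed sample configuration; every hostname is a placeholder.
ALLOY_CONFIG = '''\
prometheus.remote_write "eu" {
  endpoint {
    url = "https://mimir.eu.example.com/api/v1/push"
  }
}
// url = "https://old.example.grafana.net/api/prom/push"
loki.write "legacy" {
  endpoint {
    url = "https://logs-prod-eu.example.grafana.net/loki/api/v1/push"
  }
}
otelcol.exporter.otlphttp "traces" {
  client {
    endpoint = "https://tempo.thirdparty.example.org:4318"
  }
}
'''

if __name__ == "__main__":
    for row in audit_config(ALLOY_CONFIG, {"mimir.eu.example.com"}):
        print(row)
```

Treat an "unknown" verdict as a finding too: it marks an endpoint whose operator and jurisdiction have not been reviewed.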
sota.io Context
sota.io is an EU-native managed PaaS (Hetzner, Germany) for deploying applications — including observability stacks. You can deploy self-hosted Grafana, Loki, Prometheus, Tempo, and VictoriaMetrics on sota.io with a single configuration file, keeping all monitoring data within EU jurisdiction with no CLOUD Act exposure.
This post is Post #2 in the sota.io EU Monitoring Tools Series. Post #1 covered Datadog EU alternatives. Coming next: Elastic Observability, Splunk, and AppDynamics.