Grafana Cloud EU Alternative: Why Delaware Incorporation Overrides EU Region Selection — What GDPR-Conscious Teams Use Instead

Post #894 in the sota.io EU Cyber Compliance Series

Grafana occupies a unique position in the observability market: it is simultaneously one of the most widely deployed open-source tools in European infrastructure and a US-incorporated SaaS platform used by teams that believe they have made an EU-sovereign choice.

The confusion is structural. The Grafana project is open source (Apache 2.0 licensed). Self-hosting Grafana, Loki, Tempo, and Mimir on EU-controlled infrastructure is a genuinely EU-sovereign observability approach — no US company controls the data, no US law applies to the infrastructure. But Grafana Cloud, the SaaS offering from Grafana Labs, is a different legal entity entirely. Grafana Labs, Inc. is incorporated in Delaware, USA, and is subject to the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. § 2713) regardless of which geographic region you select during signup.

The EU region option in Grafana Cloud controls where your data is physically stored. It does not change the corporate nationality of the entity that controls the SaaS platform. For CLOUD Act analysis, corporate nationality is the only variable that matters.

What Grafana Cloud Telemetry Data Is GDPR-Relevant

GDPR's definition of personal data under Article 4(1) — "any information relating to an identified or identifiable natural person" — has broad application to observability telemetry. Before examining Grafana Labs' corporate structure, it is worth understanding specifically what categories of Grafana Cloud data routinely qualify as personal data under GDPR and consistent EDPB guidance.

Metrics. Grafana Cloud's metrics backend (Grafana Mimir, Prometheus-compatible) stores time-series metric data from application and infrastructure instrumentation. Raw metrics — CPU percentage, request latency, error rate — are generally not personal data. But teams routinely attach labels to metrics that create identification paths: user_id, tenant_id, customer_region, account_tier. Under GDPR Recital 26 and EDPB guidance, labelled metrics with user-identifiable dimensions are personal data. The threshold for GDPR applicability in metrics is not high if your instrumentation follows standard application telemetry practices.

Logs (Grafana Loki). Loki is a log aggregation system optimised for querying labels rather than full-text indexing. Grafana Cloud ingests logs from your applications, Kubernetes clusters, and infrastructure. Application logs routinely contain personal data: login events that include usernames or email addresses, validation errors that include the input value, transaction records that reference customer identifiers, and authentication events. Even logs that do not explicitly log PII often contain session tokens (personal data under GDPR Recital 30) and IP addresses (personal data under GDPR Recital 30, confirmed by EDPB and multiple DPA decisions including the German DSK's 2020 guidance on IP address logging).

Traces (Grafana Tempo). Tempo stores distributed traces in OpenTelemetry-compatible format. Distributed traces capture the path of a request through your system — from the initial HTTP request through internal service calls to database queries. When that request originates from an authenticated user action, the trace payload inherits the context of that action: the request URL (which may include user identifiers), HTTP headers (which may include bearer tokens or user agent strings), span attributes that your instrumentation explicitly attached (user ID, session ID, account region), and error messages that may include the data that triggered the error. Traces that touch user-facing operations are GDPR-relevant by default unless explicitly instrumented to exclude personal data.

Grafana Frontend Observability (Real User Monitoring). Grafana Cloud includes a frontend observability product built on Faro, Grafana's open-source RUM SDK. Frontend observability captures user browser interactions: page load performance, JavaScript errors with stack traces, user sessions with navigation paths, and the HTTP requests made by the browser. Real User Monitoring always processes IP addresses — it is architecturally required to receive the browser session. IP addresses are personal data under GDPR Article 4(1) and Recital 30. Grafana's frontend observability is therefore processing personal data by design.

Grafana Incident (On-Call Data). Grafana Cloud's incident management feature (formerly Grafana Incident and Grafana OnCall) processes information about who is on-call, who was paged, and who acknowledged alerts. On-call schedules contain named individuals, phone numbers for SMS escalation, and timestamps of individual responses to production incidents. This is unambiguously personal data under any GDPR interpretation. Teams using Grafana OnCall via Grafana Cloud are sending personal data about their operations team members to Grafana Labs' SaaS infrastructure.

Grafana Profiles (Pyroscope). Grafana Cloud Profiles uses Pyroscope for continuous profiling — capturing CPU and memory profiles of running applications. Profiles themselves are generally not personal data. However, the label sets attached to profiles routinely include pod names, service names, and environment tags that may overlap with other data in ways that create identification paths under GDPR's broad "relating to" criterion.

The pattern across all Grafana Cloud features is consistent with observability tools generally: personal data enters the system incidentally through instrumentation of user-facing application behaviour, through operational metadata about the people running systems, and through RUM collection of browser sessions. Teams that have used Grafana Cloud for years may have a large volume of personal data stored in Grafana Labs' SaaS infrastructure without having deliberately sent any of it.

Grafana Labs Corporate Structure: Delaware and US Venture Capital

Grafana Labs was founded in 2014 by Torkel Ödegaard (Swedish) and Anthony Woods (Australian) in New York. The company is incorporated as Grafana Labs, Inc., a Delaware corporation.

Despite its non-US founding team and globally distributed workforce, Grafana Labs has raised its venture funding through US venture capital firms, further cementing its US corporate character. Investors include Lightspeed Venture Partners (Silicon Valley), GV (Google Ventures, Alphabet subsidiary), Sequoia Capital (Menlo Park), J.P. Morgan Asset Management, and Coatue Management. The company's most recent reported valuation was approximately $6 billion (2022 Series D round). All of this capital was structured through US corporate vehicles in the standard VC model.

Grafana Labs maintains significant engineering presence in Europe and has European operating entities used for local employment and contracting. These European entities do not control the Grafana Cloud SaaS platform. Grafana Labs, Inc. (Delaware) operates the SaaS platform, enters customer agreements, controls the cloud infrastructure, and holds the data processing relationships with Grafana Cloud customers.

For CLOUD Act analysis, the relevant entity is unambiguously a US company. The geographic diversity of the engineering team, the non-US origin of the founders, and the existence of European subsidiaries do not affect CLOUD Act applicability.

CLOUD Act Exposure: Why "EU Region" Is Not a Legal Remedy

Grafana Cloud allows customers to select their data region at workspace creation. The EU region option routes data storage and processing to Grafana Labs' cloud infrastructure in Europe (AWS eu-west-1 for most deployments). Teams selecting the EU region can configure their Grafana Cloud workspace such that all telemetry data is physically stored within the EU.

This is the point where many EU developers conclude their CLOUD Act analysis, incorrectly.

CLOUD Act 18 U.S.C. § 2713 requires US companies to preserve and disclose data "regardless of whether such communication, record, or other information is located within or outside of the United States." The geographic location of the data is explicitly not a limiting factor in CLOUD Act obligations. A US law enforcement agency seeking Grafana Cloud data related to a US legal proceeding can compel Grafana Labs, Inc. to produce that data from its EU data centres. The data's physical location in Frankfurt or Dublin does not prevent a valid CLOUD Act order from reaching it.

Selecting the EU region in Grafana Cloud serves two legitimate purposes: it may help with GDPR data transfer compliance by reducing the need for cross-border transfer mechanisms, and it reduces the latency of data ingestion for EU-based infrastructure. It does not serve as a CLOUD Act defence.

Standard Contractual Clauses (SCCs) similarly do not address CLOUD Act exposure. SCCs govern your organisation's transfer of personal data to Grafana Labs as your data processor. They establish contractual obligations that Grafana Labs accepts regarding how it handles your data. They do not — and cannot — modify what US domestic law requires Grafana Labs to do when served with a CLOUD Act order. CLOUD Act obligations run to Grafana Labs as a US-incorporated entity under US law. Your contractual relationship with Grafana Labs does not alter Grafana Labs' obligations under its own domestic law.

The practical risk for EU controllers is concrete: any US law enforcement or regulatory proceeding that involves data stored in your Grafana Cloud workspace — because your customers include US-connected entities, because your US-incorporated parent is subject to US proceedings, or because Grafana Labs itself receives a broad CLOUD Act demand — could result in compelled disclosure of observability data including personal data of EU data subjects. You would not be notified. Your GDPR exposure as controller would not be mitigated by Grafana Labs' SCCs or EU region selection.

The Genuine EU-Sovereign Alternative: Self-Hosted LGTM

The most important characteristic of the Grafana ecosystem for EU compliance purposes is that all of Grafana Labs' core observability components are open source under permissive licences. The entire LGTM stack — Loki (logs), Grafana (visualisation), Tempo (traces), and Mimir (metrics) — can be deployed on infrastructure you control, in EU jurisdiction, without any data leaving your environment.

Self-hosted LGTM is not a degraded alternative to Grafana Cloud. For most team sizes, it is functionally equivalent or superior in customisability. The performance characteristics of a well-configured self-hosted LGTM deployment match Grafana Cloud at comparable data volumes. The tooling for deployment has matured significantly: Grafana Labs maintains official Helm charts, Docker Compose configurations, and Kubernetes operators for all components.

Loki handles log aggregation. Unlike Elasticsearch, Loki indexes only metadata (labels) rather than full log content, making it highly cost-efficient for storage at scale. A standard three-component Loki deployment (distributor, ingester, querier) handles millions of log lines per day on modest hardware.

Grafana (OSS) provides the visualisation layer. Grafana OSS is identical to the Grafana available in Grafana Cloud's frontend — the dashboarding, alerting, and panel capabilities are the same. The difference is in the managed backend services, which you replace with self-hosted components.

Tempo handles distributed traces in OpenTelemetry, Jaeger, and Zipkin formats. Tempo's object-storage backend model — storing traces in S3-compatible object storage rather than a traditional database — makes it exceptionally cost-efficient for high-volume trace retention.

Mimir is Grafana Labs' horizontally scalable Prometheus-compatible metrics backend, released as open source in 2022. Mimir supports multi-tenancy, long-term metric retention, and the full Prometheus query API. For teams currently using Prometheus directly, Mimir provides a drop-in remote-write target with improved scalability characteristics.

The complete LGTM stack deployed on a single EU-hosted VM handles production workloads comfortably for teams up to around 50 engineers. Larger deployments scale horizontally using Kubernetes.

Additional EU-Native Alternatives

For teams that do not want to operate the LGTM stack themselves, there are EU-native managed observability options that do not carry CLOUD Act exposure:

VictoriaMetrics. VictoriaMetrics is a high-performance time-series database and monitoring platform developed by a team originally based in the EU. The open-source version handles Prometheus-compatible metrics with significantly better query performance and storage efficiency than Prometheus itself. VictoriaMetrics provides both a self-hosted option and a managed cloud offering through European infrastructure providers.

SigNoz. SigNoz is an open-source observability platform built natively on OpenTelemetry. It provides unified metrics, logs, and traces in a single interface. SigNoz is self-hostable and can be deployed on EU infrastructure. Its OpenTelemetry-first architecture means instrumentation is fully portable — migrating from Grafana Cloud to SigNoz requires only a collector endpoint change, not re-instrumentation.

Netdata. Netdata provides real-time infrastructure monitoring with a self-hosted agent model. While its feature set is narrower than the full LGTM stack, it provides immediate visibility into infrastructure health with no SaaS dependency.

For incident management (replacing Grafana OnCall), Grafana OnCall open source (released 2022) provides the full on-call scheduling and alerting functionality as a self-hosted application. Alertmanager (from the Prometheus ecosystem) handles alert routing and escalation without any cloud dependency.

Migration from Grafana Cloud to Self-Hosted LGTM

The Grafana ecosystem's open-source nature makes migration straightforward compared to proprietary SaaS alternatives.

Step 1: Deploy the LGTM stack. The recommended deployment path for most teams is Docker Compose for development and small production deployments, or Grafana Labs' official Helm charts for Kubernetes. The grafana/lgtm-distributed Helm chart deploys all four components with sensible defaults. For object storage, EU-sovereign options include Hetzner Object Storage, Scaleway Object Storage, or self-hosted MinIO.

Step 2: Redirect the Grafana Agent or Alloy. Grafana Labs' telemetry collector, now branded as Grafana Alloy (replacing the older Grafana Agent in 2024), is open source. Migrating from Grafana Cloud data ingestion to self-hosted LGTM requires changing endpoint URLs in your Alloy configuration — the same collector, same scraping and pipeline logic, different destination.

# Grafana Alloy config snippet: redirect from Grafana Cloud to self-hosted
loki.write "local" {
  endpoint {
    url = "http://loki.internal:3100/loki/api/v1/push"
    # Remove Grafana Cloud credentials block
  }
}

prometheus.remote_write "local" {
  endpoint {
    url = "http://mimir.internal:9009/api/v1/push"
  }
}

otelcol.exporter.otlp "tempo" {
  client {
    endpoint = "tempo.internal:4317"
    tls { insecure = true }
  }
}

Step 3: Migrate dashboards. Grafana dashboards are JSON-exportable. All dashboards created in Grafana Cloud can be exported and imported into self-hosted Grafana OSS directly. The JSON format is identical between Grafana Cloud and Grafana OSS — no conversion is required.

Step 4: Migrate alerts. Grafana alerts defined in Grafana Cloud's managed alerting system export as alert rule YAML compatible with Grafana OSS's unified alerting system. Alert notification channels (PagerDuty, Slack, email) are reconfigured in the self-hosted contact points configuration.

Step 5: Migrate historical data. Grafana Cloud does not provide a bulk data export API for historical metrics and logs. For teams with long retention requirements, the practical approach is running both systems in parallel — the self-hosted stack ingests new data while Grafana Cloud retains historical data until its retention window expires. Most teams find that 30-90 days of historical data covers their active debugging needs.

The total migration effort for a 10-20 engineer team is typically two to three days of engineering time. The ongoing operational overhead of a self-hosted LGTM deployment on container infrastructure is low once the initial configuration is stable.

Grafana Cloud vs. Self-Hosted LGTM: GDPR and CLOUD Act Comparison

The cost differential between Grafana Cloud and self-hosted LGTM at medium scale is significant. Grafana Cloud's pricing is consumption-based with costs that scale quickly with log volume and active series count. Self-hosted LGTM's costs are bounded by infrastructure and scale predictably with hardware rather than data volume. For teams with high observability data volumes, self-hosting is often less expensive as well as more compliant.

Deploying Self-Hosted LGTM on EU-Sovereign Infrastructure

EU-sovereign container platforms provide the infrastructure layer for self-hosted LGTM without introducing new US cloud dependencies. Running LGTM on AWS Frankfurt or Google Cloud Belgium routes your observability data through EU data centres but leaves the infrastructure under US corporate control — the same structural CLOUD Act exposure at the infrastructure layer that Grafana Cloud has at the SaaS layer.

A fully EU-sovereign LGTM deployment requires infrastructure operated by EU-incorporated entities: European PaaS providers, dedicated servers at EU-based providers (Hetzner, OVHcloud, Contabo), or managed Kubernetes from EU-incorporated cloud providers (Exoscale, UpCloud, Infomaniak).

sota.io provides EU-sovereign container deployment for the self-hosted LGTM stack and other observability components. German infrastructure, EU-incorporated entity, no US parent company, no CLOUD Act exposure at the infrastructure layer. Teams migrating from Grafana Cloud can deploy Loki, Grafana, Tempo, and Mimir on sota.io with the same Helm charts used locally — the infrastructure boundary moves, the tooling stays the same.

For developers and teams evaluating their observability stack under GDPR and CLOUD Act compliance criteria, the distinction between Grafana (open source, deployable anywhere, genuinely EU-sovereign) and Grafana Cloud (US SaaS, CLOUD Act-exposed regardless of EU region selection) is the most important architectural decision point. Grafana Labs has made the right architectural choice available: all the tools needed for a complete, production-grade observability stack are open source and freely deployable. The compliance question is simply where you choose to deploy them.

Summary: What EU Developers Should Know About Grafana Cloud

Grafana Cloud is operated by Grafana Labs, Inc., incorporated in Delaware. It is subject to the US CLOUD Act regardless of EU region selection. Selecting the EU region in Grafana Cloud is good practice for GDPR data transfer compliance but does not constitute a CLOUD Act defence.

The self-hosted LGTM stack — Loki, Grafana, Tempo, Mimir — is open source, Grafana Cloud-equivalent in capability, and genuinely EU-sovereign when deployed on EU-controlled infrastructure. Migration from Grafana Cloud to self-hosted LGTM involves redirecting the Grafana Alloy collector to self-hosted endpoints, exporting dashboard JSON, and migrating alert rules.

For EU teams building compliance-grade observability infrastructure in 2026, the choice is not between Grafana and something else. It is between Grafana as a service from a US company and Grafana as open source on infrastructure you control. Those are structurally different products with different legal profiles. Only the second option provides the CLOUD Act isolation that EU data protection regulators increasingly expect.