Northflank EU Alternative 2026: Why UK Incorporation Changes Your GDPR Risk
Post #4 in the sota.io EU Serverless & PaaS Series
Northflank is a developer-favourite DevOps platform. Docker, Kubernetes, persistent volumes, managed databases — all wrapped in one clean interface. If you have tried Heroku and wanted more control, or tried raw Kubernetes and wanted less complexity, Northflank fills that gap elegantly.
But Northflank Ltd is incorporated in England and Wales. That single fact has real GDPR consequences in 2026 — consequences that Frankfurt servers and Hetzner infrastructure cannot fix.
Who Owns Northflank?
Northflank Ltd — Companies House registration CH12342786, incorporated in England and Wales. Private company. No US parent — that is the good news. But post-Brexit, the UK is a third country for the purposes of GDPR Chapter V (Art.44 onwards). And the UK has its own surveillance law: the Investigatory Powers Act 2016 (IPA 2016), which grants UK intelligence agencies far-reaching bulk collection powers and lets the Home Secretary impose standing obligations on operators.
The CLOUD Act score is 3/25 — low compared to Heroku (22/25) or Zscaler (23/25), but the IPA 2016 creates its own category of risk that CLOUD Act analysis does not fully capture.
Key Corporate Facts
| Field | Detail |
|---|---|
| Legal entity | Northflank Ltd |
| Jurisdiction | England and Wales (UK) |
| Reg. number | CH12342786 |
| US parent | None |
| CLOUD Act exposure | 3/25 (no US parent) |
| Primary surveillance law | UK IPA 2016 |
| Infrastructure | Hetzner Frankfurt + Amsterdam |
| Pricing | From $20/month (managed DB from $25) |
CLOUD Act Score: 3/25
Northflank's CLOUD Act score is low because there is no US parent and no direct US law jurisdiction:
| Dimension | Score | Reason |
|---|---|---|
| Legal entity | 0/5 | UK entity, no US incorporation |
| Intelligence-community ties | 1/5 | UKUSA/Five Eyes partner — UK GCHQ shares data with NSA under SIGINT agreements |
| Government contracts | 1/5 | No direct US federal contracts; UK government clients possible |
| Infrastructure control | 0/5 | Hetzner (German) for compute; UK data centres also offered |
| Compellability | 1/5 | UK Home Secretary can issue Technical Capability Notices (IPA 2016 s.253) and National Security Notices (s.252) |
Total: 3/25 — far below Heroku (22/25), but not the 0/25 that a French or German entity achieves.
The Real Risk: UK Investigatory Powers Act 2016
The IPA 2016 (sometimes called the "Snoopers' Charter") gives UK intelligence agencies three major powers:
1. Bulk Warrants (IPA 2016 Part 6)
Part 6 authorises three kinds of bulk warrant: bulk interception (s.136), bulk acquisition of communications data (s.158) and bulk equipment interference (s.176). Bulk interception lets GCHQ intercept entire communications streams rather than targeted individuals. Bulk equipment interference authorises hacking of devices and systems at scale, including platforms or data centres, where a Secretary of State considers it necessary in the interests of national security. Each warrant needs Judicial Commissioner approval (the "double lock"), but the test is necessity and proportionality, not individual suspicion.
2. Technical Capability Notices (IPA 2016 s.253)
The UK Home Secretary can require a "telecommunications operator" (defined broadly in s.261 and generally taken to cover hosting and cloud providers) to maintain technical capabilities that support interception, equipment interference and data acquisition, including the capability to remove electronic protection that the operator itself has applied (s.253(5)(c)). The practitioner's caveat is in that last clause: a TCN reaches encryption the operator applies or controls, such as platform-managed encryption at rest or TLS it terminates. Data that arrives at Northflank already encrypted under keys only you hold is outside what Northflank could be compelled to decrypt; data protected only by platform-held keys is not.
3. National Security Notices (IPA 2016 s.252)
These can require an operator to take any steps the Secretary of State considers necessary in the interests of national security, including providing services or facilities to an intelligence service. Both notice types carry a statutory non-disclosure obligation (s.255): Northflank could not tell you a notice had been received. And unlike a warrant for a specific account, a notice shapes the platform's capabilities in advance, for every customer on it.
Five Eyes Intelligence Sharing
The UK is a founding member of the UKUSA Agreement (Five Eyes): UK, USA, Canada, Australia, New Zealand. Under this agreement, GCHQ and NSA routinely share signals intelligence. In practice, this means a UK IPA 2016 bulk interception can make data accessible to the NSA without a CLOUD Act warrant. It is a different legal pathway to the same destination.
Why Frankfurt Infrastructure Does Not Help
Northflank offers EU regions on Hetzner infrastructure: Frankfurt and Amsterdam. At first glance, this looks like a GDPR solution. It is not, for three reasons:
Reason 1: Jurisdiction follows the entity, not the server. Northflank Ltd is established in the UK, so disclosing personal data to it is a transfer to a third-country processor under Chapter V (Art.44), even when the bytes never leave a Frankfurt data centre. EDPB Guidelines 05/2021 make the importer's location, not the server's, the test for whether a transfer takes place. You therefore need a transfer mechanism (the UK adequacy decision while it stands, or Standard Contractual Clauses) regardless of which region you pick.
Reason 2: The UK adequacy decision is time-limited. The Commission's June 2021 adequacy decision (Art.45 GDPR) carried a four-year sunset and expired in June 2025. As of this writing (May 2026) it has been extended, but the EDPB has repeatedly raised concerns about the compatibility of IPA 2016 bulk powers with EU fundamental rights, and future renewal is not guaranteed. If adequacy lapses, every EU controller using Northflank must put SCCs and a Transfer Impact Assessment in place immediately.
Reason 3: Control plane is UK. The Northflank dashboard, API, build system, deployment orchestration, and secrets management run from UK-controlled infrastructure. Even if your workloads run in Frankfurt, the control plane that configures and accesses them is under UK jurisdiction.
What Northflank Is Great For
To be fair: Northflank's developer experience is genuinely excellent.
- GitOps-native: Push-to-deploy with branch-based environments, preview deployments, build pipelines
- Kubernetes without the ops overhead: Managed clusters, no kubeconfig juggling
- Managed databases: PostgreSQL, MySQL, MongoDB, Redis — with backups and scaling
- Persistent volumes: Unlike many serverless platforms, real block storage with snapshots
- Secrets management: Built-in secrets store with environment variable injection
- Team collaboration: Role-based access, project isolation, audit logs
- Price: From $20/month — cheaper than Heroku's comparable offerings
For UK-based companies, UK government projects, or UK-exempt data: Northflank is a strong choice. The IPA 2016 risk is your government's own law, which simplifies the legal picture.
For EU-headquartered companies handling EU personal data: the third-country status introduces compliance overhead that EU-native alternatives avoid.
GDPR Compliance Analysis
Data Processing Agreement
Northflank offers a DPA. But a DPA with a UK entity does not eliminate the transfer mechanism requirement; it implements it. While the UK adequacy decision stands you can rely on it (Art.45) with no SCCs or TIA required. The moment it lapses, you need SCCs (Art.46) plus a Transfer Impact Assessment. Signing SCCs alongside the DPA now is the cheap contingency: it costs a schedule today and saves an emergency re-papering exercise later.
Transfer Impact Assessment (TIA) Requirements
EDPB Recommendations 01/2020 set out the Transfer Impact Assessment that Schrems II requires whenever you rely on Art.46 tools such as SCCs. For Northflank (UK), a TIA covers:
- Assess IPA 2016 scope and your data category
- Document why IPA 2016 bulk interception powers do not apply to your use case (if you can)
- Assess Five Eyes sharing likelihood for your data type
- Document adequacy decision reliance + contingency if adequacy lapses
This is not impossible, but it adds compliance overhead that an EU-established processor (a French SAS or a German GmbH) avoids entirely.
Sub-processors
Northflank's sub-processor list includes services from multiple jurisdictions. Each sub-processor used in your Northflank deployment extends the transfer chain. Review their DPA Schedule for current sub-processor geography.
DORA and NIS2 Considerations
DORA Art.28 — Third-Country ICT Providers
For financial entities subject to DORA (banks, investment firms, payment institutions), ICT third-party risk is governed by Art.28 onwards. Art.28(8) requires documented exit strategies for ICT services supporting critical or important functions, Art.29(2) requires weighing the risks of providers and subcontractors established in a third country, and Art.30(2)(b) requires the contract to state where services are provided and data is processed. Competent authorities can request the exit strategy documentation. The UK's adequacy uncertainty amplifies this: an adequacy lapse mid-contract is exactly the scenario an exit strategy has to cover.
NIS2 Art.21(2)(d) — Supply Chain Security
NIS2 requires essential and important entities to address supply chain security. Art.21(2)(d) covers supply chain security, including the security-related aspects of the relationship with each direct supplier or service provider; Art.21(2)(e) covers security in network and information systems acquisition, development and maintenance. A UK-incorporated PaaS provider is a supply chain dependency under non-EU jurisdiction, and Art.21(3) requires the entity to take into account the risks specific to each supplier, of which exposure to a foreign legal-compulsion regime is one.
EU-Native Alternatives
These platforms achieve 0-1/25 CLOUD Act score because they have no US parent and no US incorporation:
Scalingo SAS — Paris, France 🇫🇷
Best Northflank alternative for buildpack compatibility.
- Entity: Scalingo SAS — French Société par Actions Simplifiée (Strasbourg)
- Jurisdiction: French commercial law; GDPR applies directly under Art.3(1) (establishment in the Union), so no Chapter V transfer mechanism is needed
- CLOUD Act: 0/25 (no US nexus)
- Infrastructure: Outscale (3DS OUTSCALE SAS, subsidiary of Dassault Systèmes — French) + OVH France
- Buildpack support: Full Heroku-buildpack compatibility — same Procfile/buildpack workflow
- Database: Managed PostgreSQL, MySQL, MongoDB, Elasticsearch, Redis
- Pricing: From €7.20/month (512 MB containers)
- Certifications: ISO 27001, HDS (Hébergeur de Données de Santé — French health data compliance)
If your team comes from Heroku, Scalingo has the lowest migration friction of any EU-native platform.
Koyeb SAS — Paris, France 🇫🇷
Best for containerised serverless workloads.
- Entity: Koyeb SAS — French SAS (Paris)
- Jurisdiction: France, GDPR directly applicable
- CLOUD Act: 1/25 (minor US infrastructure dependency for some edge PoPs)
- Infrastructure: Paris, Frankfurt, Washington DC (EU regions are EU-only; pin deployments to them)
- Deployment model: Docker containers + Buildpacks + GitHub/GitLab auto-deploy
- Free tier: 512 MB RAM, 0.1 vCPU, 256 MB SSD — genuinely useful for dev/staging
- Pricing: From €0 (free), production from ~€25/month
- Special strength: Edge PoPs for low-latency global distribution
sota.io — Germany 🇩🇪
Best for GDPR-zero-risk EU deployment with Hetzner compute.
- Entity: German GmbH (EU incorporated)
- Jurisdiction: German law; GDPR applies directly under Art.3(1), no adequacy decision or SCCs needed
- CLOUD Act: 0/25 (no US parent, no US incorporation, no US infrastructure)
- Infrastructure: Hetzner Germany (same provider Northflank uses for EU regions — but under EU legal control)
- Deployment: Any language, any framework — Docker or buildpack workflow
- Pricing: From €9/month
- DORA/NIS2: No supply chain third-country risk — EU-incorporated provider is in-scope under EU law directly
The key difference from Northflank: same Hetzner infrastructure, but sota.io's control plane is under EU jurisdiction — no IPA 2016, no Five Eyes, no adequacy decision dependency.
Migration Guide: Northflank → EU-Native
If you are currently on Northflank and need to migrate for GDPR compliance, the path depends on your stack:
Buildpack-based apps (Node.js, Python, Ruby, PHP, Java)
→ Scalingo is the fastest path. Scalingo supports Heroku buildpacks. Your Procfile works as-is. Environment variables map 1:1. Managed add-ons (PostgreSQL, Redis) have direct equivalents.
Steps:
- Add the Scalingo remote and push:

```bash
git remote add scalingo git@ssh.osc-fr1.scalingo.com:<app-name>.git
git push scalingo main
```

- Provision add-ons via the Scalingo dashboard
- Point DNS
Containerised apps (Docker/docker-compose)
→ Koyeb or sota.io. Both accept Dockerfile or docker-compose.yml.
For Koyeb: Connect GitHub/GitLab repo → select Dockerfile → deploy. Persistent volumes attach via NFS mount.
For sota.io: Same pattern — Docker-based deploy with persistent volume support.
Database migration
Both Scalingo and sota.io offer managed PostgreSQL with pg_restore import. Northflank allows pg_dump export from managed PostgreSQL instances.
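The database step above is the one place a migration can silently undo its own purpose: a dump restored into the wrong target, or an incomplete restore cut over to DNS. The script below is an added example, not tooling from Northflank, Scalingo or sota.io. It assumes the libpq client tools (pg_dump, pg_restore, psql) are on PATH, that you supply the source and target connection URLs, and that the list of accepted EU database host suffixes (shown here for Scalingo's osc-fr1 regions) is an assumption you replace with your own provider's hosts. It refuses to restore into any host outside that allowlist, streams a custom-format dump straight into the target, and diffs exact per-table row counts on both sides before declaring success.

```bash
#!/usr/bin/env bash
# Added example for the Northflank -> EU-native database move; not vendor tooling.
# Assumes pg_dump, pg_restore and psql on PATH and two libpq connection URLs.
set -eu

# Host suffixes accepted as a restore target. This allowlist is an assumption
# for the example; put your own provider's EU database hosts here.
EU_TARGET_SUFFIXES=".osc-fr1.scalingo.com .osc-secnum-fr1.scalingo.com"

# Extract the host from a libpq URL such as postgres://user:pw@host:5432/db
host_of() {
  printf '%s' "$1" | sed -E 's#^[a-z]+://([^@/]*@)?([^:/?]+).*#\2#'
}

# Refuse to restore into any host that is not on the EU allowlist: the whole
# point of the migration is lost if the dump lands on a third-country database.
assert_eu_target() {
  local host suffix
  host="$(host_of "$1")"
  for suffix in $EU_TARGET_SUFFIXES; do
    case "$host" in *"$suffix") return 0 ;; esac
  done
  echo "refusing target $host: not an allowed EU database host" >&2
  return 1
}

# Exact row count per table in the public schema, one "table count" line each,
# sorted so the output of two databases can be diffed directly.
table_counts() {
  local url="$1" t
  psql "$url" -Atc "SELECT tablename FROM pg_tables WHERE schemaname='public' ORDER BY 1" \
  | while IFS= read -r t; do
      printf '%s %s\n' "$t" "$(psql "$url" -Atc "SELECT count(*) FROM public.\"$t\"")"
    done
}

# Stream a custom-format dump into the target. --no-owner/--no-acl drop the
# Northflank role names the new platform does not know; --clean --if-exists
# makes a re-run idempotent. Row counts are compared before reporting success.
pg_migrate() {
  local src="$1" dst="$2" tmp_src tmp_dst
  assert_eu_target "$dst"
  pg_dump --format=custom --no-owner --no-acl --dbname="$src" \
    | pg_restore --no-owner --no-acl --clean --if-exists --dbname="$dst"
  tmp_src="$(mktemp)"; tmp_dst="$(mktemp)"
  table_counts "$src" >"$tmp_src"
  table_counts "$dst" >"$tmp_dst"
  if diff "$tmp_src" "$tmp_dst"; then
    rm -f "$tmp_src" "$tmp_dst"
    echo "row counts match on both sides; safe to point DNS"
  else
    rm -f "$tmp_src" "$tmp_dst"
    echo "row count mismatch: inspect before cutting over DNS" >&2
    return 1
  fi
}

# Usage: SRC_DATABASE_URL=... DST_DATABASE_URL=... ./migrate.sh run
if [ "${1:-}" = "run" ]; then
  pg_migrate "$SRC_DATABASE_URL" "$DST_DATABASE_URL"
fi
```

Run it with the Northflank URL as source and the new EU-hosted URL as target; a non-zero exit means either the target was rejected or the counts differ, and in both cases DNS should stay where it is. Keep the source instance alive until the counts match and the application has been smoke-tested against the new database.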
The Bottom Line
| Factor | Northflank | Scalingo | Koyeb | sota.io |
|---|---|---|---|---|
| Entity | UK Ltd | French SAS | French SAS | German GmbH |
| CLOUD Act | 3/25 | 0/25 | 1/25 | 0/25 |
| Legal regime | UK (IPA 2016; third country under GDPR) | EU (GDPR Art.3(1)) | EU (GDPR Art.3(1)) | EU (GDPR Art.3(1)) |
| Transfer mechanism needed | UK adequacy or SCCs | None | None | None |
| Adequacy renewal risk | Yes (four-year cycle, first sunset June 2025) | N/A | N/A | N/A |
| EU infrastructure | Hetzner Frankfurt/Amsterdam, UK control plane | Outscale/OVH (France) | Paris, Frankfurt (plus non-EU regions) | Hetzner Germany |
| Managed DB | ✓ | ✓ | ✓ | ✓ |
| DORA third-country risk | Yes | No | No | No |
| NIS2 supply chain risk | Yes | No | No | No |
| Pricing | From $20/mo | From €7.20/mo | Free tier / ~€25+/mo | From €9/mo |
Northflank is an excellent platform for teams outside EU GDPR scope. For EU companies handling EU personal data — especially those subject to DORA, NIS2, or sector-specific regulation — the IPA 2016 exposure and UK adequacy uncertainty create compliance overhead that 0/25 alternatives avoid.
See Also
- Heroku EU Alternative 2026 — Salesforce-owned PaaS with highest CLOUD Act risk in the series (22/25); useful contrast to Northflank's UK risk profile
- Fly.io EU Alternative 2026 — Container-first PaaS with similar DevOps focus; US jurisdiction vs Northflank's UK jurisdiction
- EU Managed Kubernetes Comparison 2026 — Northflank targets similar workloads; EU-native Kubernetes options like Scaleway Kapsule (0/25)
- EU Serverless PaaS Comparison 2026 — Full risk matrix across all four platforms in this series
Next in the series: EU Serverless PaaS Comparison Finale 2026 — Netlify, Fly.io, Heroku, Northflank, and EU-native alternatives side-by-side in a complete risk matrix.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.