Why US-Hosted Tunneling Services Are a GDPR Risk

If your business operates in the EU and processes personal data, GDPR governs how and where that data can be processed. Tunneling traffic through a US-hosted service creates a data transfer that needs legal justification.

The Schrems II ruling in 2020 invalidated the EU-US Privacy Shield — the primary mechanism that allowed EU data to flow to US companies. What remains are Standard Contractual Clauses (SCCs), which require a case-by-case assessment of whether the receiving country provides adequate data protection. For the US, that assessment is complicated by laws like the CLOUD Act and FISA Section 702, which allow US authorities to compel access to data even if it is stored outside the US.

The Problem With US-Based Tunneling

When you route traffic through a US-based tunneling service — ngrok, Cloudflare, or others — your data transits infrastructure controlled by a US entity. Even if they operate EU data centers, the corporate entity is subject to US jurisdiction.

Most tunneling providers log at least some traffic data: request URLs, response codes, connection metadata, IP addresses. This logging serves their product features — dashboards, analytics, debugging tools. But under GDPR, this logged data about EU citizens becomes personal data subject to transfer restrictions.

Scenario: The DPO's Risk Assessment

Your Data Protection Officer needs to evaluate the risk of using a US-based tunneling provider. The assessment requires documenting:

  • Where data is processed (multiple US and EU data centers, unclear routing)
  • What data is logged (request URLs, headers, IPs, response codes)
  • Legal basis for international transfer (SCCs with supplementary measures)
  • Risk of government access (CLOUD Act applies, no technical countermeasure)
  • Technical safeguards (traffic inspection is a core product feature, not avoidable)

This assessment takes weeks of legal review and results in a multi-page risk document with conditions and caveats.

With ProxyPass, the same assessment looks like this: data processed in Germany, operated by an Austrian company, no traffic logging, no international transfers, no US jurisdiction. Half a page, no conditions, no caveats.

The ProxyPass Alternative

ProxyPass eliminates this exposure entirely. The infrastructure runs on IONOS servers in Germany, operated by QSP in Austria. Both are EU entities under EU jurisdiction exclusively. No US parent company. No US subsidiary. No legal pathway for US authorities to compel data access without going through EU judicial cooperation processes.

Additionally, ProxyPass does not log traffic content — so even in a hypothetical legal request, there is no traffic data to produce.

For DPOs and compliance teams completing Data Protection Impact Assessments, ProxyPass provides a straightforward answer: EU operator, EU infrastructure, no traffic logging, no international data transfers. That is a shorter section in your DPIA than explaining SCCs, transfer impact assessments, and supplementary measures for a US-based provider.
