Compliance and Hosting: GDPR, 152-FZ, and Other Acronyms That Affect Your Server Choice

Imagine: you're launching a SaaS platform for European clients, choose the cheapest VPS in Singapore, and celebrate the savings. Six months later, you receive a letter from the regulator with a €20 million fine for GDPR violations. Sounds like a nightmare? For dozens of companies, this is reality.

Compliance in hosting isn't just a checkbox in a security list. It's a fundamental requirement that determines where you can store data, how to process it, and how much it will cost your business. In 2025, ignoring regulatory requirements can cost more than all infrastructure expenses for a year.

Let's break down which regulations exist, why choosing a server location country is a legal decision, and how not to get fined simply because you "didn't know."

What is compliance in the hosting context

Compliance is adherence to legal requirements and industry standards for data processing and storage. Sounds boring, but in practice, these are answers to questions:

Where is your users' data physically located? A server in Germany and a server in the USA are different jurisdictions with different laws. For European users, this is a critical difference.

Who has access to this data? A US provider under the CLOUD Act can transfer data to US intelligence agencies, even if the server is in Europe. For companies working with medical or financial information, this is a deal-breaker.

How is data protected? Encryption, access control, logging — all this isn't just best practices, but mandatory requirements of multiple regulations.

What happens during a breach? Notifying the regulator within 72 hours is a GDPR requirement. If your hosting provider can't ensure quick response, the problem becomes yours.

GDPR: European standard that's exported worldwide

The General Data Protection Regulation is the most famous and strictest data protection law. It came into force in 2018 and has since become the de facto global standard.

Who GDPR affects

Any business working with EU residents' data, regardless of where the company is registered. You have a startup in California but users from Germany? GDPR applies to you.

Hosting providers as data processors. If you host a site, the provider becomes a data processor, and you're the data controller. Both parties are responsible for GDPR compliance.

Key hosting requirements

Data Processing Agreement (DPA) — mandatory contract between you and the provider, describing how data is processed. If a provider doesn't offer a DPA, that's a red flag.

Placement in EU or adequacy countries. GDPR doesn't require physical placement in Europe, but significantly simplifies compliance if data doesn't leave the EU. Cross-border transfers require Standard Contractual Clauses (SCCs) and risk assessment.

Right to erasure and data portability. Your hosting must allow quick deletion of a specific user's data upon request. For WordPress, this is solved with plugins; for custom applications — with architectural solutions.
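The "architectural solution" for custom applications usually comes down to one thing: every table that holds a user's data must be traceable back to that user, so that a single request can both export it and delete it. The following is an added example, not code from the article; it assumes a small constructed sqlite schema (users, orders, support_tickets) and uses foreign keys with ON DELETE CASCADE so that erasing the user row removes every dependent row. The erasure_log table keeps only the user id and timestamp, so the fact that a request was honoured survives without retaining personal data.

```python
"""Right to erasure and data portability for a custom application.

Added example (not from the article). The schema, table names and sample rows
below are constructed for the demonstration.
"""
import json
import sqlite3
from typing import Dict, List

SCHEMA = """
CREATE TABLE users (
    id        INTEGER PRIMARY KEY,
    email     TEXT NOT NULL UNIQUE,
    full_name TEXT NOT NULL
);
CREATE TABLE orders (
    id           INTEGER PRIMARY KEY,
    user_id      INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    amount_cents INTEGER NOT NULL
);
CREATE TABLE support_tickets (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    body    TEXT NOT NULL
);
-- Proof that a request was honoured; deliberately holds no personal data.
CREATE TABLE erasure_log (
    user_id   INTEGER PRIMARY KEY,
    erased_at TEXT NOT NULL DEFAULT (datetime('now'))
);
"""

# Every table keyed to a user, listed in one place so a new table cannot be
# forgotten by the export or the verification query.
USER_TABLES = ("users", "orders", "support_tickets")


def _key_column(table: str) -> str:
    return "id" if table == "users" else "user_id"


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    # sqlite does not enforce foreign keys unless asked; cascades depend on it.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users(id, email, full_name) VALUES (?, ?, ?)",
        [(1, "anna@example.org", "Anna Example"), (2, "ben@example.org", "Ben Example")],
    )
    conn.executemany(
        "INSERT INTO orders(user_id, amount_cents) VALUES (?, ?)",
        [(1, 1999), (1, 4500), (2, 300)],
    )
    conn.executemany(
        "INSERT INTO support_tickets(user_id, body) VALUES (?, ?)",
        [(1, "Please change my delivery address")],
    )
    conn.commit()
    return conn


def export_user(conn: sqlite3.Connection, user_id: int) -> Dict[str, List[dict]]:
    """Data portability: every row tied to the user, ready for json.dumps()."""
    out: Dict[str, List[dict]] = {}
    for table in USER_TABLES:  # table names come from a fixed constant, not user input
        rows = conn.execute(
            f"SELECT * FROM {table} WHERE {_key_column(table)} = ?", (user_id,)
        ).fetchall()
        out[table] = [dict(row) for row in rows]
    return out


def erase_user(conn: sqlite3.Connection, user_id: int) -> int:
    """Right to erasure: one DELETE removes the user and, via cascade, all dependent rows.

    Returns the number of user rows deleted (0 if the user did not exist).
    """
    with conn:  # commit on success, roll back on error
        cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        if cur.rowcount:
            conn.execute("INSERT INTO erasure_log(user_id) VALUES (?)", (user_id,))
    return cur.rowcount


def rows_referencing(conn: sqlite3.Connection, user_id: int) -> int:
    """Verification after erasure: rows still tied to the user across all tables."""
    total = 0
    for table in USER_TABLES:
        total += conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE {_key_column(table)} = ?", (user_id,)
        ).fetchone()[0]
    return total


if __name__ == "__main__":
    db = open_db()
    print(json.dumps(export_user(db, 1), indent=2))   # portability export
    print("deleted users:", erase_user(db, 1))          # erasure
    print("rows left for user 1:", rows_referencing(db, 1))
```

The verification query matters in practice: a regulator asking for evidence of erasure wants more than "we ran a DELETE". Keeping the list of user-linked tables in one constant, and checking it in a test, is what prevents a later-added table from silently retaining data.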

Breach notification within 72 hours. The provider must have monitoring processes and security incident alerts.

Penalties: why it's serious

Up to €20 million or 4% of annual global turnover — whichever is greater. Amazon received a €746 million fine, Google — €90 million. These aren't theoretical figures.

For small businesses, fines are smaller, but even €10,000 can close an early-stage startup.

152-FZ: Russian approach to personal data protection

The Federal Law "On Personal Data" has been in effect since 2006, but the key amendments came into force in 2015. While GDPR focuses on user rights, 152-FZ emphasizes data localization.

Main requirement: localization

Personal data of Russian citizens must be collected, recorded, and stored on servers in Russia. This is part 5 of article 18. Not "desirable" — mandatory.

What counts as personal data: full name, phone, email, address, passport data, TIN, any information that allows identification of a person.

Cross-border transfer is allowed, but with a condition: data must first be collected and systematized in Russia. You can replicate to foreign servers, but the master copy stays in Russia.

Personal data categories

152-FZ divides personal data into 4 categories, each determining protection level:

Category 4 (publicly available) — data published with subject's consent. Example: marathon participants on a public site. Minimal requirements.

Category 3 — standard data (name, address, phone). Basic protection measures suffice. If you have an online store with up to 100,000 clients, you don't need FSB and FSTEC licenses.

Category 2 — biometric data (fingerprints, facial photos).

Category 1 (special) — data on race, nationality, beliefs (philosophical, religious, political), health information, criminal records. Requires maximum protection level (UZ-1) with certified software.

Who doesn't need to notify Roskomnadzor

If you collect data only for contract fulfillment (for example, name and email for order delivery), notifying Roskomnadzor isn't required. But data protection requirements remain.

Penalties under 152-FZ

  • Individual: from 1,500 to 50,000 ₽
  • Official: from 6,000 to 800,000 ₽
  • Legal entity: from 30,000 to 18,000,000 ₽

Plus criminal liability for malicious data use — up to 10 years in prison.

HIPAA: when data concerns health

The Health Insurance Portability and Accountability Act is a US law from 1996 regulating the processing of medical information.

Who HIPAA affects

Covered entities: hospitals, clinics, insurance companies, pharmacies — all who work with Protected Health Information (PHI).

Business associates: cloud providers, medical software developers, billing companies — anyone with PHI access as part of service.

Even if you're not a medical organization but develop telemedicine or store medical records — HIPAA applies to you.

Technical requirements

Business Associate Agreement (BAA) — mandatory contract between covered entity and hosting provider. A provider without BAA cannot store PHI.

PHI encryption both at rest and in transit. HIPAA calls this an "addressable requirement" — you must either implement it or document why it's impossible.

Access control: unique user IDs, automatic logoff, logging of all data actions.

Physical security: data center access control, video surveillance, protection from physical data destruction.

Key feature: no formal certification

HIPAA is a law, not a standard with a certificate. A provider may claim "HIPAA compliant," but you must verify compliance through audits and self-assessments.

Penalties

From $100 to $50,000 per violation, maximum $1.5 million per year. With malicious PHI use — criminal liability up to 10 years in prison.

PCI DSS: payment data protection

The Payment Card Industry Data Security Standard is a standard created by the major card brands (Visa, Mastercard, American Express) to protect bank card data.

Who PCI DSS affects

Anyone who processes, stores, or transmits bank card data. Online store, payment gateway, cloud provider storing card tokens — all under PCI DSS.

Even if you use Stripe or PayPal and don't store cards yourself, some PCI requirements still apply.

12 PCI DSS requirements

  1. Install and maintain firewall
  2. Don't use default passwords and settings
  3. Protect stored cardholder data
  4. Encrypt data transmission in open networks
  5. Use antivirus software
  6. Develop and maintain secure systems
  7. Restrict data access on need-to-know basis
  8. Assign unique ID to each user
  9. Restrict physical data access
  10. Track network resource access
  11. Regularly test security systems
  12. Maintain information security policy

Compliance levels

Level 1: more than 6 million transactions/year — requires QSA (Qualified Security Assessor) audit.

Level 2-4: fewer transactions — Self-Assessment Questionnaire (SAQ) suffices.

Penalties

From $5,000 to $100,000 per month until violations are remedied. Plus possible loss of card acceptance rights.

Overlap: when multiple regulations apply simultaneously

Reality of 2025: most businesses fall under several regulations at once.

Case 1: Telemedicine with card payments

Medical platform in the USA accepting card payments. Must comply with:

  • HIPAA (medical data)
  • PCI DSS (payment data)
  • GDPR (if there are EU patients)

Good news: many requirements overlap. Encryption, access control, logging, staff training — these are common controls for all standards.

Case 2: E-commerce with international audience

Online store selling to Russia and EU:

  • 152-FZ (Russian buyers)
  • GDPR (European buyers)
  • PCI DSS (card processing)

Practical solution: servers in Russia for Russian data, with replication to the EU for European data. Payment data is processed by a PCI-compliant processor (Stripe, Adyen); you only work with tokens.

Case 3: SaaS for B2B with global clients

Solution architecture:

  • Multi-regional placement: EU (Germany), Russia (Moscow), USA (Virginia)
  • Data residency by client choice
  • Single control panel, but physically isolated instances
  • DPA/BAA contracts with each client

Complex? Yes. But this is standard enterprise-level practice.
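The routing decision in Case 2 (Russian data collected in Russia first, then replicated) and Case 3 (residency by client choice, physically isolated regional instances) is the same mechanism: a layer in front of the regional stores that decides where a master copy may be written and where it may be replicated, and records every decision. The following is an added example, not code from the article; the region names (eu-de, ru-msk, us-va), the abbreviated EU country list and the tenant names are constructed, and the transfer_mechanism field stands for a documented transfer basis such as SCCs or the Data Privacy Framework.

```python
"""Data-residency enforcement in front of regional stores.

Added example (not from the article). Regions, tenants, country list and records
are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed region inventory: store name -> jurisdiction.
REGIONS = {"eu-de": "EU", "ru-msk": "RU", "us-va": "US"}
# Abbreviated, constructed list; a real deployment uses the full EU/EEA list.
EU_COUNTRIES = {"DE", "FR", "NL", "IT", "ES", "PL", "IE"}


class ResidencyViolation(Exception):
    """A write or replication would breach the residency policy."""


@dataclass
class Tenant:
    name: str
    home_region: str                          # data residency by client choice
    transfer_mechanism: Optional[str] = None  # e.g. "SCC" or "DPF"; None = no basis for EU -> non-EU transfer


@dataclass
class Record:
    subject_country: str   # ISO country of the data subject
    payload: dict = field(default_factory=dict)


def _region_in(jurisdiction: str) -> str:
    return next(r for r, j in REGIONS.items() if j == jurisdiction)


class ResidencyRouter:
    def __init__(self, tenants: List[Tenant]) -> None:
        self.stores: Dict[str, Dict[str, Record]] = {r: {} for r in REGIONS}  # isolated per region
        self.tenants = {t.name: t for t in tenants}
        self.master: Dict[str, str] = {}           # record_id -> region holding the master copy
        self.audit_log: List[Tuple[str, ...]] = []  # every routing decision is logged

    def route(self, tenant: Tenant, record: Record) -> str:
        """Decide where the master copy of this record must be written."""
        home = tenant.home_region
        if record.subject_country == "RU":
            # 152-FZ: Russian citizens' data is collected and stored in Russia first,
            # regardless of which region the tenant chose.
            return _region_in("RU")
        if (record.subject_country in EU_COUNTRIES
                and REGIONS[home] != "EU"
                and tenant.transfer_mechanism is None):
            # GDPR: without SCCs/DPF on file, keep EU subjects' data inside the EU.
            return _region_in("EU")
        return home

    def write(self, tenant_name: str, record_id: str, record: Record) -> str:
        tenant = self.tenants[tenant_name]
        region = self.route(tenant, record)
        self.stores[region][record_id] = record
        self.master[record_id] = region
        self.audit_log.append(("write", tenant_name, record_id, region))
        return region

    def replication_violation(self, tenant_name: str, record_id: str, to_region: str) -> Optional[str]:
        """Return the reason a replication is forbidden, or None if it is allowed."""
        tenant = self.tenants[tenant_name]
        source = self.master[record_id]
        record = self.stores[source][record_id]
        if record.subject_country == "RU" and REGIONS[source] != "RU":
            return "master copy of Russian subject data is not in Russia"
        if (record.subject_country in EU_COUNTRIES
                and REGIONS[to_region] != "EU"
                and tenant.transfer_mechanism is None):
            return f"EU subject data cannot be replicated to {to_region} without SCCs or DPF"
        return None  # 152-FZ allows foreign replicas once the master copy is in Russia

    def replicate(self, tenant_name: str, record_id: str, to_region: str) -> None:
        reason = self.replication_violation(tenant_name, record_id, to_region)
        if reason is not None:
            self.audit_log.append(("replicate-denied", tenant_name, record_id, to_region, reason))
            raise ResidencyViolation(reason)
        self.stores[to_region][record_id] = self.stores[self.master[record_id]][record_id]
        self.audit_log.append(("replicate", tenant_name, record_id, to_region))


if __name__ == "__main__":
    router = ResidencyRouter([Tenant("shop", "eu-de"), Tenant("saas-us", "us-va")])
    print(router.write("shop", "r1", Record("RU", {"name": "constructed"})))  # -> ru-msk
    router.replicate("shop", "r1", "eu-de")                                    # allowed
    print(router.write("saas-us", "r2", Record("FR")))                         # -> eu-de
    for entry in router.audit_log:
        print(entry)
```

The router fails closed: a tenant's chosen region is honoured only when the law of the data subject's country allows it, and the one operation that crosses borders (replication) is refused with a logged reason rather than silently skipped. That audit log is exactly the artefact a DPA review or a Roskomnadzor inspection asks for.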

How to choose hosting considering compliance

Step 1: Determine applicable regulations

Ask questions:

  • Where are your users located? (geography determines GDPR/152-FZ)
  • What data do you collect? (data type determines HIPAA/PCI)
  • Which industry do you work in? (healthcare, fintech, e-commerce)

Step 2: Check your provider

Documentation. Look for the following on the provider's website:

  • Privacy Policy with a detailed description of data processing
  • DPA/BAA templates
  • List of certifications (SOC 2, ISO 27001)
  • Information about the physical location of the DC

Red flags:

  • The provider cannot give the exact address of the data center
  • Refuses to sign the DPA
  • No information about backup and disaster recovery
  • Vague wording about "compliance with standards"

Step 3: Assess technical capabilities

Encryption at rest and in transit. Check what your provider uses:

  • TLS 1.3 for data transmission
  • AES-256 for storage
  • Encryption key management

Access controls. There must be:

  • Multi-factor authentication for administrators
  • Role-based access control (RBAC)
  • Audit logs of all actions

Incident response. Find out:

  • How quickly will the provider notify me of an incident?
  • Is there an SLA for response time?
  • Are regular security audits conducted?

Step 4: Check Data Processing Agreements

Any reputable provider has a DPA in place. Pay attention to:

  • Description of data processing purposes
  • List of subprocessors (if the provider uses subcontractors)
  • Breach notification procedures
  • Terms for deleting data upon termination of the contract

Step 5: Consider future growth

Compliance is not a one-time task. Choose a provider that:

  • Supports multi-regional deployment
  • Allows easy migration between locations
  • Updates certifications regularly
  • Communicates policy changes transparently

Common myths about compliance

Myth 1: "If data is in the cloud, it is automatically protected."

Reality: Shared responsibility model. The provider is responsible for the infrastructure, and you are responsible for configuration and access control. AWS may be HIPAA-compliant, but if you leave your S3 bucket public, that's your problem.
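Under the shared responsibility model, the public bucket is the customer's misconfiguration, and it is also one of the easiest to check for. The following is an added example, not code from the article or from AWS: an offline review of a bucket policy document and of the account's Public Access Block settings. The policy JSON and the account id are constructed, and the "public" test is a deliberately simplified heuristic (an Allow to Principal "*" without any Condition), not AWS's full definition of a public bucket.

```python
"""Offline check for public S3 bucket policies.

Added example (not from the article). The sample policy, its Sids and the
account id are constructed. The heuristic is simplified: an Allow statement
granted to everyone with no Condition is reported as public, one with a
Condition is flagged for manual review.
"""
import json
from typing import Any, Dict, List

# Four settings of S3 Block Public Access; all four should be enabled.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per Allow statement granted to everyone."""
    findings: List[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        sid = st.get("Sid", f"statement[{i}]")
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _principal_is_everyone(st.get("Principal")):
            continue
        actions = ", ".join(_as_list(st.get("Action")))
        if st.get("Condition"):
            # A Condition (e.g. aws:SourceVpce) may scope the grant; a human decides.
            keys = ", ".join(sorted(st["Condition"]))
            findings.append(f"{sid}: REVIEW - Allow {actions} to everyone, limited by Condition ({keys})")
        else:
            findings.append(f"{sid}: PUBLIC - Allow {actions} to everyone with no Condition")
    return findings


def public_access_block_gaps(config: Dict[str, bool]) -> List[str]:
    """Names of Block Public Access settings that are missing or disabled."""
    return [key for key in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(key, False)]


# Constructed sample policy: one truly public grant, one VPC-scoped grant,
# one grant to a specific role, one Deny.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")

# Constructed account-level settings with two of the four protections disabled.
SAMPLE_BLOCK_CONFIG = {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": False}


if __name__ == "__main__":
    for finding in public_statements(SAMPLE_POLICY):
        print(finding)
    print("Block Public Access gaps:", public_access_block_gaps(SAMPLE_BLOCK_CONFIG))
```

Running this over exported policies (for example from a nightly inventory job) catches the "HIPAA-compliant provider, public bucket" situation before an auditor or an attacker does; the Block Public Access check is the cheaper guard, since enabling all four settings makes the public policy ineffective regardless of what the document says.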

Myth 2: "The GDPR requires data to be stored only in the EU."

Reality: GDPR does not prohibit data storage outside the EU, but requires adequate protection during transfer. You can use a US provider with the EU-US Data Privacy Framework or Standard Contractual Clauses.

Myth 3: "152-FZ prohibits foreign hosting"

Reality: The law requires that data be collected in the Russian Federation first. Cross-border transfer is permitted to countries that have signed Council of Europe Convention ETS No. 108.

Myth 4: "Small businesses don't need compliance."

Reality: Penalties are proportional to the violation, not the size of the company. A single data leak can shut down a startup forever.

Practical checklist

Before choosing a hosting provider:

  1. Determine which countries' data you are processing
  2. Make a list of applicable regulations
  3. Classify data types (medical, payment, personal)
  4. Estimate the volume of data and the number of entities
  5. Determine the budget for compliance (including audits)

When choosing a provider:

  1. Check the physical location of the DC
  2. Request a list of certifications
  3. Study the Privacy Policy and DPA
  4. Clarify the backup and disaster recovery procedures
  5. Check the SLA for uptime and incident response
  6. Learn about subprocessors (if any)

After selecting a provider:

  1. Sign DPA/BAA
  2. Configure encryption at rest
  3. Implement access controls and MFA
  4. Configure audit logging
  5. Develop incident response plan
  6. Train your team in the basics of compliance
  7. Schedule regular security audits

The cost of compliance: what it will cost

Direct costs:

  • Hosting in a compliance-certified data center: 20-50% above the regular price
  • Certifications (SOC 2, ISO 27001): $15,000 to $50,000 per year
  • Legal review: from $5,000 for small businesses
  • Security measures (SIEM, DLP, encryption): from $10,000/year

Hidden costs:

  • DevOps time for configuration and support
  • Staff training
  • Regular audits and penetration testing
  • Documentation and processes

But remember: the cost of compliance is insurance. A single GDPR fine can exceed your annual infrastructure budget.

Conclusion: compliance as a competitive advantage

In 2025, compliance is not a bureaucratic burden, but part of product-market fit. Corporate clients check SOC 2 before signing a contract. Healthcare providers require HIPAA compliance. European users want to see a GDPR-compliant privacy policy.

Choosing the right hosting provider in light of regulations is not a technical decision, but a strategic business decision. It is a matter of customer trust, market access, and protection from legal risks.

Start by understanding which regulations apply to your business. Choose a provider that has not just "heard something about GDPR," but has documented processes and certifications. Invest in the right architecture from day one—migrating under pressure from regulators will cost you many times more.

And remember: compliance is not a destination, but a continuous process. Laws change, new requirements emerge, threats grow. A provider that helps you meet standards today must help you adapt to new realities tomorrow.