EU data residency is a paid upgrade for half your SaaS stack

Most SaaS vendors put "GDPR-compliant" on a trust page and call it done. When you actually read the DPA and the subprocessor list, three things decide whether a tool is safe to put EU personal data into — and the trust badge tells you none of them.

I went through ten SaaS tools that show up in almost every EU company's stack (Salesforce, HubSpot, Atlassian, Intercom, Notion, Slack, Asana, monday.com, Zendesk, Calendly) and checked the same three questions for each. One pattern jumped out: EU data residency, the thing most buyers assume is table stakes, is gated behind a higher plan for half of them. One vendor gates the signed DPA itself behind a paid tier.

The three questions that actually decide it

When a DPO or a buyer vets a subprocessor, the marketing copy is noise. These three questions change the answer:

1. Can my data stay at rest in the EU? Not "do they have an EU office" — can you provision your tenant so personal data physically rests in an EU region. For some vendors this is a real toggle. For others it only exists on Enterprise.