Data Localization

This document provides an overview of the geographical localization of the data and infrastructure operated by Obscreen. It complements the Privacy Policy, the Information Security Policy, the Systems Security and Integrity Policy, the Customer Data Encryption Policy, the Subprocessors page, and the Terms of Service.

1. Introduction

A precise knowledge of the localization of data is essential to ensure compliance with European data protection regulations, in particular the General Data Protection Regulation (GDPR), and to guarantee the security and confidentiality of the personal information of our customers and users.

This document describes the localization of the data and infrastructure for the services operated by Obscreen (Obscreen Cloud, license issuance, public websites). For self-hosted deployments, the localization of the customer's data is determined by the customer's own infrastructure choices and is the sole responsibility of the customer, in accordance with the Terms of Service.

2. Data and Infrastructure Localization

2.a Employees and Devices

• Localization: Mainland France.
• Devices: Laptops (macOS / Linux) used by employees and contractors.
• Usage:
  • Obscreen personnel work primarily from mainland France.
  • Laptops are configured to comply with the company's security policies (automatic screen locking, up-to-date operating system, MFA on services).
  • No customer or production data is stored locally on devices; laptops are used as secure access terminals.

2.b Application Runtime (Source Code and Compute)

• Primary Cloud Provider: Hetzner.
• Primary Region: Germany.
• Secondary / Auxiliary Providers: AWS (notably AWS S3 in Paris for database backups, AWS SES for email delivery, and optionally AWS CloudFront for additional frontend caching) and other subprocessors listed on the Subprocessors page, used for specific workloads where appropriate.
• Usage:
  • The application services (Studio control plane, license issuance, public APIs) are deployed on container-based infrastructure hosted in the European Union.
  • This localization ensures minimal latency for users in Europe and keeps processing within the EU.
  • Communications between services are protected within trusted network boundaries (see Customer Data Encryption Policy).

2.c Databases

• Provider: Hetzner.
• Technology: PostgreSQL on Hetzner-managed infrastructure.
• Primary Localization: Germany.
• Secondary Localization: A second region within the European Union for backups and disaster recovery.
• Usage:
  • Production databases store customer personal data (first name, last name, email, hashed credentials, billing metadata, license records).
  • All these data stores are located within the European Union, in line with the requirements of the GDPR.
  • Encryption at rest is enabled, as described in the Customer Data Encryption Policy.

2.d Primary Object Storage (Media and Exports)

• Provider: Cloudflare R2.
• Localization: Western Europe region (WEUR).
• Usage:
  • Cloudflare R2 hosts media files and exports related to Obscreen Cloud.
  • The WEUR jurisdiction restricts data placement to Cloudflare data centers located in Western Europe.
  • Encryption at rest is provided natively by Cloudflare R2.

2.e Database Backups

• Provider: Amazon Web Services (AWS) - Amazon S3.
• Localization: Paris (France) - AWS region eu-west-3.
• Usage:
  • AWS S3 in Paris is used to store backups of certain databases, providing an additional layer of redundancy on a separate provider, while remaining inside the European Union.
  • Backups are encrypted at rest.

2.f Content Delivery Network (CDN) and DNS

• Primary Provider: Cloudflare (CDN and DNS).
• Optional Provider: AWS CloudFront may be used for additional frontend caching where appropriate.
• Localization: Both providers operate global edge networks. The origin servers used by Obscreen are located in the European Union; cached static content (such as the public website, downloads, documentation) may be served from edge nodes worldwide for performance reasons.
• Personal data is not deliberately stored on the CDN; only cacheable, non-sensitive resources are served through the edge network.

2.g Email Delivery

• Provider: AWS (Amazon SES).
• Usage: Transactional emails (account notifications, license updates, support communications) are delivered through AWS SES.

2.h Diagnostic and Error Reports

• Provider: Sentry (when enabled by the user, in accordance with the Privacy Policy).
• Localization: Sentry processes anonymous error and crash reports under the safeguards described in their own privacy policy. Where the EU-region option is available and applicable, it is used.

2.i Other Subprocessors

A complete list of subprocessors is published on the Subprocessors page. Notable cases:

• Stripe (payment processing): Stripe processes payment data in accordance with its own data localization and compliance framework, with appropriate safeguards (Standard Contractual Clauses, encryption, PCI-DSS compliance) for any cross-border transfers.
• Google Workspace and Notion (internal collaboration tools): These services may process limited data (employee identifiers, internal documents) on infrastructure that includes regions outside the European Union, under appropriate safeguards.

3. Regulatory Compliance

• GDPR: All customer personal data processed by Obscreen Cloud is stored and processed within the European Union by default.
• International Transfers: Where a subprocessor (such as Stripe, Notion, Google Workspace, Cloudflare) processes limited data outside the EU, this is done under appropriate safeguards as recognized by the GDPR (Article 46), including:
  • Standard Contractual Clauses (SCC) approved by the European Commission.
  • Adequacy decisions where applicable (such as the EU–US Data Privacy Framework for certified providers).
  • Supplementary measures, such as encryption in transit and at rest, access controls, and contractual confidentiality commitments.
• Lead Supervisory Authority: The CNIL (Commission nationale de l'informatique et des libertés) is Obscreen's lead supervisory authority as a French entity.

4. Security of Data in Transit

• Encryption of Communications:
  • All communications between users, Players, services, and databases are encrypted using TLS 1.2 / 1.3.
  • Connections between Obscreen services across providers (Hetzner, Cloudflare, AWS, and others) are encrypted.
• Secure VPN:
  • Access to production databases is restricted and only possible through a secure VPN used by a limited number of authorized users (see Systems Security and Integrity Policy).

5. Redundancy and Backups

• Backups:
  • Backups of databases and critical storage are performed regularly, encrypted, and stored securely.
  • Backups remain within the European Union, in compliance with applicable legal obligations.
  • Daily backups are configured for the critical databases, in accordance with the Systems Security and Integrity Policy.

6. Benefits of the Current Localization

• Performance: The geographical proximity of servers ensures optimal response times for users in Europe.
• Legal Certainty: By keeping production data within the European Union and applying appropriate safeguards to limited international transfers, Obscreen reduces the risks associated with international data transfers.
• Availability: The cloud infrastructures of our subprocessors (Hetzner, Cloudflare, AWS, and others listed on the Subprocessors page) provide strong guarantees in terms of availability and resilience.

7. Self-Hosted Deployments

For self-hosted deployments of the Obscreen software:

• The localization of customer data is entirely determined by the customer's infrastructure.
• Obscreen does not host, store, or process Customer Content for self-hosted deployments, in accordance with the Terms of Service.
• The Obscreen-managed services that may still be reached by self-hosted instances (such as lic.obscreen.io for license verification, updates.obscreen.io for software updates, motd.obscreen.io for status messages) are subject to the localization described in this document. The data exchanged with these services is limited to the minimum required for license verification, status, and update checks. (plus all .com derived domains)

8. Conclusion

The localization of the data and infrastructure of Obscreen is carefully chosen to ensure security, performance, and regulatory compliance. By keeping production data within the European Union and by using trusted cloud service providers, we guarantee to our customers that their personal information is protected in accordance with the strictest standards. Where limited international transfers are unavoidable due to the nature of certain subprocessors, appropriate safeguards are put in place in accordance with the GDPR.

9. Contact

For any question regarding this Data Localization document, please contact us at [email protected].