You have just added a contact form to your boutique website, started collecting email addresses, and the next thing on your to-do list is a GDPR audit. The form works, the design is live, but you are not sure whether the server you are about to press "go live" on actually satisfies the law.
Below is the checklist we use every month at TrueCore Hosting to verify that a hosting environment is truly GDPR-compliant. It separates the responsibilities that fall on the provider from the actions you must take as a data controller.
What GDPR Actually Requires from Your Host
GDPR does not give a blanket "hosting is compliant" label. It demands concrete technical and organisational safeguards:
- Data residency - Personal data of UK residents must stay in a jurisdiction with an adequacy decision. For most UK businesses that means the data should reside on servers physically located in the United Kingdom, the EU, or another approved country.
- Encryption at rest - Encryption keys must be stored separately from the data. If a breach occurs, the stolen data must be unreadable without the key.
- Secure backups - Backups must be encrypted before leaving the host's network and must be retained only as long as needed.
- Access control - Only authorised accounts may read or modify personal data. Every privileged action must be logged.
- Auditability - You need to be able to produce logs that show who accessed data, when, and from where, within a reasonable retention period.
- Breach notification - The host must have a clear process to alert you within 72 hours of a security incident that could affect personal data.
These points translate into a handful of technical features you can verify on any hosting provider.
What TrueCore Provides
Our stack is built around transparency. All of the following items are visible in the control panel or via a simple command line check.
- Physical location - All customer sites run on our primary node ember, which sits in a Netcup facility in Nuremberg, Germany. That is not UK soil — "hosted in the UK" here means jurisdiction: TrueCore is a UK-registered company operating under UK law and GDPR, with UK-based support. Germany is covered by the UK adequacy decision, so your data stays in an approved jurisdiction. We also run spark in Sofia, Bulgaria, and litespeed in Dallas, US, but these are fleet infrastructure (DNS, failover) — customers do not choose a node, and no plan relocates your site off ember.
- Encryption - Backups are taken with
resticand encrypted before they are uploaded to per-node Backblaze B2 buckets, so backup data is encrypted at rest. The encryption password never leaves the server. - Backups - Backup intervals match the plan tier:
- Flameling - daily (24 h) - Ember - 12-hourly - Blaze - 6-hourly - Inferno - 30-minute
- Access logs -
flame-watchmanrecords every login attempt, container start, and privileged command. Logs are retained on a rolling basis and can be reviewed from the service log (Alpine runs OpenRC, so there is nojournalctl):
``bash rc-service flame-watchman status # or read the service log directly ``
- Database isolation - For Ember-level plans and above, each customer receives a dedicated PostgreSQL 16 instance. The database runs under its own
flame-bubblecontainer with strict cgroup limits, reducing the risk of cross-tenant data leakage. - Email - Email is provided through PurelyMail, a specialist email host. As with any external processor, treat it as part of your data map and confirm its own GDPR posture.
- TLS - Every site gets an auto-issued Let's Encrypt certificate, renewed automatically. The private key never leaves the host VM.
- Network security -
flame-guardian(nftables) andguardian-x(XDP) block malicious traffic at the kernel level. The firewall rules are version-controlled and can be inspected via the panel.
All of these pieces satisfy the technical "security of processing" article of the UK GDPR. The only thing we do not provide is a formal certification such as ISO 27001; we rely on the openness of our configuration and the adequacy of the EU jurisdiction.
What You Must Do - The Customer Checklist
Even with a compliant host, ultimate responsibility for personal data rests with you, the data controller. Tick each item before you launch.
- Map the data - List every piece of personal information you collect (email, name, address, payment token). Identify where it is stored: file system, PostgreSQL, mail inbox.
- Enable HTTPS everywhere - Verify that every page, including admin panels, uses HTTPS. A quick test is to run:
``bash curl -I https://yourdomain.com | grep -i strict-transport-security ` If the header is missing, add the Strict-Transport-Security` directive in your site's nginx config.
- Configure cookie consent - Ensure that any tracking or analytics scripts are only loaded after explicit consent. Use a simple JavaScript banner that blocks non-essential cookies until the visitor agrees.
- Define a retention policy - Decide how long you need to keep each data type. Set up automatic deletion in PostgreSQL or via a cron job that runs
DELETE FROM users WHERE created_at < NOW() - INTERVAL '30 days'. - Limit access - Create separate SSH keys for each team member. On the panel, assign the "read-only" role to anyone who does not need to edit files or databases.
- Document the process - Keep a record of how you obtained consent, how you handle data subject requests, and how you would notify authorities of a breach. This does not need to be a legal brief; a simple markdown file in your repo is enough.
- Test backups - Perform a restore test at least once per month. Use the
restic restorecommand to pull a snapshot into a temporary directory and verify that the decrypted files match the original data. - Monitor logs - Set up a daily email from
flame-watchmanthat summarises login attempts and privileged commands. Spotting a strange IP early can save you from a larger incident. - Update software - Keep PHP (8.3), nginx (1.28), and PostgreSQL (16) up to date with security patches. TrueCore updates the underlying OS automatically, but you must apply application-level updates yourself.
- Review third-party services - If you embed a payment gateway, analytics platform, or CRM, confirm that they also meet GDPR standards. The host cannot guarantee compliance for external APIs.
Quick Verification Script
Below is a small Bash script you can drop into your deployment pipeline. It checks three core items: TLS, encrypted backup presence, and PostgreSQL access restrictions.
#!/usr/bin/env bash
# 1. Verify HTTPS with HSTS
if curl -sI https://$1 | grep -qi "strict-transport-security"; then
echo "✅ HSTS header present"
else
echo "❌ HSTS header missing"
fi
# 2. List encrypted restic snapshots
echo "🔐 Restic snapshots:"
restic snapshots --repo b2:mybucket/backup | grep -i encrypted
# 3. Check PostgreSQL role permissions
echo "🔒 PostgreSQL role check:"
psql -U $PGUSER -d $PGDATABASE -c "\du" | awk '/^ \w+ / {print $1, $2}'
Run it with ./gdpr-check.sh yourdomain.com. If any step fails, address the specific issue before you go live.
Bottom Line
GDPR compliance is a shared responsibility. TrueCore provides encrypted backups, regular snapshots, granular logging, and EU-based data residency — all customer sites live on ember in Nuremberg, under UK jurisdiction — out of the box. Your job is to manage consent, limit data collection, enforce access controls, and keep your application stack patched.
Follow the checklist, run the verification script, and you will have a hosting environment that meets the UK GDPR's technical requirements without chasing vague "certifications". The result is a site that respects user privacy and keeps your business on solid legal ground.