Regional hosting
Formspring runs in two regions: EU (Falkenstein, Germany) and US (Ashburn, Virginia). The default for new projects is EU. Region is tracked per project so agencies and teams can keep client work, environments, and residency obligations separated.
What's in each region
The same stack runs in both regions. The difference is purely geography.
| Component | EU region | US region |
|---|---|---|
| Primary database | Hetzner Cloud, Falkenstein | Hetzner Cloud, Ashburn |
| Object storage (file uploads) | Hetzner Storage Box, Falkenstein | Hetzner Object Storage, Ashburn |
| Background workers | Same region as database | Same region as database |
| Backups | Same region as database, encrypted | Same region as database, encrypted |
| Edge / CDN | Cloudflare global (cached pages only) | Cloudflare global (cached pages only) |
Submissions, files, and metadata never leave the team's region. The only data that travels:
- Stripe billing (US-hosted; legally required for card processing)
- Postmark email delivery (region depends on Postmark's routing)
- Akismet spam classification (US-hosted; only when the form has Akismet enabled)
- hCaptcha challenge verification (region depends on hCaptcha's routing)
Each of those is a separate sub-processor with its own DPA - see sub-processors.
Default region
New projects default to EU. We picked that because:
- The majority of our customers are European
- GDPR compliance is straightforward without needing SCC paperwork for the primary data store
- The latency is fine for non-EU teams that don't have hard residency requirements
If you're a US-only operation and want US residency from day one, choose the US region when creating the project.
Pinning a region
You can pin each project to a specific region two ways:
At project creation
The project create form has a Data region picker. Pick EU or US before collecting submissions. Forms, surveys, funnels, files, and submissions inside that project inherit the project residency requirement.
After project creation
You can change the project region from Project → Settings → Data region. For an empty or low-volume project, this records the new residency requirement immediately.
If the project already contains submissions or files, email info@pixelandprocess.de from the team owner's address with:
- Team slug
- Project slug
- Target region
- Reason (helps us prioritize; "GDPR residency requirement" or "customer contract requires US data" are common)
A project region migration involves:
- We schedule a maintenance window with you (usually 30-60 minutes, off-peak)
- We snapshot the project records, transfer the snapshot, restore in the target region
- We transfer object storage (this is the slow part - depends on volume; up to several hours)
- Routing for the affected project flips to the new region
- We run a verification pass, then unlock the team
During the window, the project is read-only - submissions are queued for replay after the cutover so no data is lost.
Region migration is included on Scale plans at no extra charge. On Pro and Team it may require a one-time migration fee depending on storage volume.
Confirming where your data is
Each project page shows the selected region in the project settings panel:
Project -> Settings -> Data region: EU - Falkenstein, Germany
When project metadata is exported or inspected by support, the stored value is the machine-readable key, for example eu-falkenstein or us-ashburn.
Sub-region considerations
We don't pin to specific data centers within a region. Within EU, that means any of Hetzner's German DCs (FSN1, NBG1, HEL1) - they're all inside Germany. Within US, any of Hetzner's US DCs (currently ASH1).
If you have a hard contractual requirement for a specific country (e.g. France-only), that's a Scale conversation - we don't currently offer single-country pins as a standard feature.
Cross-region backups?
No. EU backups stay in EU. US backups stay in US. We don't replicate across regions - that would defeat the purpose of regional hosting.
This means an entire-region outage at Hetzner could interrupt service for one region without affecting the other. We accept this trade-off because cross-region replication of personal data is what most data-residency clauses are written to prevent.
What's next
- Sub-processors → - third parties and where they operate
- GDPR → - the formal compliance posture
- Encryption → - what's encrypted in transit and at rest
- Data retention → - how long things stick around