CPI-ControlCPI-ControlBlog
Best Practice

GDPR-Compliant Monitoring: Why Cloud-Based Tools Are a Risk

6 min read·
GDPR-compliant monitoring with local data storage

Your monitoring tool sees everything. Every request, every error, every log line. And buried in that data — often without anyone realizing it — is personal information. IP addresses in access logs. User IDs in error traces. Email addresses in failed authentication attempts. Request payloads containing names, addresses, and payment details.

Under GDPR, all of this is personal data. And the moment you send it to a cloud-based monitoring service, you’ve created a data processing relationship that requires legal agreements, documented safeguards, and the ability to prove exactly where that data lives and who can access it.

The Hidden Risk: Your Logs Contain Personal Data

Most developers don’t think of monitoring data as personal data. But consider what a typical error log contains: a timestamp, a request URL (which might include query parameters with user identifiers), a client IP address, a user agent string, and often a stack trace that includes the data being processed when the error occurred.

Kubernetes pod logs are even more revealing. Application logs frequently include database queries with user data, API request/response bodies, authentication tokens, and session identifiers. If you’re streaming these logs to a cloud monitoring service, you’re transmitting personal data to a third-party processor — potentially across international borders.

The GDPR doesn’t require you to avoid processing personal data. It requires you to know where it goes, who processes it, and on what legal basis. For most monitoring setups, the honest answer to these questions is: “We’re not entirely sure.”

Post-Schrems II: US Cloud Providers and Legal Uncertainty

The Schrems II ruling in 2020 invalidated the EU-US Privacy Shield, and the landscape hasn’t fully stabilized since. The EU-US Data Privacy Framework introduced in 2023 provides a mechanism for certified US companies, but legal challenges continue, and the framework’s long-term durability remains uncertain.

Standard Contractual Clauses (SCCs) are the fallback, but they require a Transfer Impact Assessment demonstrating that the recipient country provides adequate data protection. For US-based monitoring services, this assessment is complex: US surveillance laws like FISA Section 702 and Executive Order 12333 grant broad access to data held by US companies, regardless of where the data is physically stored.

This doesn’t mean you can’t use US-based monitoring tools. It means you need to document your legal basis, conduct impact assessments, and be prepared to defend your choices to a Data Protection Authority. For many small and medium-sized teams, this compliance overhead exceeds the value of the monitoring tool itself.

The Audit Problem

Article 30 of the GDPR requires a record of processing activities. Article 28 requires a Data Processing Agreement (Auftragsverarbeitungsvertrag, or AVV in German) with every processor. Article 32 requires appropriate technical and organizational measures to protect the data.

When a DPA asks “Where does your monitoring data go?”, you need a clear answer. With a cloud monitoring service, the answer involves the monitoring provider’s infrastructure, their sub-processors (often AWS, GCP, or Azure in various regions), their data retention policies, their encryption practices, and their employee access controls. You need to verify all of this, document it, and keep it updated as the provider changes their infrastructure.

This is manageable for large enterprises with dedicated compliance teams. For a 5-person development team, it’s a significant burden that often doesn’t get done properly — creating a compliance gap that surfaces only during an audit or, worse, a data breach investigation.

Local Monitoring Eliminates the Problem

Here’s the simple version: if your monitoring data never leaves your machine, there is no third-party processor. No DPA needed. No Transfer Impact Assessment. No sub-processor chain to audit. The data stays on your hardware, under your control, in your jurisdiction.

This isn’t a workaround or a loophole — it’s the architecturally cleanest solution. Local-first monitoring means your logs, metrics, health check results, and incident history are stored in a local database on your workstation. You can back it up, encrypt it, delete it, or move it — all without involving a third party.

For monitoring agents running on your own servers, the data path is equally clean: the agent collects metrics on your infrastructure and sends them to your desktop application over an encrypted connection. No cloud intermediary, no third-party storage, no cross-border transfer.

Credential Security: Keychain vs. Config Files

Monitoring tools need credentials: API tokens for GitHub and Vercel, kubeconfig files for Kubernetes, SSH keys for server access. How these credentials are stored matters enormously for both security and compliance.

Environment variables are common but risky — they’re visible to all processes, often logged accidentally, and persist in shell history. Config files are slightly better but still stored as plaintext on disk. Cloud monitoring services store your credentials on their servers, adding another attack surface.

The gold standard is the operating system’s native keychain: macOS Keychain, Windows Credential Manager, or Linux Secret Service. These provide encrypted storage, access control, and biometric authentication. Your monitoring tool should use the keychain by default — not as an optional feature, but as the only credential storage mechanism.

Five Questions Every Monitoring Tool Should Answer

Before choosing a monitoring solution, ask these five questions about data residency:

1. Where is the monitoring data stored?On your machine, in the provider’s cloud, or in a third-party cloud? Get specific: which region, which provider, which data centers?

2. Who has access to the raw data?Can the monitoring provider’s employees see your logs? Under what circumstances? Is access logged and auditable?

3. Where are credentials stored?In the provider’s cloud? In a config file? In the OS keychain? Are they encrypted at rest?

4. What happens when you delete your account?Is data actually deleted or just marked as inactive? What’s the retention period? Can you get a certificate of deletion?

5. Can you run it without an internet connection?If the monitoring tool requires a cloud connection to function, your data is being transmitted — even if the provider says it’s “processed locally.”

CPI-Control’s Architecture

CPI-Control was designed from the ground up for data sovereignty. All monitoring data is stored in a local SQLite database on your disk — health check results, incident history, deployment records, service metadata. Nothing is transmitted to any cloud service.

Credentials are stored in the macOS Keychain (or the platform-equivalent on Windows and Linux). API tokens for GitHub, Vercel, DigitalOcean, and Kubernetes never touch a config file or environment variable. They’re encrypted by the OS and protected by your login credentials.

The monitoring agent — if you choose to deploy it on your servers — communicates directly with your desktop application. There is no cloud relay, no intermediary storage, no third-party involvement. Your monitoring data stays in your infrastructure, under your control, fully GDPR-compliant without a single DPA.

Try CPI-Control Free

Monitor up to 50 services with zero cloud dependency.

Download for macOS
← Back to Blog