Listing criteria

Three rules. Zero exceptions.

Every product on eubuilt.eu meets all three of the criteria below — verified manually, every six months. We don't bend the rules for paid placements, big names, or convenience. This is the bar.

01 / EU Headquartered

Legal HQ in an EU member state

The company's official legal headquarters is registered in one of the 27 EU member states. Switzerland and EEA-only countries are excluded.

02 / EU Jurisdiction

Operates exclusively under EU law

The company is not subject to conflicting foreign legislation — most importantly, the US CLOUD Act and equivalent extraterritorial powers.

03 / GDPR Compliant

Provable, documented compliance

Published privacy policy, available DPA, demonstrable processing in line with GDPR — with sub-processor transparency.

01 EU Headquartered

The company's legal headquarters must be in an EU member state.

Not the marketing claim, not the operational presence — the actual legal entity, registered with a public business register in one of the 27 EU member states. We verify against the company's imprint, terms of service, and the relevant national register (e.g. Handelsregister, Registre du Commerce, Registry of Estonian Businesses).

This rule exists because "a European company" is one of the most stretched marketing claims in tech. A US C-corp with a Berlin office is not an EU company. A Cayman holding with a Tallinn subsidiary is not an EU company. The legal entity that signs the customer contract — and that has the legal exposure under EU law — is the one we list.

We accept

  • GmbH, SARL, BV, OÜ, S.A., S.r.l. and equivalent EU corporate forms registered in any of the 27 member states
  • EU-headquartered companies that have offices outside the EU (a Paris HQ with a NYC sales office is fine)
  • Companies originally founded outside the EU that have genuinely relocated their HQ and tax residency
  • Open-source projects with a clear EU-registered commercial entity behind them

× We reject

  • Companies registered in Switzerland, the UK, Norway, Iceland, or Liechtenstein — these aren't EU member states
  • EU subsidiaries of US, Chinese, or UK parent companies (the parent's law applies under most contracts)
  • "EU-friendly" companies whose actual HQ is in Delaware, the Caymans, or Singapore
  • Open-source projects without a commercial legal entity (we list the company, not the project)

Edge case

Switzerland: often perceived as "EU-equivalent" because of its strong privacy regime. But Switzerland is not in the EU and not in the EEA, and Swiss companies remain subject to Swiss law — including national-security and intelligence cooperation arrangements that don't apply to EU companies. We may add a separate "EEA & adequacy" tier in a later phase, but Switzerland will never be conflated with the core EU listing.

02 EU Jurisdiction

The company must operate exclusively under EU law.

An EU HQ is necessary but not sufficient. We also check that the company isn't structurally exposed to non-EU law — most importantly, the US CLOUD Act, which lets US authorities compel American companies (and many of their foreign subsidiaries) to hand over data, even when stored on EU servers.

For a buyer in a regulated industry, "data is in the EU" means very little if the company's parent is required by US law to surrender it on request. We treat that as a structural disqualifier — not a comfort.

What we check

For each listing, the review covers:

Required

  • Ownership structure: no controlling US, UK, or Chinese parent company
  • No operating agreement that subordinates the EU entity to a non-EU parent's compliance regime
  • Public statement (in privacy policy or DPA) that the company is not subject to the US CLOUD Act or equivalent
  • EU-only governance: directors and officers operate under EU jurisdiction

× Disqualifiers

  • EU subsidiary of a US-headquartered company (CLOUD Act applies through the parent)
  • Recently acquired by a non-EU buyer — we deprecate within 90 days of the closing
  • Joint venture where the non-EU partner has data-access rights
  • Use of US sub-processors for production data without a valid Article 46 transfer mechanism

On Microsoft Sovereign / AWS European Sovereign Cloud

The "sovereign cloud" offerings from US hyperscalers do not meet our criteria. The legal entity providing the service is still subject to the CLOUD Act regardless of how the data is operationally siloed. EU-data-resident does not equal EU-jurisdiction.

03 GDPR Compliant

Documented and demonstrable GDPR compliance.

Every EU company is technically subject to GDPR — but that's a much weaker statement than meeting the standard a procurement team or DPO actually needs. We require three concrete artefacts for every listing.

The three artefacts we check

Published privacy policy

Available without authentication, identifying the data controller, lawful basis, retention periods, and EU representative.

Available Data Processing Agreement

Either pre-signed in the customer's account or available on request within 5 working days. Compliant with Article 28 GDPR.

Sub-processor list

Public list of all sub-processors with their location, role, and data categories. Updates communicated to customers.

Stated data residency

Bonus, not strictly required: explicit commitment to EU-only storage. Most products that meet our other criteria provide this anyway.

"GDPR badge" companies

A surprisingly large number of products advertise themselves as "GDPR compliant" without actually offering a DPA, a sub-processor list, or a privacy policy that names the controller. We do not list these. Marketing claims are not evidence.

04 Verification process

How we actually verify a listing.

For each listing, the same four-step process is run end to end. It takes 30–90 minutes per product on first review, 15–30 minutes on re-verification.

STEP 01
Identify the legal entity

Imprint + business register check. Must be a registered company in an EU member state.

STEP 02
Check ownership & jurisdiction

Parent company, board, controlling stake. Disqualify on US/UK/CN parent or CLOUD Act exposure.

STEP 03
Audit GDPR artefacts

Read the privacy policy. Confirm DPA availability. Check the sub-processor list for non-EU exposure.

STEP 04
Editorial write-up

Write the description. Add the "replaces" alternatives. Set the verification date and pin if exceptional.

Re-verification cycle

Every listing is re-verified at least every six months. Re-verification covers the same four steps, plus a check for any company news (acquisitions, leadership changes, breach disclosures) that might change the eligibility picture.

Routine: every 6 months

Default cycle. Editorial re-runs the four-step process on every active listing.

Triggered: community flags

Anyone can flag a listing. Flags are triaged within 48h; concerning ones trigger an out-of-cycle review.

Triggered: news monitoring

Acquisitions, ownership changes, GDPR enforcement actions — these auto-flag the relevant listings.

Verified date is public

Every listing displays its last-verified date. If you see something stale, the system has failed — please flag it.

05 Deprecation

What gets a listing deprecated.

If a listing fails any criterion at re-verification — or sooner, if news warrants — it is deprecated. Deprecated listings remain accessible at their original URL with a clear banner explaining what happened, but are removed from search, category, and country pages.

The deprecation page records the reason, the date, and a short editorial note. We don't quietly delete listings.

Common deprecation reasons

× Structural failures

  • Acquired by a non-EU parent (CLOUD Act exposure)
  • HQ moved outside the EU
  • Switched to a US-headquartered processor for production data
  • Removed the DPA or made it gated behind enterprise plans only

× Editorial failures

  • Failed re-verification (criterion no longer met, no remediation in 30 days)
  • Confirmed misrepresentation of compliance posture
  • Out of scope (product retired or fundamentally changed)
  • Major regulatory enforcement action with un-remediated findings

06 Frequently asked

Common questions about the criteria.

Switzerland is neither in the EU nor in the EEA. While its data-protection regime is well-regarded, Swiss companies aren't subject to GDPR directly and operate under Swiss law — including national-security and intelligence-cooperation arrangements that don't apply to EU companies.

The UK left the EU in 2020 and is now a "third country" with its own UK GDPR. The Investigatory Powers Act gives UK authorities broad data-access powers comparable to the US CLOUD Act, which is why we treat UK-headquartered companies as outside the core listing.

We may add a separate "EEA & adequacy" tier in a future phase, but it will be clearly labelled and never conflated with the core EU listing.

Excluded. The CLOUD Act applies to US-headquartered companies and their foreign subsidiaries wherever the data is located. Operationally siloing the EU data is not a substitute for being legally outside the CLOUD Act's reach. This is why we don't list AWS, Microsoft, or Google's "sovereign cloud" offerings.

No. The criteria are non-negotiable. A company that meets them gets listed for free; a company that doesn't, doesn't — regardless of money. We may introduce paid "featured" placement in a later phase, but featured products will still need to meet all three criteria, and any sponsored placement will be clearly labelled.

We list the commercial entity behind a product, not the open-source project itself. If a project has no commercial company (e.g. a pure community project), it's out of scope for now — but we encourage maintainers to flag projects that have or are forming an EU legal entity, and we'll list those as soon as the entity exists.

Some US sub-processors are unavoidable in 2026 — for example, no fully-EU equivalent of Stripe exists for global card processing. We accept some US sub-processors if (a) they're genuinely necessary, (b) they're disclosed in the public sub-processor list, and (c) the company has a valid Article 46 transfer mechanism (typically Standard Contractual Clauses + supplementary measures).

What we don't accept: US sub-processors for the core production data path (e.g. shipping all customer data through Cloudflare, hosting on AWS US-East). For those, the company is structurally exposed and disqualified.

Submit it through the submission form. Editorial review SLA is one week. We approve, request more information, or reject with an explanation.

Tip: have your DPA, sub-processor list, and privacy policy URLs ready — these are the artefacts we'll check first.

Click "Flag listing" on the product page or email contact@eubuilt.eu. We triage flags within 48h and respond within a week with what we found and what we changed.

Possibly — for example, if EU adequacy decisions or sub-processor case law shift the legal landscape. Any change will be announced publicly with at least 30 days' notice, and we'll re-verify all existing listings against the new criteria. The criteria you see today have been the same since launch.

Build something that passes the criteria?

If you make EU software that meets all three rules, we'd like to know about it. Submit it via the form below — it usually takes us under a week to respond.