Schrems II compliance of Sanity's CDN for procurement processes in EU

6 replies
Last updated: Oct 26, 2022
Hi, has anyone experience in procurement processes where Sanity has been used as the main database in EU? If so, wonder if Sanity is classified as the Cloud Service Provider, or if this is Google Cloud as the underlying infrastructure?
AI Update

For EU procurement processes, the classification depends on your contractual relationship and how you're using Sanity:

In most cases, Sanity is the Cloud Service Provider (CSP), not Google Cloud. Here's why:

  • Sanity is the data controller/processor you contract with directly for content management services
  • Google Cloud Platform is Sanity's subprocessor - they provide the underlying infrastructure where Sanity hosts your data
  • From a procurement perspective, your contract is with Sanity, and Sanity is responsible for the service delivery

Key points for EU procurement:

  1. Data Residency: Sanity offers EU data residency with Belgium as a primary location for the Content Lake. You can configure your project to store data in EU regions.

  2. GDPR Compliance: Sanity is GDPR-compliant and provides:

  3. Security & Compliance: Sanity maintains security certifications including ISO and SOC 2, which are often required for procurement.

  4. Subprocessor Transparency: In your procurement documentation, you should note:

    • Primary CSP: Sanity AS (Norwegian entity) / Sanity US Inc.
    • Infrastructure subprocessor: Google Cloud Platform
    • Data location: EU (Belgium) when configured

For procurement documentation, classify it as:

  • Main vendor/CSP: Sanity
  • Infrastructure provider: Google Cloud (as subprocessor)
  • Data processing location: EU/Belgium (when configured)

This is the standard model for SaaS platforms - similar to how you'd classify Salesforce as the CSP even though they use AWS/their own infrastructure underneath.

Hi user Q, are you asking concerning Schrems II compliance of Sanity?
Yes indeed, user J – if you have any more info, it could be helpful
I will get things for you…
CDN Access Logs
The CDN has edge nodes across the globe, but even if a request is routed via US infrastructure (e.g. a request originating in the US that is routed to an edge node in the US, because it is geographically closest), all access logs are stored in Europe. This is the most important thing to note: no access logs are ever stored in the US. In addition to that, no requests originating in Europe should ever be routed to the US. They will instead be routed to a nearby edge node.

“anycast” IP addresses
The CDN uses “anycast” IP addresses, which means a single IP represents multiple servers across the globe. *It is a red herring that testing tools indicate these requests are routed to the US.* There is no definitive way to determine the geographical location of a server based on an IP address. When reporting location information, tools will often fall back to where the company that owns the IP address is registered. Another cause of inaccuracy is that the test itself will be dynamically routed to the closest server: if the tool conducts testing from a server located in the US, it will be handled by infrastructure in the US.

traceroute
There is a technical way we can investigate how CDN requests originating in Europe are being routed. traceroute is a tool to inspect the route a request takes through the network. Requests make multiple “hops” on the way to their final destination, and traceroute reports the duration each hop takes. Here is an example of a traceroute for cdn.sanity.io from my office in the UK; the output shows the IP address of each network hop and, more importantly, the duration of time each hop took. A transatlantic hop would take at least 70ms, but we can see each hop is well below that. We can therefore determine that the request is not being routed to the US. If you run a traceroute from your location, you should see similar results.

Services built on Sanity’s CDN are Schrems II compliant because:
• No access logs are ever stored in the US.
• Requests originating in Europe are routed to CDN edge nodes that are also located in Europe.
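As an added example (not from the post above, and not Sanity's own code), here is a small Python parser that applies the post's 70 ms rule of thumb to traceroute output: it extracts each hop's round-trip times, flags hops that look transatlantic, and reports hops that answered nothing. Both traces are constructed samples using documentation IP ranges, not real captures.

```python
import re

# Constructed sample (not a real capture) shaped like `traceroute cdn.sanity.io`
# run from a European office, using RFC 5737 documentation addresses; hop 3 lost
# one probe ("*") and hop 4 answered nothing, as real traces often do.
SAMPLE_EU = """\
traceroute to cdn.sanity.io (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.102 ms  0.987 ms  1.015 ms
 2  198.51.100.7 (198.51.100.7)  12.004 ms  11.876 ms  12.190 ms
 3  198.51.100.22 (198.51.100.22)  *  14.551 ms  14.490 ms
 4  * * *
 5  203.0.113.10 (203.0.113.10)  15.203 ms  15.011 ms  15.144 ms
"""

# Constructed counter-example: from hop 3 on the RTT jumps past the post's
# 70 ms rule of thumb, the signature of a path that has left the region.
SAMPLE_FAR = """\
traceroute to cdn.sanity.io (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.050 ms  0.990 ms  1.002 ms
 2  198.51.100.7 (198.51.100.7)  13.500 ms  13.210 ms  13.330 ms
 3  198.51.100.40 (198.51.100.40)  88.402 ms  87.950 ms  88.110 ms
 4  203.0.113.10 (203.0.113.10)  90.115 ms  89.870 ms  90.004 ms
"""

TRANSATLANTIC_MS = 70.0                       # threshold quoted in the post
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")   # "<hop number>  <rest of line>"
RTT = re.compile(r"(\d+(?:\.\d+)?)\s*ms")     # one match per answered probe

def parse_hops(output):
    """Return [(hop_number, [rtt_ms, ...]), ...]; unanswered probes ('*') are dropped.
    Each RTT is the round trip from the probing host to that hop, not a per-link delay."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if m:  # the "traceroute to ..." header line does not match
            hops.append((int(m.group(1)), [float(x) for x in RTT.findall(m.group(2))]))
    return hops

def suspicious_hops(output, threshold_ms=TRANSATLANTIC_MS):
    """Hops whose best (minimum) RTT reaches the threshold; the minimum is used so one
    probe delayed by queueing does not raise a false alarm."""
    return [h for h, rtts in parse_hops(output) if rtts and min(rtts) >= threshold_ms]

def silent_hops(output):
    """Hops that answered no probe; they cannot be judged and should be reported."""
    return [h for h, rtts in parse_hops(output) if not rtts]

def stays_regional(output, threshold_ms=TRANSATLANTIC_MS):
    """True when no answered hop reaches the threshold, i.e. the path looks intra-European."""
    return not suspicious_hops(output, threshold_ms)
```

Run it against the text of a real `traceroute cdn.sanity.io` from your own office; a silent hop is not proof of anything either way, so check it by hand rather than treating it as a pass.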
Thank you so much, user J, really appreciate it!
I know how it is to navigate EU rules and we did a lot of experiments
