// Infrastructure
Hosted in Europe. Answerable in Europe.
Holdstill keeps primary storage, processing, and backups for gallery delivery in European Union regions unless a documented exception applies under contract. This page explains what "EU hosting" means in practice for photographers, studios, and their corporate clients: where bytes live, how we think about subprocessors, how backups and deletion interact with residency, how we answer due diligence questionnaires, and how optional components such as transactional email or AI inference fit into the same posture. It complements our Privacy Policy and DPA and should be read together with them.
01What EU residency means for your galleries
When we say originals and derivatives remain in the EU, we mean the object storage buckets, compute regions used for transcoding and packaging, and databases that store gallery metadata and access rules are located in named EU data centres operated by vetted providers. We do not silently replicate your client-facing originals to multi-continent CDNs solely to shave milliseconds at the expense of predictable residency. Edge services that may sit closer to visitors are configured not to persist your imagery outside approved regions; where ephemeral caching occurs, it is time-bounded and documented internally.
02Why residency matters to your clients
Corporate and public-sector clients increasingly ask where wedding, portrait, and campaign imagery lives — not only which country your studio is in, but which cloud region holds backups and who can access them under subcontract. A clear EU posture simplifies answers in RFPs, school-board contracts, and GDPR accountability discussions. Holdstill's architecture is intentionally boring here: fewer regions, fewer surprises, and written commitments you can attach to your own privacy notices when you describe subprocessors.
03Subprocessors and transparency
We maintain a concise list of categories such as infrastructure-as-a-service, transactional email, observability, and optional AI inference. Each entry includes a functional description and the region used for personal data in scope of gallery delivery. We notify customers of material changes with advance notice so you can update your own registers of processing and object where data-protection grounds exist. We do not substitute unnamed "affiliates" for real engineering accountability.
04Backups, redundancy, and deletion
Backups are encrypted, co-located with production within the same residency commitment, and rotated on schedules aligned with recovery objectives and minimisation. When you delete a gallery or asset, active objects are removed promptly and backup copies expire on documented windows rather than indefinite retention. Cross-region backup copies outside the EU are not used for primary product data. If a future architecture change ever required them, we would amend this page, the DPA, and customer notices in advance.
05Transfers and legal mechanisms
If a strictly necessary subprocessor processes limited personal data outside the EU/EEA — for example because of a rare failover scenario — we rely on adequacy decisions, Standard Contractual Clauses, and supplementary technical measures such as encryption and strict access boundaries. We document transfer impact assessments where appropriate and can provide a summary for enterprise procurement teams under confidentiality.
06Performance without selling residency short
European hosting does not have to feel slow. We optimise transcoding pipelines, image renditions, and transport so typical gallery opens remain snappy on mobile networks common at venues. Where global anycast improves availability for DNS or static marketing pages, that layer does not become a loophole for storing your commissioned work in unspecified jurisdictions.
07AI and email in the same residency story
Optional AI inference is pinned to EU regions or EU-based providers as described in our AI Terms. Transactional email providers are selected for reliability and alignment with our DPA; message bodies contain only what you choose to send. Neither component is used to build unrelated advertising datasets.
08Logging, monitoring, and access
Operational logs that may contain personal data are stored in EU regions, access-controlled, and retained for periods proportionate to security investigations and compliance. Support staff access follows least privilege and is documented. We do not offer law-enforcement interfaces outside lawful process, and we push back on overbroad requests where permitted.
09Enterprise and custom deployments
Signature-tier customers with bespoke needs may negotiate additional contractual commitments, including named regions, stricter approval gates for subprocessors, or custom retention schedules where compatible with the product. Such terms, when executed, supplement this page for the named customer.
10Due diligence and questionnaires
Email privacy@holdstill.app with your security and residency questionnaire. We answer in writing with specifics rather than forwarding generic marketing PDFs. Typical artefacts include subprocessor lists, high-level architecture descriptions, and summaries of recent tests. Allow a few business days for first responses; complex reviews may iterate.
11What we ask of you
Accurate residency claims in your own client contracts depend on how you configure the product and any integrations you add outside Holdstill. If you export data to non-EU tools, that processing is outside our control and should be disclosed separately. Keep your account contact information current so we can reach you about material infrastructure changes.
12Telemetry minimisation
Product telemetry used to understand feature reliability is aggregated where feasible and avoids collecting message bodies or image pixels unless you submit them through explicit support flows. IP addresses in logs are truncated or rotated on schedules aligned with security investigations rather than indefinite behavioural dossiers.
13Maintenance windows and resilience
Planned maintenance may briefly affect availability; we schedule outside peak wedding-season windows where practical and publish status updates. Failover within EU regions may shift active processing between availability zones without changing residency commitments described here.
14Portability, exports, and leaving without regret
Residency is only half the story if you cannot leave with your originals and metadata intact. Holdstill provides export paths that bundle assets, gallery structure, and access configuration summaries suitable for migration to another stack or cold archive. Exports are generated from the same EU regions that host production data so you do not bounce files through opportunistic jurisdictions during retrieval. We document checksum expectations and retention of export jobs so your IT team can reconcile deliveries. If you need a one-time full account extract for corporate divestiture, contact privacy@holdstill.app with scope and we will schedule a window that respects rate limits and your own downstream storage policies.
15Schools, NGOs, and procurement language you can reuse
Public-sector and mission-driven clients often paste vendor answers directly into board packets. We therefore phrase residency statements conservatively: named regions, named categories of subprocessors, and explicit negation of silent multi-continent replication for gallery originals. When your questionnaire asks for data-flow diagrams, we provide simplified views that separate marketing site traffic from gallery delivery traffic so reviewers do not conflate static pages with client imagery. If a clause in your template conflicts with engineering reality, we flag it early rather than signing ambiguous language that your counsel cannot defend under audit.
16Photographer-owned integrations and scope boundaries
Holdstill's EU posture covers processing inside our product boundary. If you connect external CRMs, invoicing tools, or non-EU retouching platforms, those flows are your responsibility to disclose in your own privacy notices. We surface webhooks and API destinations clearly in settings so accidental forwarding of personal data to unreviewed endpoints is harder. When we ship first-party integrations, they inherit the same subprocessor discipline described in our DPA. If you need contractual assurance that a specific integration never stores pixels outside the EU, request a written addendum scoped to that integration ID.