The latest articles on DEV Community by Cadensa (@cadensa). https://dev.to/cadensa https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4003346%2F1452be8b-46b3-4d72-991b-8399a3c256d5.png https://dev.to/cadensa en Cadensa Fri, 26 Jun 2026 06:12:23 +0000 https://dev.to/cadensa/why-we-built-eu-native-time-tracking-and-what-schrems-ii-has-to-do-with-it-2e7o https://dev.to/cadensa/why-we-built-eu-native-time-tracking-and-what-schrems-ii-has-to-do-with-it-2e7o <p>In 2020, the Court of Justice of the European Union invalidated the EU–US Privacy Shield. The ruling — known as Schrems II — declared that US surveillance law makes it impossible for US companies to guarantee the privacy of EU citizens' data, even if that data is stored "in Europe."</p> <p>Most SaaS founders in the US probably shrugged. Most EU agency owners probably didn't notice at all. But the implications were significant: transferring personal data to a US-based processor became legally risky, even if those processors had EU data centers.</p> <p>I built Cadensa because I kept running into this exact problem while advising small EU agencies on their software stack.</p> <h2> The problem hiding in plain sight </h2> <p>Let's say you run a 12-person digital agency in Amsterdam. You use a popular US time tracking tool — one that has a "Frankfurt data center" checkbox. You tick the box, feel good about it, and move on.</p> <p>Here's what you might not know:</p> <ul> <li>The vendor is a US company subject to FISA Section 702 and CLOUD Act requests</li> <li>Even if your data sits on EU servers, US authorities can compel access</li> <li>Your DPA is using standard contractual clauses that post-Schrems II case law increasingly views as insufficient</li> <li>Your enterprise clients — especially in finance, healthcare, or public sector — are starting to ask for a data processing agreement that names the actual sub-processors</li> </ul> <p>None of this is FUD. It's just the current legal reality.</p> <p>And the truly ironic part: <strong>time tracking data is surprisingly sensitive</strong>. It contains project names, client names, employee working hours, task descriptions, and billing rates. It's exactly the kind of data that triggers GDPR Article 5(1)(f) — integrity and confidentiality.</p> <h2> What we built instead </h2> <p>Cadensa runs entirely on <strong>Hetzner Cloud, Frankfurt</strong>. Not "Frankfurt as a region on AWS." Hetzner is a German company, incorporated in Germany, subject to German law and the GDPR — not the CLOUD Act.</p> <p>GDPR compliance isn't a toggle you flip on the Enterprise plan. It's on every plan, including Free:</p> <ul> <li>Data stored in the EU (Germany)</li> <li>Right to erasure: full account deletion with 7-day reversible grace period</li> <li>Right to portability: JSON export of all your data, on demand</li> <li>Data processing agreement available at signup, not behind a sales call</li> </ul> <p>Multi-tenancy is database-level, not row-level. Each organizational unit gets its own isolated MongoDB database. A breach in one tenant can't cascade to another. This is more expensive to operate, but the security and compliance story is clean.</p> <h2> The technical part (for the devs reading this) </h2> <p>The stack: <strong>Express.js + TypeScript</strong> on the backend, <strong>React 18 + Vite</strong> on the frontend, <strong>MongoDB</strong> (multi-database architecture), <strong>Socket.io</strong> for real-time presence and live updates.</p> <p>The thing that surprised me most architecturally: implementing GDPR rights as first-class API citizens is genuinely hard. "Delete my account" sounds simple. In practice, it means:</p> <ol> <li>Soft-delete with a 7-day grace period (user can reverse)</li> <li>Hard-delete: cascade across multiple databases (global user record + all tenant databases)</li> <li>Anonymize data that legally must be retained (financial records, audit logs) rather than delete it</li> <li>Export: traverse the entire data graph and serialize it to a portable format</li> </ol> <p>We have a <code>gdprRights.service.ts</code> that handles this. It's one of the more complex parts of the codebase, and it's not optional — it's a legal requirement.</p> <p>Email hashing was another non-obvious decision: user emails in the global database are stored as SHA-256 hashes. We never store plaintext emails globally. This limits some email-based lookups, but it means a global DB dump leaks no PII.</p> <h2> What I'd tell other EU founders </h2> <p>If you're building a SaaS for European SMBs or agencies, <strong>EU data residency is becoming a selling point, not just a checkbox</strong>. We've had prospects come to us specifically because their enterprise clients required it.</p> <p>You don't need to be perfect on day one. But you do need:</p> <ol> <li>A clear answer to "where is my data?"</li> <li>A DPA you can actually show to a client's legal team</li> <li>No hand-waving about "we're GDPR compliant" without specifics</li> </ol> <p>The 12-person agency in Amsterdam doesn't have a dedicated compliance officer. They need a tool that makes the right answer easy to give.</p> <p>That's what we're building with Cadensa.</p> <p><strong>Cadensa</strong> is EU-native time tracking for agencies — free plan, no credit card required. If you're building something similar or have thoughts on GDPR + SaaS, I'd love to hear from you in the comments.</p> <p><a href="https://cadensa.io" rel="noopener noreferrer">cadensa.io</a> — building in public, one sprint at a time.</p> sass webdev buildinpublic gdpr