EU Data Residency for Event Photos: Why It Matters for B2B Procurement
A photo-sharing tool for your next conference looks, on the surface, like a low-stakes purchase. Guests scan a QR code, upload from their phones, and you get the album. It is the kind of thing an event manager can sign up for in an afternoon — until it reaches the desk of whoever owns vendor risk, and the first question comes back: where is the data actually stored?
For an EU enterprise, that question is not bureaucratic friction — it determines whether the tool can be approved at all. The photos are personal data of identifiable employees, clients, and guests, and the moment they leave a phone and land on a server, the jurisdiction of that server pulls the purchase into a body of law — the GDPR's rules on international transfers — that procurement is obliged to clear before signing.
This guide is for the people who answer that question: procurement, IT, and legal gatekeepers evaluating an event photo platform. It explains what "EU data residency" actually means (and how it differs from "GDPR compliant"), why it removes a specific legal burden from your team, how the EU–US transfer rules stand in mid-2026, and how to verify a vendor's residency claim instead of trusting the badge. It is written for the EU/EEA context.
Not legal advice. This article explains the relevant GDPR provisions and is for general guidance only. It cites the regulation directly so you can verify each point, but it is not a substitute for advice from your own data protection officer or counsel on your specific situation.
Data residency is the answer to which country's servers physically hold and process your data. For an event photo platform, that data is the uploads themselves — photos, videos, voice messages — plus the database records and any backups that describe them.
It is worth separating three things vendors often blur together in marketing copy:
This distinction matters to procurement because residency is the single fact that decides whether a transfer of personal data outside the EU has happened at all. Keep the data in the EU, and the transfer rules in Chapter V of the GDPR never come into play. Move it to a third country, and they do — with everything that follows.
Because the GDPR makes leaving the EU a regulated act, and the burden of proving it was done lawfully sits with you — the controller — not the vendor.
Under Chapter V, a transfer of personal data to a third country is lawful only if it rests on an adequacy decision (Article 45) or, failing that, on appropriate safeguards such as the European Commission's Standard Contractual Clauses (Article 46(2)(c)), with enforceable data-subject rights and effective remedies. That is not a box a vendor ticks for you. If your conference photos are processed in the United States, your organisation has to show which mechanism made that lawful — and, after Schrems II, that you assessed the destination and documented supplementary measures (more on the current rules below).
In practice that is concrete work a US-hosted tool creates and an EU-hosted tool removes: a transfer-impact assessment to perform and document, a defensible legal basis on file ready for a supervisory authority, and ongoing exposure to a legal status that has shifted more than once in the last decade — each shift a re-assessment for every US vendor you use. Keeping the data in the EU collapses all of that to nothing: no transfer, so no mechanism to choose, no impact assessment, and no adequacy decision whose fate you have to track. For a team trying to clear a low-value tool without a month of legal review, that is the value of residency — the difference between a quick approval and an open compliance file.
A Data Processing Agreement and data residency answer two different questions, and you generally need both. When an external tool processes personal data on your behalf and on your documented instructions, Article 28(3) requires a binding written contract — the DPA — governing how the processor handles the data. But that contract does not, by itself, answer where the data lives or whether a cross-border transfer is lawful; that is the separate Chapter V question above. A vendor can hand you a perfectly good Article 28 DPA and still process your photos in a third country, leaving the transfer question open. So the procurement checklist is not "DPA or EU residency"; it is "DPA and a clear answer on residency." (For what an Article 28 DPA must actually contain, see our companion guide, Data Processing Agreements for Event Tech, linked below.)
This is the part that makes residency attractive as a simplification. The short version: transfers to the US are currently possible, but the ground has shifted before and an appeal is live, so a US-hosted tool is an ongoing assessment rather than a settled one. The state of play as of mid-2026:
None of this is a reason to panic about US tools. It is a reason to recognise that choosing one means owning a question whose answer has changed before and may change again — and re-papering every affected vendor each time it does. Choosing an EU-resident tool means the question never opens, and takes you out of the line of fire of the next Schrems-style decision.
Check where these tools actually host data and the market divides into three camps. The following reflects each provider's own publicly available company and privacy information as captured on 2026-06-08 — the gaps are as telling as the claims.
Explicitly US-based. Several popular tools state plainly that data sits in the United States, with no EU option: GuestCam (hosted on US-based cloud storage, no EU/European hosting), Kululu (primary content on Google Cloud / Firebase servers in the US), Fotify (operated by Lumenlio, LLC, a Delaware company), and Wedibox (a US company, Wedibox LLC). For any of these, an EU enterprise processing employee or guest photos is squarely in third-country-transfer territory and owns the full assessment.
Explicitly EU-resident. A smaller set names EU/EEA hosting directly: EventPics (run by an Austrian company, Aigner Software e. U., hosting in an EU region), JoinMyMoment (EU/EEA hosting, with sub-processors in Germany (Hetzner), France (Scaleway), and AWS Frankfurt), and Lense (servers in the European Union, personal data primarily stored and processed there). These are the tools where the transfer question does not arise.
Unstated or unclear — which is its own red flag. A meaningful share of tools do not clearly say where data lives. Several Germany- or EU-marketed apps lean on "Made in Germany" or "European servers" language without an explicit server statement; others — with an undisclosed company location, or running on Google Cloud with no stated EU region — leave the jurisdiction genuinely unknown. For procurement, unstated residency is a finding, not a neutral result. If a vendor cannot tell you the hosting jurisdiction in writing, you cannot complete your transfer analysis, and the tool should not clear review until the vendor does.
One caution: an EU residency claim on a marketing page is a starting point, not proof. The next section closes that gap.
"DSGVO-konform" on a homepage is a marketing assertion. A procurement team needs evidence it can put in a file. Five questions turn a claim into something verifiable:
Answer all five cleanly and in writing, and you have residency you can defend. Point only to a badge, and you have a claim you can't.
Gathmo is built for exactly the procurement question this article is about. Its data residency is in the EU, with object storage in the EU jurisdiction, the primary database in Frankfurt, EU-based compute, and Data Processing Agreements in place with its processors. A DPA is available on request across the per-event tiers and is included on the B2B Studio, Agency, and Enterprise subscriptions. Retention is defined and finite rather than open-ended (the per-event tiers run from a 14-day window up to 365 days, depending on tier), which is the storage-limitation posture Article 5(1)(e) looks for. For a procurement or IT team whose default question is "does this keep our event data in Europe?", that is a yes that comes with the proof — a named data centre and processor DPAs — not a marketing badge alone.
Two points of honesty, because procurement should hear them from us rather than discover them later. First, Gathmo does not offer facial recognition or face-search at launch — it is a Phase 2 roadmap item, not a live feature. For a corporate buyer that is a feature in itself: ordinary photo galleries that do not build face templates avoid the heightened, separate biometric-consent obligation that face-matching triggers under Article 9. Second, residency is becoming a crowded claim — several vendors advertise European servers — so we would frame Gathmo's edge not as "the only EU option" but as EU residency you can verify: a named jurisdiction, a sub-processor story, and a signed DPA. Run the five-question check above against us; that is what it is for.
Frequently asked
Yes — whenever an organisation collects, stores, or publishes photos of identifiable people for its own purposes, those photos are personal data and the GDPR applies. The "purely personal or household activity" exemption (Art. 2(2)(c)) can cover an individual keeping their own snaps, but not the company or any platform processing photos on the company's behalf.
No. "GDPR compliant" describes a vendor's practices generally; data residency is the specific fact of where the data is stored and processed. A US-hosted tool can call itself GDPR-compliant and still trigger a cross-border transfer the moment EU personal data reaches its servers — which is the thing residency avoids.
It is possible, but it is a transfer to a third country, so it has to rest on an adequacy decision (Art. 45) or appropriate safeguards such as SCCs (Art. 46), with — after Schrems II — a documented transfer-impact assessment. As of mid-2026 the EU–US Data Privacy Framework is in force for DPF-certified US organisations, but an appeal is pending. The burden of getting this right sits with you as the controller.
Ask for the data centre region in writing (in the DPA or order form), the full sub-processor list and each one's location, where backups and logs sit, and confirmation that the residency commitment is in the contract you sign. A vendor that can only point to a marketing badge has not given you something you can defend.



