Insights · hosting ·

EU-hosted vs US-hosted for Slovenian SMBs: 4 real trade-offs

Hetzner Frankfurt or Vercel in Ohio? What actually breaks around GDPR, latency, DDV invoicing, and 22:00 support — with real numbers from Gorenjska projects.

  • #hosting
  • #gdpr
  • #schrems-ii
  • #wordpress
  • #slovenia

TL;DR

  • Frankfurt to Ljubljana is 24-28 ms; Virginia is 108-115 ms — a real conversion hit for any WooCommerce checkout.
  • DPF works, but Privacy Shield died once and “Schrems III” is already circling — an EEA-hosted stack keeps your ROPA three columns shorter.
  • Hetzner issues an EU-VAT-compliant invoice with 22 % Slovenian DDV; US providers push you into reverse-charge every month.
  • Nobody at AWS or Vercel picks up the phone at 22:00 — for shops taking money after 20:00, that alone decides the argument.

Until 16 July 2020 nobody running a small business in Kranj thought about where their website actually lived. Then the CJEU handed down C-311/18 — better known as Schrems II — and Privacy Shield died overnight. Three years later, on 10 July 2023, the Data Privacy Framework arrived as the new roof over transatlantic data transfers. Sounds solved.

It isn’t.

A representative example, composited from cases we’ve handled (details anonymised): an SMB retailer got a note from their auditor pointing out that their Google Analytics 4 setup, running through us-central1, without a proper DPIA and without an updated ROPA, looked like a potential Art. 44 GDPR breach. The remediation — moving analytics to self-hosted Plausible and migrating hosting from a US provider to Hetzner Cloud CX22 in Frankfurt — came in as a low-four-figure invoice. Not catastrophic. Enough that the owner remembers the auditor’s name.

So “EU or US hosting” isn’t a technical question anymore. It’s legal, financial, and — at least for the two Slovenian auditors we know — procedural. Below we unpack four trade-offs that actually matter for small Slovenian businesses in 2026.

Trade-off 1 — Where the data lives and who’s allowed to read it

GDPR (Regulation EU 2016/679) Articles 44-46 require that transfers of personal data outside the EEA rest on “appropriate safeguards”. The Data Privacy Framework is a certification scheme a US provider has to sign up to explicitly. It’s not automatic. Cloudflare is certified. AWS is certified. Your obscure US provider called “SuperFastHost” — probably not.

What that means in practice for a DPO writing a ROPA under ZVOP-2 (Slovenia’s GDPR implementation) is three more columns. Provider name, DPF status on the signing date, and — because DPF might fall the way Privacy Shield fell — a plan B. If the hosting sits inside the EEA, those three columns aren’t needed at all; Art. 45 GDPR lets data flow freely within the bloc.

Bankart, the main Slovenian card processor, gave us a useful window into this last spring. Their legal team, when onboarding a new merchant for card processing, asks for a signed DPA and a subprocessor list with processing locations. If the hosting sits in us-east-1 and the merchant can’t explain the processor’s DPF certification, onboarding stretches to 6-8 weeks. Merchants hate it. Bankart isn’t doing anything wrong — they’re just protecting themselves from the same auditor that will come for them.

Practical test — can you get a signed DPA and a ROPA-ready line in three emails? Hetzner sends a DPA as PDF within 24 hours, no negotiation, directly from the Robot panel. AWS publishes its DPA openly; 47 pages, but it’s there. Vercel’s DPA is straightforward on Pro; on Enterprise you go through a call with their EMEA legal team.

IllustrationBar chart of round-trip time from Ljubljana to Frankfurt, Amsterdam, Virginia and Oregon
Latency budget: 26 ms to Frankfurt, 164 ms to Oregon. Every extra 100 ms of RTT costs about 1 % of checkout conversion (Amazon 2007, replicated since).

Trade-off 2 — Latency to your actual customers

Real numbers from our traceroute tests in June 2026, from Ljubljana over Telekom’s network:

  • Frankfurt (Hetzner fsn1/fra1) → Ljubljana: 24-28 ms
  • Amsterdam (DigitalOcean ams3) → Ljubljana: 32-36 ms
  • Dublin (AWS eu-west-1) → Ljubljana: 42-48 ms
  • Virginia (AWS us-east-1) → Ljubljana: 108-115 ms

For a marketing site with four static subpages the difference is cosmetic. For a WooCommerce checkout it’s not. Every extra round-trip — every AJAX cart update, every UPN-QR validation call, every hit to Stripe or Bankart’s Payten API — multiplies by RTT. Amazon’s 2007 study measured a 1 % drop in conversion per 100 ms of added latency. WPO Stats has been repeating that number since 2019. Our own dashboards say the same.

Concretely: in one representative migration we ran, moving a WooCommerce shop from DigitalOcean NYC1 to Hetzner CX22 Frankfurt, Time to First Byte from Ljubljana dropped from 340 ms to 78 ms. Checkout conversion during the season that followed went up 11 % — not exclusively due to hosting (we also added LiteSpeed 6.4 cache), but most of it was latency.

If your customers are in Gorenjska, Ljubljana, Maribor, or Koper — you want a server in Frankfurt or Amsterdam. End of debate. This is the same maths we walked through in our note on the GDPR-safe Slovenian checkout, and it’s why every online store we ship for a Slovenian client boots on an EU-region VM.

”For a typical Gorenjska SMB, US hosting is a solution without a problem.”

— This post’s thesis

Trade-off 3 — Night support and who picks up at 22:00

An online shop that falls over mid-Facebook-ad-campaign at 21:47 on a Friday — that’s a concrete problem. The question is who responds.

A Hetzner support ticket at 22:00 CET on a Friday: reply in 11-40 minutes, in English, from Nürnberg or Falkenstein. Their L1 checks the console, restarts, reports back with diagnosis. We tested it three times last year; one of them was a bad RAM stick on our VM and they migrated it to another host in 2 hours, no extra work from our side.

AWS support without a Business plan (from $100/month) is community forums plus documentation. With Business — 24/7 tickets, hour-ish response, but the agent is likely in Dublin or Cape Town. WordPress knowledge? Not technically their remit. They tell you “the EC2 instance is healthy, the issue is at application layer” and they’re right. And it doesn’t help you.

Slovenian providers are a separate story. Domenca has an SL-speaking phone line 08:00-20:00 weekdays. Neoserv offers 24/7 support on VPS plans with a competent L1 team — we tested twice, both callbacks arrived inside 20 minutes. ARNES is restricted to registered organisations (schools, public bodies, universities); irrelevant for SMBs. Suša Digital runs a smaller but responsive team — a test call on behalf of a Radovljica client at 23:00 came back within 40 minutes.

Our navigation for shops taking money after 20:00: either Neoserv (Slovenian-language support is worth the premium), or Hetzner with a third-party care plan (we act as your L1), or a combination. Going direct to AWS or Vercel for a micro-SMB — we don’t recommend it. You don’t ring them up. You open a case and wait.

ScreenshotAnonymised Hetzner Cloud invoice with the 22% Slovenian DDV line highlighted
A real Hetzner invoice: 22 % Slovenian DDV on a separate line, VAT ID validated via VIES, input VAT reclaimable like any domestic expense. No reverse-charge gymnastics.

Trade-off 4 — Cost and how DDV lands on the invoice

Real prices as of July 2026:

  • Hetzner Cloud CX22 (2 vCPU, 4 GB RAM, 40 GB NVMe): €4.51/month + 22 % Slovenian DDV = €5.50 total. Invoice in EUR, VAT ID validated, input VAT deductible.
  • DigitalOcean Droplet basic (2 vCPU, 4 GB, fra1): $28/month ≈ €26/month, reverse-charge VAT (DO has no SI VAT number; their EU seat is Amsterdam).
  • Vercel Pro: $20/month base, but function invocations and bandwidth pile up; a real invoice for a mid-sized SMB site lands between €40-90/month, also reverse-charge.
  • ARNES virtual server (if you qualify): €0 — but not available to commercial entities.

The key difference isn’t the gross price. It’s the DDV mechanics. Hetzner sends an EU-VAT-compliant invoice with 22 % DDV and your accountant treats it like any other domestic expense — input VAT is reclaimed in the monthly FURS return. A US provider sends an invoice without VAT (because you’re a B2B counterparty in another country), so your accountant has to self-report reverse charge — first calculate the VAT, then deduct it in the same line. Net difference in euros: zero. Extra accounting work: measurable.

For a micro-SMB under €50k annual turnover, this rounds to cosmetic. For a d.o.o. with a monthly DDV return, Hetzner saves about 30-40 minutes of accounting per month. In Gorenjska, an accountant’s hour runs €55-80. Do the maths yourself.

The one case where US-hosted still wins

If 80 % of your traffic is North American — a SaaS product, an English-language technical blog, e-commerce shipping to US buyers — Frankfurt kicks you in the shins. RTT from New York to Frankfurt is ~85 ms; from New York to us-east-1 is ~15 ms. For a marketing brochure it’s a wash. For an API-heavy app it’s decisive.

A concrete example: in another representative migration, a B2B SaaS with 92 % US customers moved from Hetzner fsn1 to AWS us-east-1. P95 API response dropped from 380 ms to 95 ms. Hosting cost doubled. For them it made sense.

For a typical Gorenjska SMB — a campsite in Bohinj, a dentist in Kranj, a joiner from Jesenice, a restaurant in Blejska Dobrava — US hosting is a solution without a problem. Frankfurt wins on all four trade-offs above.

FeatureEU-hosted (Hetzner Frankfurt)US-hosted (AWS us-east-1)
Data residency & GDPRArt. 45 free flow inside EEA; no extra ROPA columnsDPF certification required; SCCs + DPIA on top
Latency Ljubljana → server24-28 ms108-115 ms
Invoice & Slovenian DDVEUR invoice, 22 % DDV, input VAT deductibleUSD, reverse-charge every month
Night support (22:00 CET)Reply in 11-40 min, human on consoleCommunity forum, or $100/mo Business plan
Monthly cost, plain WordPress€12-18 all-in€40-90 typical

Our default recommendation for Gorenjska SMBs

Hetzner Cloud CX22 or CX32 in fra1, PHP 8.3, MariaDB 10.11, LiteSpeed Web Server (not WP Rocket — we’ve tested both, LiteSpeed is about 30 % faster under matched conditions), Cloudflare Free or Pro in front for WAF (DPF-certified, so ROPA-friendly). Backup to Hetzner Storage Box, roughly €4/month for 100 GB with 30-day retention. All in: €12-18/month for a plain WordPress site, €25-40/month for a serious WooCommerce store expecting 500-2,000 daily visitors.

If you want to move this from “I know I should sort that out” to “sorted”, drop us a note. The Numen care team takes over the migration, the DPA paperwork and the night pager as part of the plan. If you’re still choosing between a rebuild and a migration, browse our recent work or ask for a free mockup on your own domain first.

FAQ

Is US hosting illegal now? No. It’s paperwork. If the provider is DPF-certified (AWS, Cloudflare, Google Cloud, Microsoft Azure), you can document the transfer properly. If they aren’t certified, you need Standard Contractual Clauses and a DPIA. Doable — just work. And documentation.

Does the Data Privacy Framework fix this permanently? Probably not. Privacy Shield lasted four years. DPF has structurally similar weaknesses — Max Schrems at NOYB has already floated “Schrems III”. Until the next court decision, we’re in the legal state of “valid until it isn’t”. Plan accordingly.

Can I still use Cloudflare? Yes. Cloudflare is DPF-certified, has EU billing entities, and offers Regional Services for EU-only routing if you want extra peace of mind. For CDN and DDoS protection it stays our default even in front of EU-hosted origins.

What about my Google Analytics? GA4 out of the box ships hits to us-central1. Slovenia’s Information Commissioner, following the Austrian and French DPAs, has held that GA4 without IP anonymisation and without proper SCCs isn’t compliant. The fixes: GA4 with a server-side proxy in the EU, or migrate to Plausible / Umami hosted in the EU. The second option is less painful in practice and runs about €9/month.

How do I invoice DDV on Hetzner? Hetzner auto-validates your VAT ID (SI + 8 digits) through VIES; once confirmed they issue a B2B invoice with 22 % Slovenian DDV. Enter it in your incoming invoices book like any domestic expense, input VAT deducts as normal. Do pull the PDFs down monthly — Hetzner only keeps them for 12 months.

How fast is fast enough for a marketing site? Target Time to First Byte under 200 ms and Largest Contentful Paint under 2.5 s on a 3G mobile connection. Frankfurt to Ljubljana clears that with headroom. Google PageSpeed Insights is free and honest enough for a self-check.

What if Hetzner Frankfurt goes down? Happened once in the four years we’ve been running there — about 3 hours in October 2023, router failure. Redundancy: Hetzner offers fsn1 and nbg1 as alternative DCs inside Germany; or DigitalOcean fra1 as an independent standby. For a micro-SMB, off-site backup plus a clear restore playbook is enough. For a shop over €50k monthly revenue or with a Black Friday dependency — active secondary DC.

Do I need a DPA with my hosting provider? Yes, always. GDPR Art. 28 is unambiguous — anyone processing personal data on your behalf is a “processor” and needs a contract. Hetzner’s DPA ships in the standard package, accessible from Robot > Server > DPA. AWS publishes theirs. Vercel too. If a provider can’t tell you where their DPA is within three emails, that’s a red flag — skip them.


If this guide leaves you somewhere between “I should look at that” and “done”, that’s normal. Our care team does exactly this for Gorenjska SMBs — first call is free, written proposal, no follow-up gauntlet.

Let's talk

Ready to fix, build,
or scale?

30 minutes, with me personally. I'll read your system like a log file and tell you what I'd do first. No pitch deck, no sales funnel.

Davor Majc, founder, Numen

What you get on call
→ a one-page diagnosis
→ 2–3 fix shapes, ranked by leverage
→ rough cost + timeline for each
→ yes/no — am I the right fit
+386 40 828 474 · Blejska Dobrava, SI