
GDPR-Compliant Odoo Hosting: What You Need to Know

DeployMonkey Team · March 11, 2026

If you host Odoo for EU-based customers — or process EU residents' personal data — GDPR compliance is not optional. The regulation applies to where data is stored, who processes it, how long it's retained, and how you respond to data subject requests. This guide covers the specific requirements for Odoo hosting and what you need to have in place.

EU Data Residency

GDPR doesn't explicitly require data to be stored in the EU, but it does prohibit transferring personal data to countries without an "adequate level of data protection" unless specific safeguards are in place (Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions). In practice, choosing EU-based servers for EU customer data is the cleanest approach — it avoids the complexity of transfer mechanisms entirely.

For Odoo hosting, this means choosing a VPS provider with EU datacenter options. Hetzner (Germany and Finland datacenters), OVHcloud (France, Germany), and DigitalOcean (Amsterdam, Frankfurt) all offer EU-based infrastructure. When provisioning a server for EU customer data, always select an EU region explicitly — not a US or APAC region.

With BYOS hosting like DeployMonkey, you control the server location entirely. You select the datacenter when you provision the VPS, and it never changes without your action. This is a meaningful difference from SaaS hosting where the provider controls data location and may move data for infrastructure reasons.

Data Processing Agreement (DPA) with Your Hosting Provider

Under GDPR Article 28, any third party that processes personal data on your behalf must sign a Data Processing Agreement. Your hosting provider is a data processor — they have access to the infrastructure where personal data is stored, even if they don't access the data content directly.

Check whether your hosting provider offers a DPA:

  • Hetzner: DPA available, GDPR-compliant, German company subject to German data protection law
  • DigitalOcean: DPA available through their Data Protection Addendum
  • Vultr: DPA available on request or through their legal documents
  • OVHcloud: GDPR-compliant, French company, DPA available

DeployMonkey also offers a DPA for customers who require one. As a managed hosting operator with access to your infrastructure, we fall under the processor definition and can execute a DPA to document the data processing relationship appropriately.

Keep signed DPAs on file. They're required documentation for demonstrating GDPR compliance if you're ever audited or face a data subject complaint.

Personal Data Handling in Odoo

Odoo stores personal data across many models by design: contacts (res.partner), CRM leads, employees, sales orders, invoices, and more. Understanding what's stored and where is the foundation of a GDPR compliance posture.

Data inventory: Document what categories of personal data Odoo processes for your business — names, email addresses, phone numbers, payment information, IP addresses (in logs), browsing behavior (website module). This is your Record of Processing Activities (ROPA) required under GDPR Article 30.

Data minimization: Odoo is configurable. If you're collecting fields that you don't need, disable or hide them. Don't collect date of birth if it's not relevant; don't require personal phone numbers when business numbers suffice.

Access controls: Odoo's record rules and security groups should be configured so that staff can only access personal data they need for their role. A sales rep doesn't need access to HR data; a warehouse picker doesn't need access to customer financial history.

Retention policies: Define how long different categories of data are retained. Inactive customer records shouldn't sit in the system indefinitely. Odoo doesn't enforce retention automatically — you need to build or schedule archiving/deletion processes.

Right to Erasure (Right to Be Forgotten)

GDPR Article 17 gives data subjects the right to request deletion of their personal data under specific circumstances. In Odoo, implementing erasure requires care — records are interconnected, and deleting a contact can break accounting records that have legal retention requirements.

A practical approach for Odoo erasure requests:

  1. Identify all records linked to the data subject (res.partner and all related models)
  2. For records with legal retention requirements (invoices, contracts), anonymize rather than delete — replace identifying fields with generic placeholders
  3. Delete or anonymize records that have no legal retention requirement (CRM leads, marketing contacts, website form submissions)
  4. Remove the contact from all marketing lists and communication sequences
  5. Document the erasure action and date

Odoo's "Anonymize" function (available in some versions under the contact form) handles basic anonymization. For thorough erasure, a custom script or module that handles all linked records is more reliable.
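The five steps above, scripted against Odoo's XML-RPC API as an added example (not the article's or Odoo's own code): `execute` is assumed to be `execute_kw` with db, uid and password already bound via `functools.partial`; the field names, the `account.move`, `crm.lead` and `mailing.contact` models, and the in-memory `memory_store` stand-in with its sample records are assumptions and constructed data so the script runs without a server.

```python
import datetime

# Identifying res.partner fields overwritten with placeholders (step 2); False
# clears a field over XML-RPC and active=False archives the contact.
PLACEHOLDERS = {"name": "Erased data subject", "email": False, "phone": False, "mobile": False,
                "street": False, "city": False, "zip": False, "vat": False, "comment": False, "active": False}
# Models deleted outright (step 3); account.move is absent on purpose: invoices keep partner_id.
DELETABLE = {"crm.lead": "partner_id"}


def erase_partner(execute, partner_id, today=None):
    """Five-step erasure for one contact; returns the audit trail (step 5).
    execute(model, method, args, kwargs) is assumed to be Odoo's XML-RPC
    execute_kw with db/uid/password already bound via functools.partial."""
    today = today or datetime.date.today().isoformat()
    # Step 1: the contact and the records that point at it.
    email = execute("res.partner", "read", [[partner_id], ["email"]], {})[0]["email"]
    kept = execute("account.move", "search", [[("partner_id", "=", partner_id)]], {})
    trail = [f"kept {len(kept)} account.move (legal retention, anonymous via partner)"]
    # Step 2: anonymize and archive the contact itself; its id and links survive.
    execute("res.partner", "write", [[partner_id], PLACEHOLDERS], {})
    # Steps 3 and 4: non-retained records, then marketing entries (mailing.contact has no partner_id, so match by e-mail).
    targets = [(m, [(f, "=", partner_id)]) for m, f in DELETABLE.items()]
    targets += [("mailing.contact", [("email", "=ilike", email)])] if email else []
    for model, domain in targets:
        ids = execute(model, "search", [domain], {})
        if ids: execute(model, "unlink", [ids], {})
        trail.append(f"deleted {len(ids)} {model}")
    trail.append(f"anonymized res.partner {partner_id} on {today}")
    return trail


def memory_store(tables):  # constructed offline stand-in for execute_kw over {model: {id: record}}
    def execute(model, method, args, kwargs):
        recs = tables.setdefault(model, {})
        if method == "search":  # single-clause domain, case-insensitive compare
            field, _, value = args[0][0]
            return [i for i, r in recs.items() if str(r.get(field)).lower() == str(value).lower()]
        if method == "read":
            return [dict(recs[i], id=i) for i in args[0]]
        for i in args[0]:  # write or unlink
            recs[i].update(args[1]) if method == "write" else recs.pop(i)
        return True
    return execute


SAMPLE = {  # constructed: one customer with an invoice, a lead and a newsletter entry
    "res.partner": {7: {"name": "Jane Doe", "email": "jane@example.com", "phone": "+32 2 555 0100"}},
    "account.move": {100: {"name": "INV/2025/0042", "partner_id": 7}},
    "crm.lead": {5: {"name": "Jane follow-up", "partner_id": 7}},
    "mailing.contact": {3: {"name": "Jane Doe", "email": "Jane@Example.com"}},
}
```

Run it as `erase_partner(memory_store(SAMPLE), 7)` to see the trail; against a live server, replace `memory_store(SAMPLE)` with the bound `execute_kw` callable and run the result in a test database first.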

Encryption at Rest and in Transit

In transit: All Odoo traffic should be served over HTTPS with a valid TLS certificate. Let's Encrypt provides free certificates; DeployMonkey provisions and auto-renews them for you. There is no acceptable reason to run a production Odoo instance over plain HTTP.

At rest: Encrypting the data volume on your VPS adds a layer of protection if the physical server is compromised. Most VPS providers support encrypted volumes. Hetzner, for example, supports LUKS encryption on volumes. Note that database-level encryption and application-level encryption are separate concerns — at-rest encryption protects against physical media theft, not against an attacker with server access.

Backups: Backups must be encrypted if they contain personal data. Unencrypted database backups stored in a cloud bucket are a compliance risk. Configure backup encryption before storing any personal data. GPG encryption of backup files before upload is straightforward and widely supported.

Choosing EU Servers with DeployMonkey

DeployMonkey is a BYOS (bring your own server) platform, which means you provision the VPS in any datacenter you choose. For GDPR compliance, provision your server in an EU datacenter — Hetzner Falkenstein or Helsinki, DigitalOcean Amsterdam or Frankfurt, or OVHcloud Gravelines. The server location is your choice, and it never changes without your action.

We offer a DPA for customers who need it. SSL is handled automatically (Let's Encrypt, auto-renewed). Backup encryption can be configured through our backup settings. Audit logging records all platform actions for compliance documentation.

For a broader security overview, read our Odoo security best practices guide. For questions about hosting architecture, see deploying Odoo on Hetzner.

Frequently Asked Questions

Does GDPR require data to be stored in the EU?

Not explicitly, but transferring personal data outside the EU requires specific legal mechanisms (Standard Contractual Clauses, adequacy decisions). Storing data in the EU avoids this complexity entirely and is the recommended approach for EU-focused businesses.

Is Odoo itself GDPR compliant?

Odoo SA as a company is GDPR-compliant for data they process. The Odoo software includes features to support compliance (access controls, activity logs, anonymization tools), but compliance is your responsibility as the data controller. The software is a tool; compliance comes from how you configure and use it.

Do I need a DPA with Odoo SA for self-hosted?

If you're self-hosted and not using Odoo Online or Odoo.sh, Odoo SA is not processing your data — your hosting provider is. You need a DPA with your VPS provider and with any other third party that has access to your infrastructure or data, including managed hosting providers like DeployMonkey.

How do I handle a Subject Access Request (SAR) in Odoo?

A SAR requires you to provide the data subject with all personal data you hold about them within 30 days. In Odoo, this means querying all relevant models (contacts, orders, invoices, CRM leads, support tickets, website form submissions) and compiling the results. There's no automated SAR export in standard Odoo — this typically requires a manual or scripted process.

Are Odoo logs covered by GDPR?

Yes. Odoo server logs may contain IP addresses and user identifiers, which are personal data under GDPR. Configure log retention periods and ensure logs are stored securely. Access logs should be rotated and deleted after your defined retention period (commonly 90 days for access logs, shorter for debug logs).
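A retention filter for Odoo server logs, as an added example (not the article's or Odoo's own code): it drops lines older than their logger's retention period (90 days for werkzeug access lines, a shorter default elsewhere, both assumed) and keeps traceback continuation lines with their header. It goes one step beyond the delete-only rule above by truncating client IPv4 addresses in kept lines older than a week; the log line pattern follows Odoo's stock logging format and the sample lines are constructed.

```python
import datetime
import re

# Odoo's default prefix: "YYYY-MM-DD HH:MM:SS,mmm PID LEVEL DB logger: message"
# (assumed from the stock logging format; adjust if you customised it).
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \d+ \w+ \S+ (\S+): ")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}\b")
# Retention in days per logger: 90 for access lines, shorter for the rest (assumed values).
RETENTION_DAYS = {"werkzeug": 90}
DEFAULT_RETENTION_DAYS = 30


def mask_ipv4(text):
    """Zero the last octet: still useful for debugging, no longer identifies a host."""
    return IPV4_RE.sub(r"\1.\2.\3.0", text)


def apply_retention(lines, today_iso, mask_after_days=7):
    """Return the lines still allowed on today_iso (YYYY-MM-DD). Lines past their
    logger's retention are dropped; continuation lines (tracebacks) follow the
    decision for their header; kept lines older than mask_after_days lose the
    last IPv4 octet (the masking threshold is an assumption)."""
    today = datetime.date.fromisoformat(today_iso)
    kept, keep = [], False
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            age = (today - datetime.date.fromisoformat(m.group(1))).days
            keep = age < RETENTION_DAYS.get(m.group(2), DEFAULT_RETENTION_DAYS)
            if keep and age >= mask_after_days:
                line = mask_ipv4(line)
        if keep:
            kept.append(line)
    return kept


SAMPLE_LOG = """\
2025-11-01 08:00:00,000 2141 INFO prod werkzeug: 203.0.113.5 - - [01/Nov/2025 08:00:00] "GET /web/login HTTP/1.1" 200 - 3 0.004 0.011
2026-03-01 09:12:44,118 2141 INFO prod werkzeug: 203.0.113.5 - - [01/Mar/2026 09:12:44] "POST /web/login HTTP/1.1" 303 - 5 0.010 0.042
2026-03-10 10:00:01,000 2141 INFO prod werkzeug: 198.51.100.7 - - [10/Mar/2026 10:00:01] "GET /web HTTP/1.1" 200 - 2 0.003 0.009
2026-01-20 11:00:00,000 2141 ERROR prod odoo.http: Exception during request handling.
Traceback (most recent call last):
  File "/opt/odoo/odoo/http.py", line 1, in _serve_db
2026-03-09 12:00:00,000 2141 INFO prod odoo.addons.base.models.res_users: Login successful for db:prod login:jane@example.com from 198.51.100.7
""".splitlines()  # constructed sample lines
```

Wire it into the rotation job (read the rotated file, write back `apply_retention(lines, today)`) rather than editing the live log that the Odoo process still has open.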