ADR-0100 — EU GDPR Article 27 Representative Posture
Status: Accepted (Option A locked)
Date: 2026-05-19 UTC
Deciders: Kristerpher (operator / controller)
Issue: #1648
Related: ADR-0099, BLR PR #1646, docs/legal/compliance/art27-rep-selection.md
Decided 2026-05-19 UTC — operator (Kristerpher) selected Option A: geo-block EU/EEA at signup. Rationale: mirrors the Quebec decision ([[project_quebec_geoblock_decision]]), eliminates Art. 27 + 4 sub-processor DPA scopes (#1647) from v1 launch, fully reversible when EU market entry is planned post-launch.
EU/EEA geo-block code already shipped via #1649 (closed 2026-05-11) — FLAG_SIGNUP_GEOBLOCK_EU exists in backend_v2/api/feature_flags.yaml. Operator action: flip FLAG_SIGNUP_GEOBLOCK_EU=1 on both raxx-api-staging + raxx-api-prod before launch (2026-05-23 UTC).
Context
GDPR Article 27 requires any data controller or processor not established in the EU/EEA, but subject to GDPR (Article 3(2)), to designate in writing a representative in a member state where data subjects are located. Raxx is incorporated as MooseQuest LLC in Pennsylvania, USA — not established in the EU/EEA.
The obligation is triggered as soon as Raxx processes EU/EEA personal data on a non-occasional basis. Raxx's SaaS subscription model (ongoing billing, strategy-configuration storage, session data) qualifies as non-occasional processing. The exemption in Art. 27(2)(a) (discussed in Recital 80) does not apply: it requires, all at once, processing that is occasional, does not include large-scale processing of special-category or criminal-conviction data, and is unlikely to result in a risk to data subjects, and a subscription service with a continuing user relationship fails the first limb.
The companion issue for Quebec (#1608) was resolved by choosing geo-block (Path A), which eliminated the analogous Québec privacy-law obligations for Québec data subjects (GDPR Art. 27 itself does not reach Québec). The same structural decision applies to the EU/EEA.
Two options presented to the operator
Option A — Geo-block EU/EEA at signup: Apply the same mechanism used for Quebec — block EU/EEA jurisdictions at the signup flow (WAF IP-range block + jurisdiction check). With no EU/EEA data subjects onboarded there is no Art. 27 obligation. Note that IP geolocation is approximate (VPNs, roaming, unknown-country lookups), so the block is evidence that Raxx does not offer services to data subjects in the Union rather than a perfect filter; any EU/EEA signup that slips through must be handled as an exception, not ignored. This is the lowest-effort, lowest-risk path for v1 US-only launch.
Option B — Allow EU/EEA customers and designate a representative: Accept EU/EEA organic signups. Designate a written Art. 27 representative before the first EU customer signs up. Procure from DataRep (~€145/yr, self-service) or VeraSafe (~$100–$300/yr, quote-required). Representative contact details must appear in the published privacy policy.
Decision Options
Option A — Geo-block EU/EEA
| Attribute | Detail |
|---|---|
| Art. 27 obligation | Eliminated — no EU data subjects |
| Implementation | WAF-level IP block (Cloudflare) + signup-form jurisdiction check; mirrors Quebec geo-block |
| Privacy policy | No rep section required; add short notice: "Service not available in the EU/EEA at this time." |
| Cost | Engineering time only (~1–2 hours, same pattern as Quebec) |
| Revenue impact | Forecloses EU customer acquisition until geo-block is lifted |
| Reversibility | Reversible — lifting the block requires designating a representative and executing the vendor DPAs (Option B) at that time |
| v1 timing | Can be implemented before 2026-05-23 UTC launch |
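The signup-form jurisdiction check named in the Option A table (the application-side half of the WAF + form block, shipped behind FLAG_SIGNUP_GEOBLOCK_EU per #1649) is sketched below as an added Python example; it is not Raxx's own code. Assumptions not stated on the page: the country code comes from Cloudflare's CF-IPCountry request header (ISO 3166-1 alpha-2, or XX/T1 for unknown/Tor exit), the flag value is passed in as a bool by the caller, and the origin accepts traffic only from the Cloudflare edge, since otherwise the header is attacker-controlled. The EU/EEA set is the 27 member states plus IS, LI and NO; GB and CH are deliberately left out because they are separate regimes.

```python
"""Signup-time EU/EEA jurisdiction check (illustrative, not Raxx code).

Assumptions (not stated in the ADR): Cloudflare IP geolocation is enabled so
requests carry `CF-IPCountry`; the origin is reachable only via Cloudflare,
so the header cannot be set by a client hitting the origin directly; the
feature flag FLAG_SIGNUP_GEOBLOCK_EU is resolved by the caller to a bool.
"""
from dataclasses import dataclass
from typing import Mapping

# The 27 EU member states, ISO 3166-1 alpha-2 (Greece is GR in ISO, not EL).
EU_MEMBER_STATES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
})
# EEA = EU + the three EFTA states that apply the GDPR.
EEA_NON_EU = frozenset({"IS", "LI", "NO"})
EU_EEA = EU_MEMBER_STATES | EEA_NON_EU
# Deliberately NOT in the set: GB (UK GDPR) and CH (Swiss FADP) are separate
# regimes and outside the scope of this ADR.

# Cloudflare sentinel values that are not countries; "" covers a missing header.
UNKNOWN_COUNTRY = frozenset({"XX", "T1", ""})

# Matches the privacy-policy notice proposed in the Option A table.
BLOCK_MESSAGE = "Service not available in the EU/EEA at this time."


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    country: str
    reason: str


def country_from_headers(headers: Mapping[str, str]) -> str:
    """Return the CF-IPCountry value, upper-cased; '' if the header is absent.

    Header lookup is case-insensitive because frameworks differ in how they
    normalise header names.
    """
    for name, value in headers.items():
        if name.lower() == "cf-ipcountry":
            return value.strip().upper()
    return ""


def check_signup_jurisdiction(
    headers: Mapping[str, str],
    flag_enabled: bool,
    fail_closed: bool = True,
) -> Verdict:
    """Decide whether a signup request may proceed.

    fail_closed=True (assumed default) rejects requests whose country cannot
    be determined, which is the conservative choice for a compliance control;
    flip it only if the resulting false rejections of non-EU users are
    acceptable to product.
    """
    country = country_from_headers(headers)
    if not flag_enabled:
        # Flag off: the block is not in force (pre-launch / post EU-entry).
        return Verdict(True, country, "flag_off")
    if country in EU_EEA:
        return Verdict(False, country, "eu_eea_blocked")
    if country in UNKNOWN_COUNTRY:
        if fail_closed:
            return Verdict(False, country, "unknown_country_fail_closed")
        return Verdict(True, country, "unknown_country_allowed")
    return Verdict(True, country, "non_eu")


if __name__ == "__main__":
    # Constructed sample requests, one header set each.
    samples = [
        {"CF-IPCountry": "US"},   # allowed
        {"CF-IPCountry": "DE"},   # blocked: EU member state
        {"CF-IPCountry": "NO"},   # blocked: EEA, not EU (easy to forget)
        {"CF-IPCountry": "GB"},   # allowed: UK is out of scope here
        {"CF-IPCountry": "XX"},   # blocked by fail-closed default
        {},                        # missing header, blocked by fail-closed
    ]
    for h in samples:
        v = check_signup_jurisdiction(h, flag_enabled=True)
        print(f"{v.country or '(none)':>6} -> allowed={v.allowed} ({v.reason})")
        if not v.allowed:
            print("        ", BLOCK_MESSAGE)
```

The set size (30) is worth asserting in the project's own tests: the usual failure of this control is an EU-only list that omits Iceland, Liechtenstein and Norway, which the WAF rule must mirror.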
Option B — Accept EU customers + designate representative
| Attribute | Detail |
|---|---|
| Art. 27 obligation | Satisfied by written service contract with EU-established vendor |
| Provider | DataRep (Ireland, ~€145/yr, self-service same-day) or VeraSafe (Czech Republic, ~$100–$300/yr, 1–3 day quote cycle) |
| Privacy policy | Must include representative's name, address, and email in Section 1 and footer |
| Cost | ~$100–$300/yr ongoing + 30–60 minutes to execute |
| Revenue impact | EU customers can sign up from day one |
| Additional obligations triggered | Vendor DPAs (Stripe, Heroku, Sentry, Postmark) must also be executed before first EU customer — see vendor-dpas-status.md |
| v1 timing | Executable before 2026-05-23 UTC with DataRep self-service; tight but feasible |
Recommendation
Option A (geo-block) is the lower-risk path for a v1 US-only launch.
The reasoning mirrors the Quebec decision:
- v1 launch is explicitly US-targeted. There is no EU marketing plan. EU organic signups at launch are expected to be zero or negligible.
- Option A eliminates not just the Art. 27 obligation but also the vendor-DPA requirement for EU data subjects — reducing legal risk surface at launch.
- Option A is reversible. When Raxx is ready to enter the EU market, lift the geo-block, execute the Art. 27 representative contract (30–60 min, ~€145/yr), execute vendor DPAs (~2–4 hrs), and update the privacy policy. Total effort: ~1 day.
- Option B is viable — but stacking a new vendor contract, privacy policy update, and four vendor DPA executions in the T-4 window (four days to the 2026-05-23 UTC launch, a Saturday) introduces unnecessary timeline risk for a customer cohort that does not yet exist.
Caveat: This recommendation is docs-only and does not constitute legal advice. Kristerpher should confirm with counsel before the EU market entry decision.
Decision
Selected 2026-05-19 UTC by the operator (see header): Option A.
- [x] Option A — Geo-block EU/EEA at signup. No Art. 27 representative required. Geo-block code already shipped via #1649; operator flips FLAG_SIGNUP_GEOBLOCK_EU=1 on raxx-api-staging and raxx-api-prod before launch. ADR status updated to Accepted (Option A); close #1648.
- [ ] Option B — Accept EU customers. Designate Art. 27 representative. Execute provider signup per docs/legal/compliance/art27-rep-selection.md. Update privacy policy Section 1 with representative contact details. Update this ADR status to Accepted (Option B) and close #1648.
Consequences
If Option A is chosen
- No EU data subjects at launch → no Art. 27 obligation → no Art. 28 DPA obligation for EU-subject-facing vendors.
- Vendor DPAs (Stripe, Heroku, Sentry, Postmark) are still good hygiene and required before first EU customer post-geo-block-lift, but are not a v1 blocker.
- Privacy policy should note EU/EEA service unavailability.
- Future EU expansion requires: geo-block lift + Art. 27 rep + vendor DPAs in the same release window.
If Option B is chosen
- Art. 27 representative's details must be live in the published privacy policy before first EU customer signup — not after.
- Vendor DPAs (Stripe, Heroku, Sentry, Postmark) become co-triggers: all four must be executed before first EU customer.
- Annual representative contract renewal must be tracked (calendar reminder or #1648 child card for annual renewal).
- If representative changes, privacy policy must be updated immediately.
Non-goals
- This ADR does not address DPO appointment (Raxx does not require a DPO under GDPR Art. 37 — confirmed BLR PR #1646 § 3.4).
- This ADR does not address lead supervisory authority selection (not applicable to a US-domiciled controller without EU establishment — supervisory authorities contact the Art. 27 representative directly).
- This ADR does not address SCCs/transfer mechanisms (separate concern; noted as an open question in BLR PR #1646 § 8 for attorney review).
References
- GDPR Art. 27 full text: https://gdpr-info.eu/art-27-gdpr/
- GDPR Recital 80 (representative): https://gdpr-info.eu/recitals/no-80/
- BLR research PR #1646 §§ 3.5, 5.1, 6.2
- Issue #1648
- docs/legal/compliance/art27-rep-selection.md (provider comparison)
- docs/legal/compliance/vendor-dpas-status.md (DPA tracking — co-triggered by Option B)
- project_quebec_geoblock_decision.md (precedent for geo-block approach)