EU GDPR Article 27 Representative — Provider Comparison and Selection
Status: PENDING OPERATOR ACTION — provider must be selected and signed up before the first EU/EEA customer signs up.
Trigger: Before first EU customer signup (not a v1 US-only launch blocker).
Owner: Kristerpher (operator / controller)
Last updated: 2026-05-19 UTC
Issue: #1648
BLR research: PR #1646 §§ 3.5, 5.1, 6.2
Legal Basis
GDPR Article 27 requires any controller or processor not established in the EU/EEA but subject to GDPR (Art. 3(2) — offering goods/services to EU data subjects, or monitoring EU data subjects' behaviour) to designate, in writing, a representative established in a member state where data subjects are located.
Raxx's obligation:
- Raxx is established in Pennsylvania, USA. Not in the EU/EEA.
- Raxx processes EU data subjects' personal data on an ongoing basis (subscription SaaS, continuous billing, strategy data retention). This is not "occasional" processing.
- GDPR Art. 27 applies as soon as Raxx accepts EU/EEA customers.
- Art. 27 obligations cannot be delegated to a DPO (Raxx does not require a DPO under Art. 37 — confirmed in BLR PR #1646 § 3.4) and cannot be satisfied by privacy policy text alone. A written, executed service contract with an EU-established vendor is required.
What the representative does:
- Acts as a named point of contact for EU data subjects exercising GDPR rights (access, erasure, portability, etc.).
- Acts as a named point of contact for EU supervisory authorities (DPAs) conducting inquiries or investigations.
- Does NOT provide legal advice. Does NOT replace an attorney relationship.
- Does NOT substitute for executing vendor DPAs (see vendor-dpas-status.md).
- The representative's name and contact details must appear in the published privacy policy.
EU Access Decision (Prerequisite)
Before selecting a provider, clarify the EU access posture:
| Option | Action | Art. 27 required? |
|---|---|---|
| A — Geo-block EU at signup (same as Quebec) | Block .eu TLD referrals + block IP ranges for EU member states at the WAF or app layer | No — no EU data subjects means no Art. 27 obligation |
| B — Allow EU organic signups | No geo-block; EU users can sign up normally | Yes — designate representative before first EU signup |
| C — Active EU marketing | Paid ads, EU-language content, EU-targeted outreach | Yes — designate representative before launching marketing |
Current status (as of 2026-05-19): EU access posture not yet locked. The v1 launch (2026-05-23 UTC) is US-targeted. This card becomes blocking the moment the EU posture is set to Option B or C.
See ADR-0100 (docs/architecture/adr/0100-eu-art-27-rep-posture.md) for the formal decision record once Kristerpher locks the EU access posture.
Provider Comparison
Three providers evaluated per the issue AC and BLR PR #1646 § 3.5.
Provider 1 — VeraSafe
Website: https://verasafe.com/public-resources/discuss-data-protection/
| Attribute | Detail |
|---|---|
| Headquarters | Washington DC (US) + Prague (EU) — EU establishment is Prague, Czech Republic |
| EU member state | Czech Republic (EU member; EEA member) |
| Art. 27 service name | "EU Representative" service |
| Pricing | Self-service contact form for quote; publicly cited range ~$100–$300/yr for small companies per BLR research PR #1646. VeraSafe does not publish a fixed price list — request quote via contact form. |
| Contract type | Written service agreement (satisfies Art. 27 written designation requirement) |
| Coverage | All EU/EEA member states — designates from Czech Republic but accepts inquiries from any EU supervisory authority |
| Privacy policy language | Provides template disclosure language for the privacy policy Art. 27 section |
| Signup path | Contact form at URL above → quote → countersigned contract |
| Turnaround | Typically 1–3 business days for contract execution |
| Known by | Cited in BLR PR #1646 § 3.5 as primary recommendation; referenced in Section 7 resources table |
| Notable | VeraSafe also offers EU-US Privacy Shield representation, DPO-as-a-service, and GDPR breach notification services — useful upsells later |
BLR recommendation: VeraSafe is the primary recommendation from PR #1646.
Provider 2 — DataRep
Website: https://datarep.com
| Attribute | Detail |
|---|---|
| Headquarters | Dublin, Ireland |
| EU member state | Ireland (EU member; EEA member) |
| Art. 27 service name | "EU Representative Service" |
| Pricing | Published pricing (as of 2026-05-19 research): starting at €145/yr (~$157 USD) for small companies; scales with volume. Transparent published price page. |
| Contract type | Written service agreement; DataRep provides a countersigned DPA/service contract |
| Coverage | All EU/EEA member states |
| Privacy policy language | Provides template disclosure text |
| Signup path | Online self-service signup at https://datarep.com → payment → contract |
| Turnaround | Claims same-day contract issuance via self-service flow |
| Known by | Cited in BLR PR #1646 § 3.5 and issue #1648 AC as secondary option |
| Notable | Ireland-based representative may be advantageous: Irish DPC (Data Protection Commission) is the lead supervisory authority for most large US tech companies operating in the EU. |
Assessment: DataRep's self-service signup and published pricing make it the fastest path to execution. Ireland-domiciled representative is a minor advantage for US companies.
Provider 3 — Data Privacy Manager (DPM)
Website: https://dataprivacymanager.net/eu-representative/
| Attribute | Detail |
|---|---|
| Headquarters | Zagreb, Croatia |
| EU member state | Croatia (EU member; EEA member) |
| Art. 27 service name | "EU Data Protection Representative" |
| Pricing | Not publicly published; request quote via contact form |
| Contract type | Written service agreement |
| Coverage | All EU/EEA member states |
| Privacy policy language | Provides template language |
| Signup path | Contact form → quote → contract |
| Turnaround | Not publicly stated |
| Known by | Cited in issue #1648 AC as third option to evaluate |
| Notable | DPM is primarily a privacy software company (consent management, RoPA tooling). Art. 27 rep service is an add-on to their software suite. May be bundled if Raxx adopts DPM's consent management tools later. |
Assessment: DPM's Art. 27 service is secondary to their software product. For a standalone Art. 27 representative without consent management tooling, VeraSafe or DataRep are cleaner choices.
Comparison Summary
| Attribute | VeraSafe | DataRep | Data Privacy Manager |
|---|---|---|---|
| EU member state | Czech Republic | Ireland | Croatia |
| Published price | No (quote required) | Yes (~€145/yr) | No (quote required) |
| Self-service signup | No | Yes | No |
| Turnaround | 1–3 business days | Same-day (self-service) | Unspecified |
| BLR-cited | Yes (primary) | Yes (secondary) | Yes (tertiary) |
| Contract type | Written service agreement | Written service agreement | Written service agreement |
| Privacy policy template | Yes | Yes | Yes |
Recommendation
DataRep for speed-to-execution; VeraSafe if quote comes in equal or lower.
The deciding factor at v1 is execution speed: DataRep's self-service online signup and same-day contract issuance mean the Art. 27 obligation can be satisfied within hours of the EU access posture decision. VeraSafe requires a quote cycle (1–3 business days).
If Kristerpher prefers to request quotes from both simultaneously and pick the lower cost, that is a valid approach given the €100–300/yr price band — the delta is at most $150/yr.
Ireland domicile (DataRep) is a minor advantage: the Irish DPC is the most common lead supervisory authority contact for US SaaS companies with EU users. There is no hard requirement to be in any specific member state, but Ireland is a defensible choice.
Operator Action Steps (after EU access posture decision)
- If Option A (geo-block): no Art. 27 action required. Document the decision in ADR-0100. No rep needed.
- If Option B or C (EU customers accepted):
  a. Go to https://datarep.com and complete self-service signup (estimated 30 minutes).
  b. Alternatively, contact VeraSafe at https://verasafe.com/public-resources/discuss-data-protection/ for a quote.
  c. Once the contract is countersigned:
     - Save confirmation email + invoice to Google Drive at legal/GDPR/art27-representative/.
     - Update the privacy policy EU/EEA Representative section in docs/legal/privacy-policy-draft-2026-05-14.md with the representative's name, address, and email.
     - Update this document's status from PENDING OPERATOR ACTION to EXECUTED.
     - Update ADR-0100 status from Pending to Accepted.
Privacy Policy Text (post-execution)
Once a provider is selected, replace the current placeholder in Section 1 of the privacy policy with the following template (fill in bracketed fields from the provider's contract):
**EU/EEA Representative (GDPR Article 27):**
In accordance with Article 27 of the General Data Protection Regulation (GDPR),
MooseQuest LLC dba Raxx has designated the following representative in the European Union:
[REPRESENTATIVE LEGAL NAME]
[REPRESENTATIVE ADDRESS — include street, city, country]
[REPRESENTATIVE EMAIL ADDRESS]
EU/EEA data subjects and supervisory authorities may contact our representative directly
for GDPR-related inquiries. Correspondence may also be directed to us at support@raxx.app.
Drive Storage Reference
After execution, store artifacts at:
Google Drive: legal/GDPR/art27-representative/
- <provider>-art27-contract-<year>.pdf (countersigned service agreement)
- <provider>-confirmation-email-<date>.pdf (signup confirmation)
- <provider>-invoice-<year>.pdf (first invoice / payment receipt)
Version History
| Date | Change | By |
|---|---|---|
| 2026-05-19 UTC | Initial provider comparison created | raxx-dev-bot (feature/eu-art-27-rep-posture) |