GDPR Compliance: We Scored 92.3/100 (Here's How)
We practice what we preach. So we ran our SVAR compliance scanner on our own website. Then we scanned a competitor in our space. The results? A 38-point gap that comes down to infrastructure decisions most companies never think about.
Why We Scanned Ourselves
At Bright Interaction, we help companies achieve data sovereignty and GDPR compliance. But how do we stack up against our own standards? We decided to find out, and to compare ourselves against a similar B2B technology company operating in Europe.
Using our automated SVAR scanner, we analyzed both websites across 13 compliance and security dimensions. The results tell a story about how small infrastructure choices create massive differences in legal exposure.
The Scorecard
| Metric | Bright Interaction | Competitor |
|---|---|---|
| Overall Score | 92.3/100 (A) | 53.8/100 (C) |
| Tests Passed | 12/13 | 7/13 |
| Pre-Consent Tracking Violations | 0 | 3 |
| US CDN Dependencies | 0 | 3 |
| Estimated Illegal Transfers/Month | 0 | ~2,700 |
| Cookie Banner | Yes (CookieProof, consent-gated) | Yes (fires before consent) |
| Privacy Policy GDPR Compliance | 100% | 40% |
| TLS/NIS2 Score | 100/100 | 100/100 |
| Web Hosting Location | EU (Germany) | US (Cloudflare) |
The Critical Difference: Pre-Consent Tracking
The biggest gap? Our competitor loads Google Tag Manager and Google Ads tracking scripts that fire before any consent is given.
When a visitor loads their homepage, three tracking requests are sent to US servers before they've clicked anything. Under GDPR Article 6(1)(a), processing personal data (including IP addresses) requires consent before the processing occurs—not after.
The Math of Non-Compliance
With approximately 900 monthly visitors and 3 tracking violations per visit, our competitor generates roughly 2,700 illegal data transfers per month. Each of these is a potential GDPR violation.
At Bright Interaction, we use Google Analytics but gate it behind our own consent banner, CookieProof. No tracking scripts fire until the visitor explicitly opts in. The difference is simple: our competitor tracks first and asks later. We ask first and only track after consent.
The Hidden CDN Problem
Our competitor loads fonts, JavaScript, and map widgets from Google's CDN servers. These requests broadcast visitor IP addresses to US servers on every page load—even if they removed all tracking scripts.
This is what we call the "backdoor GDPR violation": a compliance gap that most companies miss entirely because they focus on obvious trackers while ignoring infrastructure dependencies.
Competitor's CDN Dependencies
- Google Maps API (googleapis.com)
- Google Fonts (fonts.gstatic.com)
- Google Tag Manager (googletagmanager.com)
Our Approach
- Self-hosted fonts
- Google Analytics, consent-gated via CookieProof
- Zero scripts fire before explicit opt-in
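To make the two checks above concrete (pre-consent tracking requests and the "backdoor" CDN dependencies), here is an added example of a minimal static scanner; it is not the SVAR scanner or CookieProof code. It assumes a browser fetches every `script src`, `link href`, `iframe`/`img src` and any URL built inside an inline `<script>` on load, and it models consent gating with the common `<script type="text/plain">` pattern, which is an assumption about how a consent manager could work, not a description of CookieProof. The host list and sample pages are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# US CDN/tracking hosts named in the post (plus the host GA4 is served from); illustrative, not SVAR's rule set.
US_HOSTS = {"fonts.googleapis.com": "Google Fonts", "gstatic.com": "Google Fonts",
            "googleapis.com": "Google Maps API", "googletagmanager.com": "Google Tag Manager",
            "google-analytics.com": "Google Analytics"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

def classify(url):
    """Label for a listed US third-party host; None for first-party or unlisted URLs."""
    host = urlparse(url).hostname or ""
    return next((lbl for sfx, lbl in US_HOSTS.items()
                 if host == sfx or host.endswith("." + sfx)), None)

class LoadScanner(HTMLParser):
    """Collects every URL the browser fetches on load, i.e. before any consent click.
    Assumption (a common consent-manager pattern, not how CookieProof works): a
    <script type="text/plain"> is inert until a consent engine rewrites its type,
    so URLs inside it count as consent-gated rather than pre-consent."""
    def __init__(self):
        super().__init__()
        self.pre_consent, self.gated, self._inert = [], [], None  # None: not inside <script>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._inert = a.get("type") == "text/plain"
            if a.get("src"):
                (self.gated if self._inert else self.pre_consent).append(a["src"])
        elif tag in ("link", "iframe", "img") and (a.get("href") or a.get("src")):
            self.pre_consent.append(a.get("href") or a.get("src"))
    def handle_endtag(self, tag):
        if tag == "script":
            self._inert = None
    def handle_data(self, data):  # inline GTM-style snippets build the request URL in JS
        if self._inert is not None:
            (self.gated if self._inert else self.pre_consent).extend(URL_RE.findall(data))

def scan_html(html):
    """Per-page report: each pre-consent third-party load is one violation per visit."""
    p = LoadScanner(); p.feed(html)
    hits = [(u, classify(u)) for u in p.pre_consent if classify(u)]
    return {"violations": hits, "violations_per_visit": len(hits),
            "consent_gated": [u for u in p.gated if classify(u)]}

# Constructed sample pages (not the real sites): an inline GTM snippet, Google Fonts CSS
# and the Maps API, versus a self-hosted font file and a consent-gated GA4 tag.
COMPETITOR_LIKE = """<head><script>(function(){var j=document.createElement('script');
j.src='https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER';})();</script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="https://maps.googleapis.com/maps/api/js?key=PLACEHOLDER"></script></head>"""
OUR_SITE_LIKE = """<head><link rel="stylesheet" href="/fonts/inter.css"><script type="text/plain"
 data-consent="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script></head>"""
```

Multiplying `violations_per_visit` by monthly visitors reproduces the post's estimate (3 per visit x 900 visitors = 2,700 transfers); a real scan would also need to follow the loaded CSS, since Google Fonts CSS in turn pulls font files from fonts.gstatic.com.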
The CLOUD Act Exposure
Both companies have some US infrastructure exposure, but the nature differs significantly.
Our Setup
Our web hosting is on EU servers in Germany (Hetzner). Our only US exposure is email via Google Workspace—meaning internal communications could theoretically be subpoenaed under the CLOUD Act, but customer-facing web traffic stays entirely in Europe.
Competitor's Setup
Their web hosting is on Cloudflare (US company). Every visitor interaction, form submission, and page view passes through US-controlled infrastructure. Under the CLOUD Act, US authorities can compel Cloudflare to hand over this data without the company's knowledge.
Post-Schrems II Reality
Since the Schrems II ruling invalidated Privacy Shield, companies transferring EU personal data to US infrastructure need "adequate safeguards," which is increasingly difficult to demonstrate when using US cloud providers.
Consent Done Right: CookieProof
Both companies use a cookie consent banner. The difference is what happens before the visitor makes a choice.
Our competitor loads tracking scripts that fire immediately, then shows a banner asking for consent after the data has already been sent. That sequence violates GDPR Article 6(1)(a).
We built CookieProof, our own consent engine. It blocks Google Analytics and every other tracking script until the visitor explicitly opts in. No scripts, no cookies, no network requests to third parties until consent is given. The banner is not decoration. It is the gate. CookieProof serves as a privacy-focused Cookiebot alternative for businesses that want consent management without third-party data sharing.
The result: we get the analytics data we need for business decisions while maintaining zero pre-consent tracking violations. You do not have to choose between useful analytics and GDPR compliance. You just need to get the order right. For a full breakdown of what Swedish law requires, see our guide on cookie consent requirements in Sweden 2026.
What We Both Got Right
It's not all bad news for our competitor. Both companies demonstrate strong practices in:
- TLS/SSL Configuration: Both achieved 100/100 on NIS2 cryptographic requirements
- Email Authentication: Both have DMARC policies set to "reject"
- No Exposed Secrets: Neither company leaked sensitive paths or credentials
- No PDF Metadata Leaks: No personally identifiable information in document metadata
The Fine Exposure
Under GDPR Article 83, violations can result in fines up to 20 million EUR or 4% of global annual turnover. Based on the violations detected:
| Company | Estimated Fine Range | Primary Violation |
|---|---|---|
| Bright Interaction | 10,000 - 500,000 EUR | Email infrastructure on US cloud |
| Competitor | 100,000 - 10,000,000 EUR | Unlawful data transfers |
The 20x difference in potential exposure comes down to the nature of the violations. Processing without consent falls under Article 83(5)—the higher tier of penalties.
What We're Working On
We're not perfect. Our one failed test is:
- Email infrastructure: We use Google Workspace, which creates CLOUD Act exposure for internal communications. Our 5 MX records point to Google's US servers, meaning client emails could theoretically be subpoenaed under US law.
We're evaluating EU-sovereign email providers like Proton Mail Business and self-hosted Mailcow to eliminate this final US exposure and achieve 100% sovereignty.
Key Takeaways
1. Infrastructure choices matter: Where your servers are located determines your legal exposure.
2. Tracking before consent is illegal: Every script that fires before consent is a GDPR violation.
3. CDNs are often overlooked: Loading fonts from Google is a data transfer, even if you don't think of it that way.
4. Consent-first analytics works: You can use Google Analytics and stay compliant. Block everything until the visitor opts in.
5. The CLOUD Act is real: US-hosted data is subject to US law, regardless of where your company is located.
Get Your Free GDPR Compliance Scan
Want to know where your company stands? Our website audit service analyzes 13 compliance and security dimensions. See your score, understand your risks, and get actionable recommendations. We also help businesses remediate the issues we find -- see our services or get in touch.