Run StackPatrol on a few European business websites and a pattern appears quickly: most of them contact between eight and twelve US-owned third-party services on a standard page load. Many of those site owners have no idea which vendors are involved or what data is being shared.
What counts as a US data processor?
Under GDPR, a data processor is any third party that handles personal data on your behalf. Personal data includes IP addresses, and virtually every external service your website contacts receives your visitors' IP addresses as part of the HTTP request.
That means the following are all potential US data processors if they are US-owned and you have not established an appropriate legal basis for the transfer:
- Google Fonts (loaded from fonts.googleapis.com)
- Google Analytics and Google Tag Manager
- Cloudflare, even when the data center is in Frankfurt
- Meta Pixel and LinkedIn Insight Tag
- HubSpot, Intercom, and Zendesk chat widgets
- Typeform and other embedded form tools
- reCAPTCHA on contact forms and login pages
- Stripe.js on any page that includes a checkout element
Each one is a data transfer. Each one, technically, requires either Standard Contractual Clauses, a Data Transfer Impact Assessment, or coverage under the EU-US Data Privacy Framework (DPF).
The ones people consistently miss
The obvious trackers are easy to spot. Google Analytics shows up in most audits. But a few common ones genuinely catch people off guard.
Google Fonts. WordPress themes, website builders and frontend frameworks have been shipping Google Fonts by default for years. Unless you self-host those fonts, your site pings Google on every page load and shares your visitor's IP address. Self-hosting fonts removes this issue entirely. (Note: if you use Next.js, next/font/google already self-hosts fonts automatically at build time — no external Google request is made in production.)
Cloudflare. It is the world's largest CDN, and it is a US company. Even if data passes through a Frankfurt data center, Cloudflare's privacy policy allows access from the US. Whether this is a problem depends on what data flows through it and how you document it, but it belongs in your vendor inventory.
Stripe.js. If you have a payment form, you probably load Stripe's JavaScript on every page that contains a checkout element, not just at the point of payment. Stripe uses that script for fraud detection, which means it runs before any payment is initiated. StackPatrol uses Stripe for billing and has a DPA in place. It is one of the cleaner examples: a US processor you cannot easily replace, covered by the DPF, properly documented.
reCAPTCHA. Google's bot-detection tool sends behavioral data to Google servers. Many contact forms and login screens use it without the site owner realizing it is a Google product.
Why this matters right now
Between 2022 and 2023, data protection authorities in Austria, France, Italy, Denmark and several other EU member states declared Google Analytics non-compliant for transferring data to the US without adequate safeguards.
The EU-US Data Privacy Framework, adopted in July 2023, restored a legal basis for many of these transfers. Google has self-certified under it, and so have most major US tech companies. So as of 2026, using US vendors covered by the DPF is technically defensible.
The complication: the DPF is the third attempt at a transatlantic data transfer arrangement, after Safe Harbor (struck down in 2015) and Privacy Shield (struck down in 2020). Legal challenges to the DPF are already underway. If it is invalidated, every website relying on it faces immediate compliance questions.
Having a clear vendor inventory now means you know exactly what would need to change. That preparation is far easier to do on a quiet Tuesday than in the week after a court ruling.
A note on legal advice
StackPatrol is a technical scanner. It identifies vendors and classifies them by ownership region. It is not legal advice and does not certify GDPR compliance. For formal compliance assessments, consult a qualified DPO or privacy lawyer.
What to do
1. Run a scan. Before you can fix anything, you need to know what is there. Scan your site with StackPatrol to get a full vendor list with ownership regions. It is free and takes under a minute.
2. Self-host where you can. Google Fonts is the easiest win. Download the font files and serve them from your own domain. This removes one US data transfer and typically improves page load time.
3. Find European alternatives. For analytics, tools like Plausible (Estonian) or Pirsch (German) eliminate the US transfer entirely. Our guide to European analytics tools covers the main options and how to migrate.
4. Document what you keep. Not every US vendor can be replaced. For those that stay, record the legal basis (DPF self-certification, SCCs, or a legitimate interest assessment) and keep records in your ROPA. The goal is not to eliminate every external service, but to know what is running and have a documented reason for each one.
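Steps 1 and 4 can also be checked by hand from a HAR file exported from your browser's developer tools. The sketch below is an added example, not StackPatrol's code: it groups third-party hosts by vendor and ownership region and leaves a legal-basis field to fill in. The vendor table (apart from fonts.googleapis.com, which the article names), the sample capture and the example.com site domain are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hostname -> (vendor, ownership region). Constructed for this example; only
# fonts.googleapis.com appears in the article. Extend it from your own audits.
VENDORS = {
    "fonts.googleapis.com": ("Google Fonts", "US"),
    "fonts.gstatic.com": ("Google Fonts", "US"),
    "google-analytics.com": ("Google Analytics", "US"),
    "connect.facebook.net": ("Meta Pixel", "US"),
    "js.stripe.com": ("Stripe.js", "US"),
    "plausible.io": ("Plausible", "EU"),
}

def within(host, domain):
    """True if host is domain or a subdomain of it (label-aligned, not substring)."""
    return host == domain or host.endswith("." + domain)

def classify(host):
    """Return (vendor, region) using the longest matching table entry."""
    hits = [d for d in VENDORS if within(host, d)]
    return VENDORS[max(hits, key=len)] if hits else ("unknown", "unknown")

def inventory(har, site_domain):
    """Build one row per third-party host from a HAR 1.2 capture (a dict)."""
    rows = {}
    for entry in har["log"]["entries"]:
        host = (urlsplit(entry["request"]["url"]).hostname or "").rstrip(".")
        if not host or within(host, site_domain):
            continue  # skip data: URLs and first-party requests
        vendor, region = classify(host)
        row = rows.setdefault(host, {"host": host, "vendor": vendor,
              "region": region, "requests": 0, "legal_basis": "undocumented"})
        row["requests"] += 1
    # US-owned hosts first, then the rest, each group sorted by hostname
    return sorted(rows.values(), key=lambda r: (r["region"] != "US", r["host"]))

# Constructed sample capture for a site served from example.com
SAMPLE_HAR = {"log": {"entries": [{"request": {"url": u}} for u in [
    "https://www.example.com/",
    "https://fonts.googleapis.com/css2?family=Inter",
    "https://www.google-analytics.com/g/collect?v=2",
    "https://www.google-analytics.com/g/collect?v=2&en=scroll",
    "https://js.stripe.com/v3/",
    "https://plausible.io/js/script.js",
    "https://example.com.tracker.example/p.gif",  # lookalike, not first-party
]]}}

if __name__ == "__main__":
    for r in inventory(SAMPLE_HAR, "example.com"):
        print(r)
```

For a real capture, pass `json.load(open("site.har"))` as the first argument; hosts reported as "unknown" are the ones to research before they go into the ROPA.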
See exactly what is running on your site
StackPatrol scans your URL with a real browser, captures every third-party request, and shows you which vendors are EU-based and which are US-owned. Free, no account needed.