EU-sovereign stack for UK SMBs in 2026: Vercel, Resend, Plausible, Capsule
Every regulated UK vertical — clinics, solicitors, schools, accountants — eventually meets the same question. A DPO, a COLP, a DSL, a practice-assurance reviewer asks: where does my client’s data physically sit, and what’s your sub-processor list? The answer “AWS US-East, behind a Cloudflare proxy, with Google Analytics and HubSpot forms” doesn’t survive the meeting. The Schrems II ruling (Court of Justice of the EU, July 2020) didn’t ban US vendors — it made the SMB defend the choice in writing.
This is the EU-sovereign stack UK Web Marketing ships with every regulated-vertical build: four vendors, each picked against the obvious US default, each defensible to a regulator. Total cost on the Foundation tier: roughly £55 to £85 per month per site, depending on the bolt-ons.
The four vendors, the four US defaults
| Layer | The pick | Region | The US default | Why the pick wins |
|---|---|---|---|---|
| Hosting | Vercel | London (lhr1) | AWS US-East | Per-project region pin to London; SCC + DPA signed by default |
| Resend | Ireland (EU) | SendGrid (US) | EU region option, GDPR-clean defaults, no US-only data plane | |
| Analytics | Plausible | EU (self-hosted EU regions) | Google Analytics 4 | Cookieless, no IP store, no ICO consent banner needed |
| CRM | Capsule | Manchester, UK | HubSpot (US) | UK-resident data; UK-incorporated processor |
Each line on this table is a defence the SMB can hand its regulator. Each US default is a vendor the SMB would have to write a transfer impact assessment to keep using under UK GDPR Article 46. Schrems II is the reason: standard contractual clauses are no longer sufficient on their own; the data importer’s country has to be evaluated. The four picks above skip the evaluation by sitting inside the EEA or the UK.
Vercel London vs AWS US-East
The pick. Vercel Pro, with every project pinned to the lhr1 region (London). Functions, edge handlers, and ISR cache all serve from London. The DPA is signed by default during onboarding. (For the deeper hosting comparison, see Vercel vs Netlify vs Cloudflare Pages.)
The US default. AWS US-East-1 (N. Virginia). Default region for most AWS resources, the cheapest, the largest. Functions, S3 buckets, RDS databases all serve from Virginia unless explicitly moved.
The defensible difference. When the regulator asks “where does the request render,” the Vercel answer is “London, every time, by configuration in the project’s vercel.json.” The AWS-default answer is “US-East unless someone remembered to override it, and we’d need to audit each resource individually.” The first is a posture; the second is a project.
Cost. Vercel Pro is $20 per seat per month. For a single-seat UK Web Marketing client site that’s roughly £16 at current FX. AWS US-East is cheaper in absolute terms — but the defensibility cost (TIA, supplementary measures, ongoing review) eats the saving twice over for any regulated SMB.
Resend EU vs SendGrid
The pick. Resend, with the eu-west-1 region selected in the dashboard. Transactional email for booking confirmations, contact-form acknowledgements, magic-link logins. The Free tier covers up to 3,000 emails/month; the Pro tier is $20/month for 50,000.
The US default. SendGrid (Twilio). The most widely used transactional email vendor. Data plane is US, with limited EU support behind enterprise contracts.
The defensible difference. Resend was built EU-native from the start. The Ireland region is a checkbox, not a contract negotiation. SendGrid’s EU residency is genuinely possible but requires Twilio Enterprise pricing — typically four-figure monthly commits that no UK SMB takes. So in practice SendGrid means US-resident customer email metadata, which is the precise thing GDPR Article 44 (“transfers to third countries”) regulates.
For clinics, this matters specifically because appointment-confirmation emails contain protected health information by inference — patient name + clinic identity + appointment date implies a treatment relationship. PHI in transit through US email infra is the kind of thing the ICO has fined NHS trusts over. (See Why your UK clinic website probably breaks GDPR.)
Plausible EU vs Google Analytics 4
The pick. Plausible, EU-hosted, on the Pro plan (€19/month for the up-to-100k-pageviews tier). Cookieless by design — no client identifier, no IP store, no fingerprinting. No cookie banner required under UK GDPR, because Plausible isn’t processing personal data.
The US default. Google Analytics 4. Free, ubiquitous, and structurally incompatible with UK GDPR after the Schrems II / Austrian DSB / French CNIL findings — multiple EU regulators have ruled GA4 unlawful as deployed because client IPs and cookie IDs constitute personal data exported to the US.
The defensible difference. Plausible’s data flow is: page view → EU server → aggregated counter increment. No personal data ever leaves the EU because no personal data is ever collected. GA4’s data flow is: page view → cookie set → client ID + IP → Google US infrastructure → reporting via Google Cloud. The first survives the regulator’s question; the second triggers it.
Cost saving. Plausible Pro is €19/month (~£16). GA4 is “free” but the compliance cost of running it on a regulated UK SMB site is the cost of writing a CNIL-style supplementary-measures document, which any external counsel will quote at four figures.
Capsule Manchester vs HubSpot
The pick. Capsule CRM (Zestia Ltd, Manchester). UK-incorporated, UK-resident data, hosted on UK infrastructure. Plans from £15/user/month (Starter) through £36/user/month (Growth). (Full comparison: Capsule vs Pipedrive vs HubSpot.)
The US default. HubSpot. The dominant SMB CRM globally; data resident in the US for most plans, with EU residency available only on enterprise tiers.
The defensible difference. Capsule’s processor agreement names a single UK data centre. The sub-processor list is short and EU/UK-resident. HubSpot’s processor agreement names dozens of US sub-processors, and EU customer data is co-mingled with US customer data in the same logical tenants on the cheaper plans. For a UK accountancy practice subject to ICAEW confidentiality, that co-mingling is the structural issue, not a feature.
The smaller story. Capsule is also a better tool for the actual SMB job — a five-person practice tracking 200 active clients does not need HubSpot’s marketing automation pillar. It needs contacts, opportunities, and tasks. Capsule does that for less than half the price, in Manchester.
What the stack costs, monthly
Foundation-tier client on the EU-sovereign stack:
- Vercel Pro: ~£16
- Resend (free tier sufficient for under 3,000 emails/month): £0
- Plausible Pro (small-traffic site, Starter tier ~€9/mo): £8
- Cloudflare (DNS + email routing, free): £0
- Foundation total: ~£24/month in pure vendor cost
Growth-tier client adds:
- Resend Pro: £16
- Plausible Pro (~100k pageview tier): £16
- Capsule Starter (one seat): £15
- Growth additional: £47/month
Total Growth-tier vendor cost: roughly £71/month. Add the £195/month Growth Engine service fee and the all-in is around £266. Compare against HubSpot Marketing Hub Professional (£740/month minimum) plus a US-hosted website plus GA4 plus SendGrid Enterprise plus the supplementary-measures consultancy — and the cost question reverses entirely.
The sub-processor template
Every UK Web Marketing build ships with a /compliance page that names the four vendors above, their data-processor agreements, and the country each one operates in. The page exists because regulators ask for it — not because it converts.
Template structure (live example at ukwebmarketing.io/compliance):
- Data controller — the client business, by company number.
- Data processor — UK Web Marketing Ltd, plus the four sub-processors named below.
- Sub-processor list — one row per vendor: legal name, country, role, DPA link, contact for data subject requests.
- International transfer mechanism — for each vendor, the legal basis (UK adequacy decision for EU vendors; n/a for UK-resident vendors).
- Review date — annual, with the date logged.
This document is what a DPO asks for. Having it ready, by default, on every client site is the posture difference between “we host on AWS, the cookie banner mentions Google Analytics” and “here is our sub-processor list, dated, with DPAs linked.”
What this stack doesn’t do
Three honest call-outs:
- It’s not zero-risk. Vercel is US-incorporated even with the London region. A worst-case CLOUD Act subpoena could theoretically compel disclosure of UK-resident data. The supplementary measure is encryption-at-rest with keys held by the controller — most regulated-vertical builds add this for the booking + form-submission database via Vercel Postgres + customer-managed keys, or by routing form submissions to Capsule (UK-resident) directly.
- It’s not cheaper short-term. A WordPress + SiteGround + GA4 + HubSpot Free + Mailchimp stack is free-to-£20/month total. The EU-sovereign stack is £24-£85/month in vendor fees. The case for spending the difference is the regulator question — and the case is a regulator question, not a finance question.
- It requires ongoing review. Vendors get acquired. Resend could be bought by a US giant tomorrow. The annual sub-processor review on
/complianceexists precisely to catch this — and the managed website service does the review for you.
Closing — when this stack is the right answer
If your business is in one of the four regulated verticals, this stack is the default. If your business is unregulated — a hospitality venue, a consumer brand, an e-commerce shop selling to consumers — the case is weaker, because the regulator question never gets asked. The stack still wins on speed (Vercel London is genuinely faster than AWS US-East from any UK location) and on the GA4-vs-Plausible cookie-banner question, but the urgency is lower.
If you want this stack assembled on your site: managed website service. If you want to know which US-default vendors are currently on your build: free audit.
Related: Why your UK clinic website probably breaks GDPR, ICAEW confidentiality, SRA confidentiality, KCSIE.