Hello @Markus_Kieselmann I hope someone already answered this at least externally to the forums.
Basically Device Sync is in fact compliant for GDPR, you can find all the things it’s compliant for here: Trust Center — MongoDB Cloud Services | MongoDB
It even recently got CJIS and a higher level of FedRAMP certification, too. I’m not sure at what level CJIS is for Atlas, but it exceeds Interpol’s RPD and CCF requirements, meaning it well exceeds GDPR compliance requirements, it’s going to come down to how YOU choose to design the collections and infra around it.
The FedRAMP is also heavier than Germany’s BDSG, you could probably talk to the provisional authorities in your region of Germany even, about a German Government Atlas instance if enough manpower were available etc. You never know, and honestly I’m sure MongoDB wouldn’t mind said kind of conversation.
When I worked with NATO back in 2012 I know Atlas and Firebase were both infrastructure that would have been amazing to have had available. But without the special stuff involved with FEDRAMP and CJIS, it still is GDPR compliant just on its own accord in a stand alone constraint, it’s even HIPAA compliant, which HIPAA exceeds needs of GDPR, and is marginally even more strict than GDPR, which also exceeds the CFRA and other consumer data privacy acts.
That said, in Atlas the data is locked away from even employees unless exclusive circumstances and permissions from the customer directly are given for emergency situations.
And to prevent data from being transferred to MongoDB in the states? The data is local to the regional datacenter you choose. If you pick Frankfurts DC, that’s where the data is, which is ran and operated by German’s.
Amazon FRA50 Kleyerstrasse 88-90. Frankfurt am Main 60326 is the Atlas Datacenter in Germany, hosted by Amazon, manned by German born citizens, which you could always reach out to Amazon directly for any specific restrictions you need to have in place, and communicate that with MongoDB for what’s needed.
Given MongoDB is GDPR compliant, I honestly wouldn’t worry as much about that.
EDIT
And hey @Markus_Kieselmann, if you’re needing NATO compliance I do have the contact information for the Joint Information Security, Systems, and Data Command out of Ulm, as well as NCISG out of Mons, in the Joint Support and Enabling Command Headquarters. I do have the direct lines if you need questions answered of what AWS services and third party services are approved.
Which the Datacenter Europe Central - 1 regions 50, 53, ETC. are all approved datacenters, they do have channels within Amazon you can be directed through if you’re asking because of a NATO need. If this request of info isn’t related to NATO, you can freely just use the general consumer Atlas and normal AWS channels and be GDPR compliant based upon your configurations and what data you choose to collect.