Most UK SaaS founders default to S3 in eu-west-2 and call it GDPR compliance done. It is not. S3 in London is operated by AWS Inc, a US entity. The data sits in London. The processor sits in Seattle. Under UK GDPR Chapter V and the post-Schrems II ICO position, that is a transfer to a non-adequate third country unless your DPA includes the latest SCCs and a documented Transfer Impact Assessment. Plenty of UK SMBs get away with it. Plenty also fail compliance audits because of it. We built Beamprobe (a UK virtual data room) on Cloudflare R2 with the EU jurisdiction flag instead. After six months in production, here is what worked, what tripped us up, and what I would do differently. Why R2 EU jurisdiction is different from "R2 in Europe" R2 has a jurisdiction setting at the bucket level. You can set it to EU. When you do, three things change: The bucket is pinned to EU member-state data centres. No transparent replication to North America.…