GDPR and Screenshot APIs: Why Self-Hosting Is the Safest Approach
When does GDPR apply to screenshot processing?
GDPR applies whenever you process personal data — any information that relates to an identified or identifiable natural person. The definition is deliberately broad, and it catches screenshot workloads more often than developers expect.
Consider what your screenshots actually contain:
- Invoice or order confirmations — customer name, address, email, purchase history
- Dashboard screenshots — user account details, usage patterns, personally identifiable metrics
- Email template previews — recipient names and email addresses in the preview content
- Profile or account pages — names, avatars, contact details, preferences
- Visual regression tests on authenticated pages — any page behind a login may contain user-specific data
- OG image generation from user-created content — titles, author names, user-generated text
If any of these match your use case and you are using a SaaS screenshot API, GDPR obligations likely apply to that processing.
The data processor relationship
Under GDPR Article 28, when you engage an external service to process personal data on your behalf, that service becomes a data processor. You remain the data controller — responsible for the lawfulness of the processing and for ensuring your processor provides sufficient guarantees about data protection.
When you call a SaaS screenshot API with a URL or HTML payload:
- You send the data (HTML content, URL, cookies for authenticated sessions) to the API provider's servers
- The provider's infrastructure processes your data — renders it with headless Chromium, generates the screenshot image
- The provider returns the screenshot and (depending on their retention policy) may temporarily store the content
This is textbook data processor territory. The provider processes your personal data on your instructions, using their own technical means.
What a DPA requires
GDPR Article 28 requires a written contract — the Data Processing Agreement — between controller and processor. A compliant DPA must specify:
- The subject matter, duration, nature, and purpose of the processing
- The type of personal data and categories of data subjects
- The processor's obligations: process only on documented instructions, ensure confidentiality, implement appropriate security measures, assist with data subject rights, delete or return data on request, provide audit access
- Sub-processor restrictions: the processor must get your authorisation before engaging sub-processors
Most major screenshot API providers offer a DPA — but it is rarely signed automatically. You typically need to request it through their enterprise or legal process, or accept it through a self-serve flow in their dashboard.
The international transfer problem
GDPR Chapter V restricts transfers of personal data outside the European Economic Area (EEA) unless specific conditions are met. The three most common mechanisms are:
- Adequacy decision — the EU has determined the destination country has equivalent data protection standards
- Standard Contractual Clauses (SCCs) — contractual commitments between exporter and importer covering the transferred data
- Binding Corporate Rules (BCRs) — applicable only to intra-group transfers within a multinational
The United States does not have a blanket adequacy decision covering all US companies, though the EU-US Data Privacy Framework (DPF) covers certified organisations. Most major SaaS providers — including several screenshot APIs — are DPF-certified, which simplifies the transfer mechanism. However, DPF certification is voluntary and must be verified on the DPF list.
If your screenshot API provider is not DPF-certified, you need SCCs in addition to a DPA. This adds contractual complexity and ongoing compliance obligations.
What self-hosting eliminates
When you self-host Openkova on your own infrastructure, the data processing picture changes completely:
- No third-party processor — your own servers process the data; there is no Article 28 relationship to document
- No international transfer — deploy in your preferred AWS region, Hetzner EU DC, or on-premise; data never crosses jurisdictions you haven't chosen
- No DPA required — internal processing between your own systems does not require a processor contract
- No sub-processor risk — SaaS providers typically use sub-processors (CDNs, cloud infrastructure, monitoring tools) that each need their own assessment
- Full audit trail — you control logging, retention, and deletion entirely
This does not mean self-hosting eliminates all GDPR obligations — you still need a lawful basis for the processing and must uphold data subject rights. But it removes the third-party processor layer, which is frequently where compliance gaps occur.
Checklist: SaaS screenshot API GDPR compliance
If you are using or evaluating a SaaS screenshot API for workloads that involve personal data, work through this checklist:
| Step | Action | Notes |
|---|---|---|
| 1 | Confirm personal data is in scope | Review the HTML/URLs you send — does any content identify an individual? |
| 2 | Request and sign a DPA | Check the provider's legal or privacy page; some self-serve via dashboard |
| 3 | Verify transfer mechanism | Is the provider DPF-certified? If not, SCCs are required for US transfers |
| 4 | Review sub-processors | The DPA should list or reference the provider's sub-processor list; review for EU acceptability |
| 5 | Check data retention policy | How long does the provider store screenshot output and input data? Is deletion on-request available? |
| 6 | Update your Records of Processing Activities (ROPA) | Add the screenshot API as a processor in your Article 30 records |
Checklist: Self-hosted screenshot API GDPR approach
| Step | Action | Notes |
|---|---|---|
| 1 | Choose a compliant hosting region | Deploy Openkova in an EU region (e.g. Hetzner Falkenstein, AWS eu-west-1) to keep data in the EEA |
| 2 | Define your retention policy | Configure Openkova's storage path; implement automated deletion of screenshots after your defined retention period |
| 3 | Add to your ROPA | Record the screenshot processing activity, lawful basis, data categories, and retention period in your Article 30 records |
| 4 | Restrict access | Openkova does not include built-in auth in the OSS version; use a reverse proxy with auth (nginx, Caddy, Traefik) or network-level access controls |
Practical guidance by use case
OG image generation from public content
If your HTML templates contain only public, non-personal content (article title, publication date, site name), SaaS APIs are straightforward — no personal data, no GDPR implications for the processing itself. Either SaaS or self-hosted is fine.
Invoice and document PDF generation
Invoices almost always contain personal data: customer names, addresses, email addresses, purchase history. Self-hosting is the simplest compliant path. If using SaaS, a DPA is mandatory.
Visual regression testing on authenticated pages
Pages behind authentication may contain user-specific data depending on your product. If your regression suite screenshotting authenticated pages, those screenshots may be in scope. A self-hosted screenshot API that runs inside your CI/CD environment avoids sending that content externally.
Dashboard and analytics page screenshots
Monitoring screenshots of dashboards or admin panels containing user metrics, names, or account details are clearly personal data processing. Self-hosting is strongly recommended.
Deploying Openkova in the EU
To keep all screenshot processing within the EEA, deploy Openkova on EU-based infrastructure:
# Hetzner Cloud (Falkenstein, Germany — EU)
hcloud server create \
--name openkova-prod \
--type cx22 \
--image ubuntu-24.04 \
--location fsn1
# Then run with Docker Compose
docker compose up -dHetzner's Falkenstein and Nuremberg DCs are located in Germany. AWS eu-west-1 (Ireland), eu-central-1 (Frankfurt), and OVHcloud EU regions are all EEA-compliant options. See the Docker deployment guide for full setup instructions.
Frequently asked questions
Is using a SaaS screenshot API GDPR compliant?
It depends on what you screenshot. If the pages contain personal data, the SaaS provider becomes a data processor under GDPR and requires a signed DPA. US-based providers also require Standard Contractual Clauses or DPF certification for lawful EU data transfers. Self-hosting eliminates the third-party processor relationship entirely.
Does GDPR apply to screenshot APIs?
Yes, if the HTML or URLs you process contain personal data. Screenshots of invoices, dashboards, user profiles, email previews, and authenticated pages commonly contain personal data under GDPR's broad definition.
What is a Data Processing Agreement for a screenshot API?
A DPA is a contract required by GDPR Article 28 when you engage a third party to process personal data on your behalf. It specifies what data is processed, how it is handled, and the processor's security and compliance obligations. Most major screenshot APIs offer DPAs, but you must request and sign one — it is rarely automatic.
Can a self-hosted screenshot API be GDPR compliant?
Yes. With Openkova self-hosted on your own EU infrastructure, all processing occurs within your systems. There is no third-party processor, no international transfer, and no DPA required. You retain full control over data retention, access, and deletion.
Which screenshot APIs are GDPR compliant?
ScreenshotOne, Urlbox, and Browserless all offer DPAs. Compliance requires signing those agreements and, for US-based providers, verifying DPF certification or implementing SCCs. The simplest path is self-hosting with Openkova — no third-party agreements needed.
Openkova is MIT-licensed. Deploy in any EU region. No third-party data processor, no DPA required.