Move fast, don't break compliance: what every founder should know
- June 2, 2026

2025 quietly became the year DDoS stopped being a "big company" problem. The bandwidth record was broken several times in a single year, each new peak holding for weeks rather than years. In one quarter alone, providers blocked roughly 20 million attacks — up around 358% year over year, which works out to about 1.5 attacks every second. Most last under ten minutes, but at an estimated $22,000 of damage per minute, even a brief outage is a six-figure event. And none of it scales with your size: a booter service will take a ten-person startup offline for the price of a dinner.
That backdrop is exactly why I wanted to put these ideas into writing: a reference you can read at your own pace and share with your team. This is my personal take, written the way I'd explain it to a founder over coffee rather than as a checklist.
The premise is simple. Startups are built on speed. We iterate fast to stay ahead of competitors. We validate product-market fit with real users and real data. We acquire users across markets and geographies. And we do all of it under the pressure of impressing investors with growth and traction. Somewhere in that sprint, two things almost always get pushed to "later": data sovereignty and security. The whole point of this piece is to argue that "later" is the most expensive word in the startup vocabulary — and that you can move fast without breaking compliance if you make a few decisions early.
The hidden assumption that gets startups in trouble
Let’s start with the belief that almost everyone in tech absorbs without realizing it: "the internet is borderless." On the surface, it feels true. You have global users from dozens of countries, cloud infrastructure spanning continents, APIs connecting services everywhere, and distributed teams working across time zones. Everything is connected, so it's easy to assume geography is an abstraction.
But regulations, infrastructure, and attackers are all very real, and they all live somewhere specific. Geographic boundaries matter more than ever, not less. The borderless internet is a developer's mental model, not a legal or security reality. Once you accept that, a lot of "surprises" stop being surprises.
What data sovereignty actually means
Data sovereignty is one of those phrases that sounds like a compliance buzzword until you break it into its parts. At its core, it determines which legal frameworks govern your data operations and your relationships with users. Five questions sit underneath it:
- Which laws apply to your data processing and user rights?
- Where is the data physically stored, i.e., the actual location of your servers and storage?
- Where is it processed? This can differ from where it's stored.
- Who can request access? That is, which governments have the legal authority to compel you to hand over data.
- And finally, dispute resolution: which courts and legal systems handle conflicts when something goes wrong?
If you can't answer those five questions about your own product today, that's not a failure — it's just the gap most early-stage companies have. But it's a gap worth closing before a customer's security questionnaire or an investor's due diligence forces you to close it in a panic.
GDPR in plain language
GDPR is worth spending time on because it's the regulation founders hear about most and understand least. Stripped of the legalese, it comes down to a handful of principles. You need a lawful basis to process personal data — consent, contractual necessity, or another legitimate reason. You can only use data for the specific purposes you disclosed when you collected it. You should practice data minimization: collect only what you actually need, because every extra field is extra risk and liability. Individuals have rights to access, correct, delete, and export their data on request. If you have a breach, you generally have 72 hours to report it to authorities and notify affected users where required.
And then the part that makes everyone sit up: fines reach up to 4% of global annual turnover or €20 million, whichever is higher. That's not a parking ticket. That's an existential number for a company that's still pre-revenue or barely profitable.
It's not just GDPR
Here's where it gets harder. GDPR is the famous one, but data regulations vary dramatically by country, by industry, and by use case. What is perfectly compliant in one jurisdiction can be outright illegal in another. If your ambition is global operations and enterprise sales, you don't get to learn just one rulebook — you have to understand the full regulatory landscape you're operating in.
Sovereignty is also about legal independence, not only data location. Some laws are extraterritorial: they apply beyond the borders of the country that wrote them, which creates overlapping and sometimes conflicting compliance obligations. Governments can compel lawful access to data, but only within their jurisdiction — which is exactly why where your data lives changes who can demand it. Operating under EU law, for example, means full compliance with EU regulations and legal frameworks, full stop.
Sovereignty has to be designed into your architecture
The most important shift to make is this: data sovereignty isn't a policy document you write once and file away. It's infrastructure design. You have to architect your systems to confine data geographically by default, rather than hoping it stays put.
In practice, that looks like deploying databases in specific geographic regions, routing and processing European data within EU boundaries, isolating data for jurisdictions that require localization, and maintaining separate environments per compliance zone. The reason this matters early is that data is always in motion. In a modern architecture, requests originate from users everywhere, hit edge nodes for caching and initial processing, and move continuously between layers and locations. If you haven't designed for territorial control, your data will naturally spread to wherever the system finds it convenient — and that's usually not where your lawyers want it.
Being compliant doesn't mean being safe
Storing your data in the EU satisfies a regulatory requirement. It does not protect you from an attack. Policies don't stop breaches. If attackers extract your data, your compliance collapses instantly — you can be perfectly "compliant" right up until the moment your users' records show up on a forum.
Sovereignty and security have to work together. Geographic compliance is meaningless if the infrastructure holding that data is vulnerable. You need both: the right data in the right place, and the protection to keep it there.
The threat landscape is worse than founders assume
In 2025 the threat environment is escalating across every vector at once — attacks are more frequent, more powerful, and more accessible than ever. Attack frequency is now a daily reality for internet-facing infrastructure. Attack power keeps climbing, with multi-hundred-Gbps DDoS becoming routine rather than exceptional. DDoS-as-a-service means anyone can rent an attack for about £50. And AI-assisted abuse brings sophisticated automation to attackers at scale.
This is where I keep running into pushback from founders: "We're tiny. Why would anyone target us?" The honest answer is that targeting has very little to do with your size. Attackers don't check your revenue before launching a DDoS — any internet-facing service is a potential target. Entire sectors get hit by coordinated campaigns, so if you're in fintech, gaming, or crypto, you're already on lists you never signed up for. Automated bots scan the internet around the clock, looking for exposed, vulnerable infrastructure. And sometimes it's just personal — a banned player, a disgruntled user, or a competitor acting out of spite.
When a large DDoS hits, the damage rarely stays contained. It's a domino effect. The attack saturates available bandwidth, congests upstream links that affect neighboring tenants, takes down co-located workloads on the same host, and cascades into the dependent services that rely on all of it. The blast radius is far bigger than the original target. And attackers know to launch at the worst possible moment — your product launch, your investor demo, your biggest marketing push, your peak revenue period — precisely because that's when downtime does the most reputational and financial damage.
DDoS is only one layer
It would be a mistake to walk away thinking this is all about volumetric attacks. DDoS is just the most visible layer. Modern threats operate across the application, API, and data layers simultaneously, which means defense has to have depth. These threats include API abuse, credential stuffing, account takeover, scraping of pricing and inventory data, and outright data exfiltration.
Bots have evolved well past the crude scripts most people picture. Today's bots route through residential proxy networks to look like genuine home users, rotate IPs and spoof geography to dodge blocklists, run headless browsers that execute JavaScript and render pages like real visitors, emulate human behavior down to mouse movements and realistic timing, and use AI to generate unique interaction signatures. Signature-based blocking alone simply can't keep up.
And it's not as simple as "block all bots," because not all bots are bad. Good bots index your content, monitor your uptime, and power legitimate integrations. Bad bots run fraud, credential stuffing, scalping, scraping, and DDoS participation. Increasingly, there's a third category — AI agents acting autonomously on behalf of real users, making purchases and booking appointments. Telling these apart requires behavioral protection: analyzing user actions and session patterns to establish a baseline, scoring risk dynamically, using ML-based anomaly detection, and recognizing sophisticated patterns through behavioral fingerprinting.
The AI arms race is also worth addressing directly. Startups use AI to build faster; attackers use AI to attack smarter, automating reconnaissance, vulnerability discovery, and adaptive evasion. The critical assumption to carry into every security decision is that automation already exists on the attacker side. Manual, periodic security reviews won't keep pace with AI-enhanced threats.
Why global infrastructure is the real answer
Effective DDoS mitigation is not about buying a better firewall for your data center. It's about intercepting attacks before they ever reach your infrastructure. That requires a globally distributed network with enough aggregate capacity to absorb and filter attack traffic at the edge, as close to the source as possible. You can't filter a multi-hundred-Gbps flood at a single origin — the link saturates long before your firewall gets a vote.
This is also why infrastructure is a strategic decision rather than a procurement detail. Migrating cloud or security providers after you've scaled takes months of engineering, testing, and risk. Retrofitting security onto an architecture that wasn't built for it means costly refactoring and redesign. Short-term infrastructure shortcuts quietly accumulate into architecture debt that constrains your growth later. The decisions you make in your first six months constrain your options for years — so choose providers with true global presence and real capacity, and think about geography early. Geographic distribution isn't just a latency optimization; it's security resilience and regulatory compliance at the same time.
Sovereignty plus security equals trust
The reason any of this matters commercially is trust, and trust converts. Companies with robust compliance and security close enterprise deals about 3x faster, because they sail through procurement instead of stalling. Security and compliance show up as critical factors in 92% of investor due diligence processes. 85% of users now consider a company's data protection practices before they even choose a service. And proper architecture enables roughly 10x faster geographic expansion, because you're not stopping to refactor every time you enter a new market. Sovereignty and security aren't a tax on growth — done right, they're an accelerant.
A practical starting point
None of this means you need a perfect compliance fortress on day one — and I want to be clear about that, because the alternative is paralysis. What you need is to understand the fundamentals and plan your path forward.
For data sovereignty, the minimal viable version is four steps:
- Know where your data lives: document the physical storage locations of all your data assets.
- Understand jurisdiction: identify which laws apply to your operations and your users.
- Map your data flows: trace how data actually moves through your infrastructure.
- Plan a regional strategy: design your expansion with sovereignty in mind rather than bolting it on afterward.
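As an added example (not code from the post or from Gcore), this is what "confine data geographically by default" and the "know where your data lives / map your data flows" steps look like as enforceable logic: a region picker that fails closed when no healthy region sits inside the subject's compliance zone, and an audit over a data-flow inventory that flags every hop holding personal data outside that zone. Zone names, region names and the sample flows are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Compliance zone -> regions inside it, and data-subject country -> required zone.
# Zone and region names are constructed for this example; use your own inventory.
ZONES = {"eu": {"eu-west-1", "eu-central-1"}, "us": {"us-east-1", "us-west-2"}}
RESIDENCY = {"DE": "eu", "FR": "eu", "US": "us"}

def zone_of(region: str) -> Optional[str]:
    """Compliance zone a region belongs to, or None if it is not inventoried."""
    return next((z for z, regions in ZONES.items() if region in regions), None)

def pick_region(subject_country: str, healthy_regions: set) -> str:
    """Choose where to store/process a subject's personal data, failing closed:
    with no healthy region inside the required zone, refuse the write rather
    than spill the data into another jurisdiction."""
    zone = RESIDENCY.get(subject_country)
    if zone is None:
        raise ValueError(f"no residency rule for {subject_country!r}")
    candidates = sorted(ZONES[zone] & healthy_regions)
    if not candidates:
        raise RuntimeError(f"no healthy region in zone {zone!r}; refusing to write")
    return candidates[0]

@dataclass(frozen=True)
class Flow:
    """One hop from a data-flow inventory (the 'map your data flows' step)."""
    name: str
    subject_country: str
    personal: bool  # False for anonymised/aggregate data, which is out of scope
    src_region: str
    dst_region: str

def audit_flows(flows: list) -> list:
    """One finding per hop that holds personal data outside its required zone."""
    findings = []
    for f in flows:
        if not f.personal:
            continue
        required = RESIDENCY.get(f.subject_country)
        for hop, region in (("source", f.src_region), ("destination", f.dst_region)):
            if zone_of(region) != required:
                findings.append(f"{f.name}: {hop} {region} is outside zone {required!r}")
    return findings

# Constructed inventory: a US edge cache quietly receives German users' session data.
SAMPLE_FLOWS = [
    Flow("api->db", "DE", True, "eu-west-1", "eu-central-1"),
    Flow("api->edge-cache", "DE", True, "eu-west-1", "us-east-1"),
    Flow("metrics->warehouse", "FR", False, "eu-west-1", "us-west-2"),
]
```

Running `audit_flows(SAMPLE_FLOWS)` surfaces only the cache hop, which is exactly the kind of "convenient" spread the architecture section warns about.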
For security, the minimal viable baseline is five layers:
- DDoS resilience against volumetric attacks;
- Application and API protection through a web application firewall and API gateway;
- Bot management that blocks abuse while letting legitimate automation through;
- Monitoring and logging for real visibility into traffic and anomalies; and
- Incident response thinking, meaning documented playbooks so your team isn't improvising mid-crisis.
Start simple, scale smart.
The core message
The goals founders care about — moving fast, shipping globally, and scaling quickly — are often framed as being in tension with sovereignty and security. They're not. They're mutually reinforcing the moment you treat infrastructure as a strategic decision instead of an afterthought.
Speed is your advantage. Compliance and security shouldn't be your weakness. Building on globally distributed infrastructure with edge-based DDoS mitigation, WAAP (web application and API protection), intelligent bot management, and clear data residency is exactly the approach we've taken with Gcore, precisely so that founders can have both: the velocity of a startup and the protection of a company ten times their size. The choices you make today decide whether you scale smoothly or spend months retrofitting security and sovereignty later.
If you're scaling across borders right now, I'd genuinely encourage you to run through those two minimal-viable checklists this week. It's a couple of hours of work that can save you a couple of quarters of pain.
And if you're an early-stage company that wants globally distributed infrastructure, edge-based DDoS mitigation, WAAP, bot management, and clear data residency without burning through your runway, that's exactly what we built the Gcore Startup Program for. You can explore it here: https://gcore.com/infrastructure-for-startups