<h1>How we built EU-resident family-finance on GCP</h1>
<p><em>2026-07-03</em></p>
<p><em>Family money is the most sensitive data we hold. Here's how we built nestbalm on GCP — data in Europe, a schema per household, and a key per family.</em></p>
<p><em>A build-in-public note from the team behind nestbalm — a budgeting app for the whole household. We're pre-launch, building with families ahead of our August soft open.</em></p>
<p>Most budgeting apps start with the dashboard. We started with a more boring question: if a family trusts us with every transaction, every shared account, and their kids' allowances, where does that data physically live — and who can actually read it?</p>
<p>For a household in Germany or the wider EU, that isn't a checkbox at the bottom of a settings page. It's the whole decision. German families are, rightly, among the most privacy-cautious in Europe, and &quot;we take your privacy seriously&quot; is not a sentence anyone believes anymore. So before we built a single feature, we committed to two lines and refused to break them for convenience:</p>
<ol>
<li><strong>Data stays in Europe</strong> — everything at rest and in processing, in European regions, with no transfer to the US.</li>
<li><strong>Keys stay close to the family</strong> — each household's data is encrypted under its own key, not one master key we can sweep across everyone at once.</li>
</ol>
<p>Everything below follows from those two sentences.</p>
<h2>Compute: stateless containers, European regions</h2>
<p>We run the app on Cloud Run — stateless containers, pinned to European regions. Stateless is the point: no household data lives on the compute layer. It's just the code path between the family's device and the encrypted store, and it can be torn down and replaced without anything sensitive riding along. Region placement is enforced at the platform level, not left to a config someone can fat-finger later.</p>
<h2>Data: one schema per household</h2>
<p>Multi-tenant apps usually pick one of three isolation models. We went with the middle one, on purpose.</p>
<ul>
<li><strong>Shared tables with a <code>tenant_id</code> column</strong> is the cheapest to operate — and one careless query away from leaking one family's money data into another's. For this data, that blast radius is a non-starter.</li>
<li><strong>A database per household</strong> is the strongest wall, but the operational cost climbs steeply as families join.</li>
<li><strong>A schema per household</strong> — where we landed. Every household gets its own schema and its own tables, so isolation is enforced down at the query layer, without us running a separate database per family.</li>
</ul>
<p>It isn't free. Migrations have to fan out across every schema, and you feel that overhead in tooling and deploys. We think it's the right tax to pay when the rows are somebody's household finances.</p>
<h2>Encryption: a key per household</h2>
<p>&quot;Keys stay close to the family&quot; is a promise, so we want to be precise about what it means today and what it doesn't — because the fastest way to lose a skeptical reader is to overclaim on encryption.</p>
<p>Today, each household's data is encrypted with its own key, managed in Cloud KMS using envelope encryption. Practically, that means there is no single master key that unlocks every family at once — compromising one household's key doesn't cascade to the next. The direction we're building toward is giving families more direct custody over that key over time; where exactly that line sits at launch is something we'll state plainly in the product, not blur in a blog post.</p>
<p>If you're the kind of reader who's already drafting a comment about the difference between provider-managed and customer-held keys — good, that's the right question, and it's one we'd rather answer honestly than paper over.</p>
<h2>Identity: fewer secrets to lose</h2>
<p>Sign-in runs through established SSO / OAuth rather than us hand-rolling a password store on day one. The fewer credentials we store, the fewer we can ever lose. More sign-in options are on the roadmap; the principle stays the same — hold as little as we can get away with.</p>
<h2>Residency in practice: the unglamorous enforcement</h2>
<p>Saying &quot;data in Europe&quot; is easy. Making it structurally true is the actual work:</p>
<ul>
<li>European regions for both compute and storage.</li>
<li>Placement constraints so a service can't quietly spill into a US region under load.</li>
<li>Encryption keys created and kept in European KMS.</li>
<li>Every third party in the path vetted for <em>where</em> it processes, not just whether it's convenient.</li>
</ul>
<p>None of that is a headline feature. It's the plumbing that makes the headline honest.</p>
<h2>The honest tradeoffs</h2>
<p>Building in public means the caveats, too:</p>
<ul>
<li>Staying EU-region-only rules out some cloud services and newer features that land in the US first. We've eaten that.</li>
<li>Schema-per-household adds real migration and operational overhead.</li>
<li>A key per household adds key-management complexity we have to carry.</li>
</ul>
<p>Each of those is a genuine cost. We took them because the alternative — the convenient, US-cloud, one-big-key default — is exactly the thing families are right to be wary of.</p>
<h2>Why we're publishing this before launch</h2>
<p>nestbalm isn't fully open yet. We're building it with families, in the open, ahead of the August soft launch — and the architecture above is a commitment we're making early precisely so we can be held to it.</p>
<p>If you manage money as a household in Europe and you have opinions on where these lines should sit, that's the feedback we actually want. There's a 3-minute survey at <strong>nestbalm.app</strong>; finishing it locks in 45 days of premium free at launch.</p>
<p>Data in Europe. Keys close to the family. Made in Germany.</p>
<p>— <em>The nestbalm team</em></p>