Sasha Ehrlich
Compliance · EU residency
Writing for Elido since September 2024
Sasha leads compliance and EU data residency posture at Elido. They previously spent four years as a privacy associate at a Frankfurt-based commercial law firm advising SaaS exporters on Article 28 data processing agreements and Schrems II remediation, and a year as data protection counsel at a Berlin fintech.
They write the compliance posts — GDPR Article 3 territorial scope, ISO 27001 vs SOC 2 Type II in EU procurement, sub-processor disclosure obligations — and review every other post for compliance claims that need toning down. If a claim about "GDPR compliant" sneaks past Sasha, it's because the post was published on a Friday afternoon.
Sasha sits on the editorial committee for an EU-focused privacy newsletter and is a non-practising solicitor (England & Wales).
Expertise
- GDPR territorial scope and Article 3 application
- Schrems II remediation and EU-US data transfer mechanics
- ISO 27001, SOC 2 Type II, HIPAA BAA flow
- Sub-processor disclosure and DPA drafting
Posts by Sasha Ehrlich
The best EU URL shorteners in 2026 (and why it matters)
Which URL shorteners actually host in the EU, what their sub-processor lists look like, and how to read a residency claim against the underlying infrastructure
Comparisons
Are URL Shorteners Safe? A Balanced Answer for 2026
Reputable URL shorteners are safe; the real risk is opaque destinations and abuse, both manageable. How to check a short link and choose a safe provider
Compliance
GDPR for URL shorteners: what your DPO actually wants to see
A working DPO's read on the GDPR articles that apply to URL shorteners - Articles 3, 6, 28, 30, 32, 35, sub-processor disclosure, and the DPA clauses
Compliance · Cornerstone
SOC 2 and HIPAA for link tracking: a procurement answer
What enterprise security questionnaires actually ask about a URL shortener: SOC 2 controls mapped to link infrastructure and where HIPAA stops applying
Compliance
Consent Mode v2 for link tracking: what the DMA changed
Consent Mode v2 and the Digital Markets Act rewrote short-link analytics: what the four signals mean, how server-side recovery works, and what EDPB and CJEU say
Compliance
Elido vs Cuttly: EU URL shorteners, where each wins
Both Elido and Cuttly keep your link data in Europe. Where they differ - multi-region edge, SSO tier, audit log, HA - decides which is right for you.
Comparisons
SCIM and SSO for marketing tools: what enterprise IT actually asks
SAML 2.0 + OIDC + SCIM 2.0 - the procurement-checklist version. IdP compatibility, deprovisioning as audit artefact, and the marketing-tool gap
Features
Schrems II and tracking pixels: where the DPF leaves you in 2026
Schrems II invalidated Privacy Shield. The EU-US Data Privacy Framework restored adequacy in 2023. What this actually means for marketing pixels under GDPR Article 44+
Compliance
EU data residency for marketing tools: what your DPO actually asks
What 'EU data residency' means under GDPR Article 3 + Schrems II - where marketing tools leak, the server-side fix, and a procurement checklist
Compliance · Cornerstone
Cookieless attribution explained: what still works in 2026
Two attribution paths survive third-party cookie sunset - server-side identifiers and first-party redirects. A pragmatic stack for marketers who need real numbers
Compliance
Click attribution after Safari ITP: what still works in 2026
Each ITP version closed a workaround. Here's what each one broke, in date order, and the short-link redirect pattern that survives all of them
Compliance
Webhooks vs polling for click tracking: pick the pattern
When to use webhooks and when to poll the analytics API for click data: hidden costs of each, code in TypeScript and Python, plus the hybrid pattern.
Integrations
URL shortener security: what to expect from your provider
A concrete checklist for evaluating any URL shortener: URL scanning, webhook signing, API key storage, rate limiting, bot filtering, and audit logs.
Compliance
GDPR-friendly URL shorteners - what to look for in 2026
A practical checklist for evaluating URL shorteners under GDPR: EU data residency, IP truncation, DPA availability, right to erasure, and US-tool traps.
Compliance