Sasha Ehrlich
Compliance · EU residency
Writing for Elido since September 2024
Sasha leads compliance and EU data residency posture at Elido. They previously spent four years as a privacy associate at a Frankfurt-based commercial law firm advising SaaS exporters on Article 28 data processing agreements and Schrems II remediation, and a year as data protection counsel at a Berlin fintech.
They write the compliance posts — GDPR Article 3 territorial scope, ISO 27001 vs SOC 2 Type II in EU procurement, sub-processor disclosure obligations — and review every other post for compliance claims that need toning down. If a claim about "GDPR compliant" sneaks past Sasha, it's because the post was published on a Friday afternoon.
Sasha sits on the editorial committee for an EU-focused privacy newsletter and is a non-practising solicitor (England & Wales).
Expertise
- GDPR territorial scope and Article 3 application
- Schrems II remediation and EU-US data transfer mechanics
- ISO 27001, SOC 2 Type II, HIPAA BAA flow
- Sub-processor disclosure and DPA drafting
Posts by Sasha Ehrlich
SCIM and SSO for marketing tools: what enterprise IT actually asks
SAML 2.0 + OIDC + SCIM 2.0 — the procurement-checklist version. IdP compatibility, deprovisioning as audit artefact, and the marketing-tool gap
features
Schrems II and tracking pixels: where the DPF leaves you in 2026
Schrems II invalidated Privacy Shield. The EU-US Data Privacy Framework restored adequacy in 2023. What this actually means for marketing pixels under GDPR Article 44+
compliance
EU data residency for marketing tools: what your DPO actually asks
What 'EU data residency' means under GDPR Article 3 + Schrems II — where marketing tools leak, the server-side fix, and a procurement checklist
compliance
Cornerstone
Cookieless attribution explained: what still works in 2026
Two attribution paths survive third-party cookie sunset — server-side identifiers and first-party redirects. A pragmatic stack for marketers who need real numbers
compliance
Click attribution after Safari ITP: what still works in 2026
Each ITP version closed a workaround. Here's what each one broke, in date order, and the short-link redirect pattern that survives all of them
compliance
Webhooks vs polling for click tracking — pick the right pattern
A practical breakdown of when to use webhooks and when to poll the analytics API for click data: hidden costs of each approach, concrete code examples in TypeScript and Python, and the hybrid pattern that covers most production use cases.
integrations
URL shortener security — what you should expect from your provider in 2026
A concrete checklist for evaluating the security posture of any URL shortener: URL scanning, webhook signing, API key storage, rate limiting, bot filtering, and what honest providers admit they haven't finished yet.
compliance
GDPR-friendly URL shorteners — what to look for in 2026
A practical checklist for marketers and procurement teams evaluating URL shorteners under GDPR: EU data residency, IP truncation, DPA availability, sub-processor disclosure, right to erasure, and the hidden traps in popular US-based tools.
compliance