We Audited Our Own Website for EU Compliance. The Results Were Not Flattering.
Rochman Maarif
As the founder of PT ADI TJANDRA TEKNOLOGI, the organization behind the YPYM ecosystem, he is guided by a core conviction: digital infrastructure is not a marketing expense, but a strategic financial asset.
On building digital infrastructure properly, starting with our own.
There is a category of problem that is easy to identify in someone else's system and easy to ignore in your own. GDPR compliance, for most web products built outside the European Union, belongs exactly to that category.
The regulation has been enforceable since May 2018. The core requirements are not ambiguous: you do not track users before they consent, you do not store personal data without a clear legal basis, and you do not make technical decisions that route user data through third-party infrastructure without explicit disclosure.
Eight years of enforcement actions, penalty notices, and case law have produced a body of guidance that is, at this point, highly specific about what compliance actually looks like.
Most websites built in Southeast Asia are not compliant. That is not an accusation. It is an audit reality that applies to the overwhelming majority of web products built anywhere outside the EU, typically by teams who were not factoring European data subjects into their technical choices.
We were not an exception.
In April 2026, we executed a comprehensive compliance audit of ypym.app. The operational logic was straightforward: YPYM builds digital infrastructure for businesses scaling into European markets. If we cannot demonstrate structural compliance on our own platform, the credibility of our engineering is fundamentally undermined.
The findings were instructive.
The Audit: Structural Failures in Default Deployments
Our architecture revealed multiple compliance gaps that had been overlooked:
- Unconditional Tracking: Google Analytics 4 (GA4) was loading unconditionally on every page visit. The consent panel we built into the navigation, which appeared visually complete, had no programmatic connection to the analytics scripts: the `gtag('config')` call fired regardless of user interaction. Similarly, the Meta Pixel loaded unconditionally via `connect.facebook.net`. Tracking was executing with zero consent.
- Data Leakage via Typography: Google Fonts loaded from `fonts.googleapis.com` across the application. Every request to a Google-controlled server transmits the user's IP address, an online identifier that GDPR Recital 30 treats as personal data. There was no consent, no disclosure, and no legal basis. We identified `<link>` tags embedded in 15 separate files across our layouts.
- Unjustified Data Retention: Our newsletter infrastructure stored subscriber IP addresses in a SQLite database upon submission. This was not tied to any persistent security requirement; it existed simply because the column was written into the initial schema and never revisited. Furthermore, the system activated email addresses immediately, lacking a verified double opt-in mechanism.
- Shadow Bypass: One standalone internal page (`human.astro`), which operates outside the primary layout and thus did not inherit the consent component, contained a hardcoded GA4 script. Invisible to external scanners because of a `noindex` directive, it bypassed the consent architecture entirely.
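The four findings above share one property: each is visible in the rendered HTML before any JavaScript runs. The scanner below is an added example, not ypym.app's own tooling. It takes a map of page paths to HTML strings (for a real audit, every `.html` file under an Astro `dist/` directory) and reports the requests that would leave the browser for Google or Meta infrastructure before a consent decision is possible. It also checks the one ordering rule that makes Consent Mode meaningful (the `default` command must precede `gtag.js`) and singles out `noindex` pages with findings, which is exactly the shadow-bypass case an external crawler never sees. The sample pages are constructed for this example and the measurement ID is a placeholder.

```javascript
// Added example, not ypym.app's tooling: a static scanner for the audit
// findings above. Sample pages are constructed; 'G-XXXXXXX' is a placeholder.

const THIRD_PARTY = [
  { pattern: /https?:\/\/fonts\.googleapis\.com\//i,             finding: 'google-fonts-css' },
  { pattern: /https?:\/\/fonts\.gstatic\.com\//i,                finding: 'google-fonts-file' },
  { pattern: /https?:\/\/www\.googletagmanager\.com\/gtag\/js/i,  finding: 'gtag-js' },
  { pattern: /gtag\(\s*['"]config['"]/,                           finding: 'gtag-config' },
  { pattern: /https?:\/\/connect\.facebook\.net\//i,             finding: 'meta-pixel' },
];
const GTAG_JS = /www\.googletagmanager\.com\/gtag\/js/i;
const CONSENT_DEFAULT = /gtag\(\s*['"]consent['"]\s*,\s*['"]default['"]/;
const NOINDEX = /<meta[^>]*name=["']robots["'][^>]*content=["'][^"']*noindex/i;

function scanHtml(path, html) {
  const findings = THIRD_PARTY.filter(({ pattern }) => pattern.test(html))
                              .map(({ finding }) => finding);
  // Consent Mode only helps if the 'default' command appears before gtag.js
  // in the document; otherwise the first hit goes out with storage granted.
  const gtagAt = html.search(GTAG_JS);
  if (gtagAt !== -1) {
    const defaultAt = html.search(CONSENT_DEFAULT);
    if (defaultAt === -1 || defaultAt > gtagAt) findings.push('gtag-without-consent-default');
  }
  return { path, findings, noindex: NOINDEX.test(html) };
}

function scanSite(pages) {
  const results = Object.entries(pages).map(([p, h]) => scanHtml(p, h));
  return {
    flagged: results.filter((r) => r.findings.length > 0),
    // noindex pages that still carry trackers: invisible to crawler-based scanners.
    hiddenFromScanners: results.filter((r) => r.noindex && r.findings.length > 0)
                               .map((r) => r.path),
  };
}

// For a real run: build the page map from disk after `astro build`.
function loadDist(dir) {
  const fs = require('fs'), path = require('path');
  const pages = {};
  (function walk(d) {
    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
      const full = path.join(d, entry.name);
      if (entry.isDirectory()) walk(full);
      else if (entry.name.endsWith('.html')) pages[full] = fs.readFileSync(full, 'utf8');
    }
  })(dir);
  return pages;
}

// Constructed sample: a default-deployment home page, a hidden page with a
// hard-coded GA4 snippet, and a page that gets the ordering right.
const SAMPLE_PAGES = {
  'dist/index.html': `<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-XXXXXXX');</script>
<script>var s=document.createElement('script');s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);</script>
</head><body></body></html>`,
  'dist/human/index.html': `<!doctype html><html><head>
<meta name="robots" content="noindex">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>gtag('config','G-XXXXXXX');</script>
</head><body></body></html>`,
  'dist/clean/index.html': `<!doctype html><html><head>
<script>gtag('consent','default',{ad_storage:'denied',ad_user_data:'denied',ad_personalization:'denied',analytics_storage:'denied'});</script>
<link rel="stylesheet" href="/_astro/fonts.css">
</head><body></body></html>`,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanSite(SAMPLE_PAGES), null, 2));
}
```

This is a static check: it proves a tracker is hard-coded, but it cannot prove that a dynamically injected one is gated. For that, open the DevTools Network panel with consent refused and confirm that no request to googletagmanager.com, google-analytics.com, connect.facebook.net, fonts.googleapis.com or fonts.gstatic.com appears.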
| Regulation | Relevance | Status |
|---|---|---|
| GDPR | Data privacy, tracking, forms | Partial: documentation intact, implementation gaps exist |
| ePrivacy Directive | Cookie consent prior to tracking | Non-compliant: tracking executes without consent |
| EU Whistleblowing Directive | Internal reporting procedures | Partial: form is live, procedures remain undocumented |
| NIS2 Directive | Cybersecurity for digital companies | Unexamined: requires full security audit |
| EU AI Act | If AI features are integrated | N/A currently |
| Digital Services Act | Applicable if EU traffic scales significantly | Low risk for current platform volume |
The Architecture of the Fix
We systematically dismantled and reconstructed these components over a one-week development sprint.
1. Consent Architecture & Conditional Loading: GA4 now operates strictly under Consent Mode v2. All four consent signals (ad_storage, ad_user_data, ad_personalization, analytics_storage) default to denied before the gtag.js script enters the DOM. The UI panel now dispatches a custom event (`ypym:consent-updated`) upon save, which the analytics component listens for and applies to the consent state. The Meta Pixel is no longer loaded by default; it is dynamically injected only if the user explicitly grants marketing consent.
2. Zero External Typography Requests: We stripped all proprietary external fonts (replacing Google Sans Flex with Plus Jakarta Sans) and implemented a fully self-hosted typography stack via @fontsource packages. No request leaves the browser to any Google server for font delivery. The Content Security Policy (CSP) was tightened accordingly: the Google Fonts domains were removed and font delivery is explicitly locked to 'self'.
3. Cryptographic Double Opt-In: The newsletter pipeline was rebuilt into a rigorous double opt-in model. Submissions now generate a 64-character cryptographic token with a 24-hour expiry, and an address is activated only after that token is presented. The database schema was altered to drop the `ip` column entirely. Rate limiting continues to operate per-IP in memory, preventing abuse without persisting personal data to disk.
4. The Legal Framework: Google's Data Processing Terms were accepted on February 13, 2026. The Controller-Controller Data Protection Terms were accepted today, June 3, 2026.
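The ordering in item 1 is the whole point: the `default` command has to be queued before `gtag.js` exists in the page, the panel's save action has to reach the analytics code through an event rather than a shared DOM assumption, and the pixel must not exist until marketing consent is granted. The code below is an added example, not the ypym.app component. The state handling is written as plain functions so the ordering can be checked under Node; the browser wiring at the bottom is guarded and only runs in a page. The mapping from the panel's four categories to gtag consent types, the localStorage key, the placeholder IDs and the `fbq` calls after the pixel script loads are assumptions of this example.

```javascript
// Added example, not the ypym.app consent component. Category mapping,
// storage key and IDs are assumptions; 'G-XXXXXXX' and the pixel ID are placeholders.

const CATEGORIES = ['necessary', 'performance', 'functional', 'marketing'];
const CONSENT_EVENT = 'ypym:consent-updated';   // event name from the article
const STORAGE_KEY = 'ypym-consent';             // assumed key

// The four Consent Mode v2 signals, all denied until the user decides.
const DENIED_DEFAULT = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
};

// Assumed mapping from panel categories to gtag consent types.
function toConsentSignals(prefs) {
  const g = (cat) => (prefs[cat] ? 'granted' : 'denied');
  return {
    analytics_storage: g('performance'),
    ad_storage: g('marketing'),
    ad_user_data: g('marketing'),
    ad_personalization: g('marketing'),
    functionality_storage: g('functional'),
    personalization_storage: g('functional'),
    security_storage: 'granted',   // strictly necessary; no consent required
  };
}

// 'necessary' cannot be switched off; anything not explicitly true is denied.
function normalizePrefs(prefs) {
  return Object.fromEntries(
    CATEGORIES.map((c) => [c, c === 'necessary' ? true : prefs[c] === true]),
  );
}

function createConsentController({ gtag, loadScript, measurementId, pixelId }) {
  let pixelLoaded = false;

  // Order matters: queue the denied defaults BEFORE gtag.js is added to the
  // page, otherwise the first hit is sent with storage granted.
  gtag('consent', 'default', { ...DENIED_DEFAULT, wait_for_update: 500 });
  loadScript(`https://www.googletagmanager.com/gtag/js?id=${measurementId}`);
  gtag('js', new Date());
  gtag('config', measurementId);

  return {
    isPixelLoaded: () => pixelLoaded,
    apply(prefs) {
      const signals = toConsentSignals(normalizePrefs(prefs));
      gtag('consent', 'update', signals);
      // The pixel is not loaded-and-suppressed: it does not exist in the page
      // until marketing consent is granted. Withdrawal after injection takes
      // effect on the next page load, when this gate runs again.
      if (signals.ad_storage === 'granted' && !pixelLoaded) {
        pixelLoaded = true;
        loadScript('https://connect.facebook.net/en_US/fbevents.js', () => {
          // assumed: standard init/track pair once the library is present
          if (typeof fbq === 'function') { fbq('init', pixelId); fbq('track', 'PageView'); }
        });
      }
      return signals;
    },
  };
}

// What the panel's Save button calls: persist, then broadcast the event
// the analytics component listens for.
function saveConsent(prefs, { storage, dispatch }) {
  const normalized = normalizePrefs(prefs);
  storage.setItem(STORAGE_KEY, JSON.stringify(normalized));
  dispatch(CONSENT_EVENT, normalized);
  return normalized;
}

// Browser wiring; skipped when this file runs under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); };
  const loadScript = (src, onload) => {
    const s = document.createElement('script');
    s.async = true; s.src = src; if (onload) s.onload = onload;
    document.head.appendChild(s);
  };
  const controller = createConsentController({
    gtag, loadScript, measurementId: 'G-XXXXXXX', pixelId: '0000000000',
  });
  const stored = window.localStorage.getItem(STORAGE_KEY);
  if (stored) controller.apply(JSON.parse(stored));
  window.addEventListener(CONSENT_EVENT, (e) => controller.apply(e.detail));
  // Panel side: saveConsent(prefs, { storage: window.localStorage,
  //   dispatch: (name, detail) => window.dispatchEvent(new CustomEvent(name, { detail })) });
}
```

One caveat worth stating: with the defaults denied, `gtag.js` is still fetched from googletagmanager.com and, in what Google documents as advanced consent mode, still sends cookieless pings. The request itself carries the visitor's IP address. If the requirement is no Google request at all before consent, move the `gtag.js` `loadScript` call inside `apply()` behind `analytics_storage === 'granted'`, the same way the pixel is handled.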
| Component | Status | Description / Technical Details |
|---|---|---|
| Privacy Preference Center (UI Panel) | Integrated in Header.astro | Connected via saveConsent() + custom event dispatch |
| Manage Consent Preferences (Granular) | Live in UI Panel | Per-category control: necessary, performance, functional, marketing |
| GA4 Consent Mode v2 | Implemented | Consent-gated; defaults to denied prior to explicit user opt-in |
| Meta Pixel | Implemented | Dynamically injected into the DOM only after marketing consent is granted |
| Google DPA | Accepted (Feb 2026 / Jun 2026) | Data Processing Terms + Controller-Controller Data Protection Terms accepted |
| Self-hosted Fonts | Done | Fully localized; zero requests leave the browser to Google Fonts servers |
| Newsletter Double Opt-In | Done | Cryptographic verification token required before subscriber activation |
| IP Storage Removal | Done | Database schema altered; subscriber IP addresses are no longer persisted |
| CSP Headers | Updated | Meta Pixel domains whitelisted; Google Fonts domains stripped entirely |
| human.astro Consent Bypass | Fixed | Structural layout corrected; page is now consent-gated identically to the core site |
The Default Path is the Compliance Risk
The honest observation is that none of the violations we found were obscure or malicious. They were the default behavior of tools that standard web development tutorials teach engineers to deploy without modification.
The Google Fonts <link> tag is copied directly from Google's documentation. The GA4 snippet is pulled straight from the setup interface. The newsletter stored an IP address because the developer recognized it as a common pattern.
The problem is that the default state of most modern web tools fundamentally violates the legal standards governing user data in the world's largest economic bloc.
That is the specific gap YPYM is now building documentation to close.
Starting this month, we are publishing a technical series that reconstructs each of these compliance issues from first principles: mapping the default behavior in DevTools, analyzing the legal exposure, and providing the precise, verifiable code required to fix it. We use ypym.app as the primary case study because working from real production code, exposing our own flaws and fixes, is far more useful than theoretical, sanitized examples.
This is not a course. It is not a framework. It is an architectural record of what we found, what we dismantled, and how we rebuilt it. Other engineering teams will find the same vulnerabilities in their codebases. Some will fix them. Most will not, because the default path requires no action.
The default path is the compliance risk.