
PostgreSQL Compliance for EU Public Sector: GDPR, BSI, and Data Sovereignty

PostgreSQL compliance for EU public sector. BSI IT-Grundschutz mapping, Verwaltungscloud compatibility, and data sovereignty.

Robert Langner
Managing Director, NILS Software GmbH · 4 min read

Public Sector Requirements

EU public sector organizations have unique compliance needs:

  1. Data sovereignty: No data transfer to non-EU infrastructure
  2. Open-source preference: Auditable code, no proprietary lock-in
  3. BSI/national framework compliance: IT-Grundschutz, ANSSI, or equivalent
  4. GDPR: Full citizen data protection
  5. Accessibility: Compliance evidence must be reviewable by non-technical auditors

Why pgcomply Fits

Data sovereignty: pgcomply is a SQL file that runs inside your PostgreSQL instance. No external connections, no cloud services, no data transfer. Install it on your sovereign infrastructure and it stays there.

Open source: Apache 2.0 licensed. The complete source code is readable, modifiable, and distributable. Your IT security team can audit every function.

BSI compliance: pgcomply.health_check() maps to BSI IT-Grundschutz Module SYS.1.2:

| BSI Requirement | pgcomply Check |
|-----------------|----------------|
| SYS.1.2.A2: Installation protocol | quick_setup() with audit trail |
| SYS.1.2.A3: Access control | access_map(), enable_rls() |
| SYS.1.2.A4: Encryption | health_check() SSL_ENFORCED |
| SYS.1.2.A6: Logging | audit_log with SHA-256 chain |
| SYS.1.2.A7: Backup concept | connection_audit(), retain() |

GDPR: Full PII lifecycle management: registry, classification, deletion, consent, masking, retention, breach logging.

Deployment on Sovereign Infrastructure

# On your Verwaltungscloud / BSI-certified server
psql -h db.sovereign.local -f pgcomply.sql
psql -h db.sovereign.local -c "SELECT pgcomply.quick_setup();"

No Docker required, no package manager, no npm. One SQL file, one command.

BSI IT-Grundschutz Mapping

The BSI IT-Grundschutz framework (Module SYS.1.2 for database management systems) defines specific requirements. Here is how pgcomply maps to them:

-- Run health check and map to BSI requirements
SELECT
  rule,
  status,
  detail,
  CASE rule
    WHEN 'SSL_ENFORCED' THEN 'SYS.1.2.A4 Encryption'
    WHEN 'PW_ENCRYPTION' THEN 'SYS.1.2.A3 Authentication'
    WHEN 'SUPERUSER_COUNT' THEN 'SYS.1.2.A3 Access Control'
    WHEN 'AUDIT_INTEGRITY' THEN 'SYS.1.2.A6 Logging'
    WHEN 'ROW_LEVEL_SEC' THEN 'SYS.1.2.A3 Access Control'
    ELSE 'SYS.1.2 General'
  END AS bsi_requirement
FROM pgcomply.health_check();

Specific Requirements and Implementation

SYS.1.2.A2 — Installation and Configuration Documentation

Every pgcomply operation is logged in the immutable audit trail:

-- Verify installation and configuration history
SELECT event_type, created_at, executed_by, details
FROM pgcomply.audit_log
WHERE event_type IN ('quick_setup', 'health_check', 'retention_set', 'pii_registered')
ORDER BY created_at;

SYS.1.2.A3 — User Administration and Access Control

-- Access matrix for all roles
SELECT * FROM pgcomply.access_map();

-- Role hierarchy (who inherits what)
SELECT * FROM pgcomply.role_hierarchy();

-- Quarterly access reviews
SELECT pgcomply.start_access_review('Q1-2026-BSI');

SYS.1.2.A6 — Database Logging

-- Verify immutable audit trail
SELECT pgcomply.verify_audit();

-- DDL change tracking
SELECT * FROM pgcomply.ddl_history(since := NOW() - INTERVAL '30 days');

German Verwaltungscloud Compatibility

The Verwaltungscloud initiative encourages open-source, EU-hosted solutions. pgcomply fits because:

  • No cloud dependency: Runs on any EU-hosted PostgreSQL (Hetzner, IONOS, BWCloud, dataport)
  • No US data transfer: Zero external connections, no telemetry
  • Code auditability: Apache 2.0, single SQL file, every function readable
  • Standard PostgreSQL: No custom compiled extensions, works on distributions certified for Grundschutz

Example: Deployment on dataport (Schleswig-Holstein)

# Connect to dataport-hosted PostgreSQL (shell)
psql -h db.dataport.de -U admin -d citizen_services

-- Inside psql: install pgcomply — one SQL file, no packages
\i pgcomply.sql

-- Establish compliance baseline
SELECT pgcomply.quick_setup();

-- Generate BSI-relevant evidence
SELECT * FROM pgcomply.health_check();
SELECT * FROM pgcomply.classification_map();

Open Source Mandate Compliance

The German Sovereign Tech Fund and EU Open Source Strategy both favor open-source solutions. pgcomply Community Edition meets these requirements:

  • Apache 2.0 License: Permissive, no copyleft restrictions
  • No proprietary dependencies: Only pgcrypto (bundled with PostgreSQL)
  • Fork-friendly: Organizations can maintain their own fork if needed
  • No vendor lock-in: DROP SCHEMA pgcomply CASCADE; removes everything cleanly

Summary

The EU public sector needs compliance tools that respect data sovereignty, run on sovereign infrastructure, and are fully open-source. pgcomply meets all three requirements as a pure SQL extension with zero external dependencies.

Frequently Asked Questions

Is PostgreSQL approved for German public sector use?
Yes. PostgreSQL is widely used in German government IT. The BSI (Federal Office for Information Security) includes PostgreSQL in its IT-Grundschutz framework, and the German Verwaltungscloud initiative supports open-source databases. Many Bundeslaender and federal agencies run PostgreSQL for citizen-facing applications.

What is BSI IT-Grundschutz and how does it relate to database compliance?
BSI IT-Grundschutz is the German federal security framework. Module SYS.1.2 covers database management systems with requirements for access control, encryption, logging, backup, and hardening. These map directly to pgcomply health_check() rules: SSL enforcement, authentication, superuser minimization, and audit trail integrity.
