Cloud Object Storage for SaaS: Cost and Compliance Compared

12 min read
Vladimir Terekhov
Abstract frosted glass storage cards connected by a crimson ribbon on a luminous gradient background

The same 4.8 TB of stored audio costs about $33/month on one provider and $125/month on another. For a SaaS product that records, stores, and replays media files, cloud object storage for SaaS is one of the few infrastructure decisions where the wrong default quietly compounds into a real line item. This article compares five providers across cost, EU compliance, and integration friction so you can pick the right one before retention math catches up with you.

Why Media-Heavy SaaS Storage Is a Different Problem

Most SaaS applications treat storage as an afterthought. Database rows are small. User avatars are tiny. But once your product records audio interviews, stores uploaded videos, or archives document scans, the economics shift.

Media workloads share a pattern: files are written once, replayed occasionally, and retained for a long time. A 15-minute voice interview compresses to about 20 MB. Record 5,000 of those per month and you are adding 100 GB of new data every month. After a year, you are sitting on 1.2 TB of retained audio, and the bill depends almost entirely on how much you pay per gigabyte of storage, not on how often someone presses play.

This write-once, read-occasionally pattern means egress fees matter less than you would expect. If 20% of files get replayed once per month, a 1.2 TB corpus generates only about 20 GB of monthly download traffic. That is well within the free tiers of most providers. The cost driver is the retained corpus itself.

Four other factors separate media storage from general-purpose storage decisions.

GDPR and Per-File Deletion

If your files contain personal data, you need to delete individual recordings on request. Every provider discussed here supports programmatic per-file deletion, but the operational details differ. Some providers also require lifecycle rules to clean up orphaned chunks from failed multipart uploads, which silently inflate storage bills if left unmanaged.

Browser Streaming Compatibility

Serving audio to a web player through an HTML5 <audio> element requires proper HTTP range-request support. The browser sends a Range: bytes=0-1 probe and expects a 206 Partial Content response. If the storage backend or CDN returns a plain 200 OK, Safari in particular will fail to play the file or break timeline seeking. AWS S3, Cloudflare R2, and Backblaze B2 handle range requests natively. Supabase Storage has had documented edge cases where signed URL configurations interfere with Accept-Ranges headers, sometimes requiring a proxy endpoint as a workaround.

Multipart Upload Cleanup

Failed multipart uploads can leave orphaned chunks that accumulate silently. S3, R2, and B2 support lifecycle rules to purge incomplete multipart uploads after a configurable number of days. Supabase and Bunny may require scheduled cleanup logic in your background job architecture to prevent silent data retention and billing surprises.

EU Data Residency

For EU-based products handling voice recordings or personal media, where data physically lives matters. The approaches range from simple region selection to explicit jurisdictional guarantees, and the legal exposure varies depending on whether the provider is headquartered in the US or the EU.

Cloud Object Storage for SaaS: Five Providers Compared

Supabase Storage

If you already run your database and auth on Supabase, Storage is the lowest-effort option. Files go into the same project, share the same auth layer, and use the same SDK. The Pro plan ($25/month) includes 100 GB of file storage and 250 GB of egress. Beyond that, storage overages cost about $0.021/GB-month, and uncached egress runs $0.09/GB.

EU residency is straightforward: choose an EU region (Frankfurt, London, Paris) at project creation. Supabase provides signed URLs for time-limited access, and per-file deletion is a single remove call through the Storage SDK.

The tradeoff is economic. At small volumes, the Pro base fee dominates the bill. At large volumes, the per-GB storage rate is 40-300% higher than dedicated object stores. Supabase works well as the default until retained media grows past the low single-digit terabyte range.

AWS S3 + CloudFront

S3 is the reference implementation for object storage and remains the most feature-complete option. S3 Standard in EU regions costs about $0.023/GB-month for the first 50 TB. Request pricing is negligible at media workload volumes: $0.005 per 1,000 writes and $0.0004 per 1,000 reads.

The 2026 CloudFront pricing makes this cheaper than many teams expect. CloudFront's Always Free tier includes 1 TB of data transfer and 10 million requests per month with no time limit. Transfer from S3 to CloudFront is free. For a media SaaS with modest replay volumes, CloudFront egress costs zero.

S3 supports presigned URLs, CloudFront supports signed URLs and signed cookies, and buckets can be pinned to specific EU regions. The platform handles range requests, multipart uploads, and lifecycle policies cleanly.

The downside is setup weight. For a small team or solo builder already on Supabase or Firebase, adding S3 means an AWS account, IAM roles, bucket policies, CORS configuration, and usually a CloudFront distribution with TLS. It is the right choice if you already operate on AWS. It is a harder sell if you do not.

Cloudflare R2

R2 hits the intersection of low cost and low complexity better than any other option for media workloads. Storage costs $0.015/GB-month. Egress to the internet is free, always, including beyond the free tier. The free tier itself includes 10 GB of storage, 1 million write operations, and 10 million read operations per month.

For EU compliance, R2 offers jurisdictional restrictions at the bucket level. Setting a bucket to the eu jurisdiction guarantees that objects are stored within EU member states, and the data processing agreement routes through Cloudflare's Frankfurt-based entity. This is a stronger guarantee than simple region selection.

R2 exposes an S3-compatible API that works with standard AWS SDKs. Presigned URLs for GET, PUT, HEAD, and DELETE work on the S3 endpoint. Integration from a Next.js, Node, or Python backend looks like standard S3 client code pointed at a custom endpoint. Per-file deletion is a standard DeleteObject call, and lifecycle rules handle orphaned multipart uploads.

One caveat: presigned URLs only work on R2's S3 endpoint, not on custom domains. If you want to serve files through a custom domain, you need to handle auth via Cloudflare CDN token authentication or cookies rather than S3-style presigned URLs.

Backblaze B2

B2 is the cheapest option in this comparison by a significant margin. Storage costs about $6.95/TB-month, which works out to roughly $0.007/GB-month. As of mid-2026, API transactions are free for pay-as-you-go customers. Egress is free up to three times the average monthly storage volume, which covers most write-once, read-occasionally workloads comfortably.

EU data residency is handled by selecting EU Central at account creation, which stores all data in Amsterdam. The region choice is permanent and applies to the entire account.

B2's S3-compatible API supports presigned URLs for uploads and downloads, and standard AWS SDKs work with minimal configuration. The integration story is similar to R2: point your S3 client at B2's regional endpoint and generate presigned URLs from your server.

The tradeoff is flexibility. The region is account-level, not bucket-level. Cloudflare R2's jurisdictional restrictions are more granular. And while B2's pricing is outstanding, the gap narrows if you pair R2 with its free egress and slightly richer feature set.

Bunny Storage

Bunny is an EU-headquartered company (Slovenia) and positions itself explicitly as a privacy-first, GDPR-friendly platform. Standard HDD storage costs about $0.01/GB-month per region, with no API request fees. CDN delivery in Europe runs $0.01/GB with a $1/month account minimum.

Bunny supports EU-only CDN routing filters that restrict content serving to EU points of presence. For teams that need an EU-native vendor, not just EU-hosted data, Bunny is the strongest candidate.

The integration story is where Bunny diverges. Its storage API is not S3-compatible out of the box. S3 compatibility exists but is currently in closed preview. For secure media delivery, Bunny uses its own token authentication system based on SHA256/HMAC signatures rather than S3-style presigned URLs. This works well, but it means you are writing Bunny-specific integration code rather than reusing S3 SDK patterns.

Cost Comparison at Three Scales

The table below models the approximate monthly storage bill after 12 months of data retention. It assumes 20 MB average file size, 20% monthly replay rate, and current mid-2026 list pricing. For Supabase, the $25/month Pro plan base is included because a production project that needs more than 1 GB of storage requires Pro.

Provider500 files/mo (~120 GB stored)5,000 files/mo (~1.2 TB stored)20,000 files/mo (~4.8 TB stored)
Supabase Storage (Pro)~$25~$48~$125
AWS S3 + CloudFront~$3~$28~$110
Cloudflare R2~$2~$18~$72
Backblaze B2~$1~$8~$33
Bunny Storage + CDN~$1~$13~$49

A few patterns matter more than the specific dollar amounts.

Egress barely registers. At these replay volumes, every provider's free tier or included bandwidth absorbs playback traffic. The cost difference between providers is almost entirely driven by per-GB storage price multiplied by retained data volume.

The spread widens over time. At 120 GB, the difference between cheapest and most expensive is about $24/month. At 4.8 TB, it is over $90/month. If your product retains files for years rather than months, multiply accordingly.

The Supabase number deserves context. If you are already paying the $25/month Pro fee for your database and auth, the marginal cost of Supabase Storage at 120 GB is roughly $0.42/month in overages. The comparison looks very different when the base fee is a sunk cost versus a storage-specific expense.

EU Data Residency and GDPR Tradeoffs

All five providers offer some form of EU data storage, but the mechanisms and legal exposure differ. Teams building HIPAA-compliant or regulation-sensitive infrastructure will recognize the pattern: the compliance question is not just where bytes sit, but which legal jurisdiction governs access to them.

Region selection is the baseline. AWS S3, Supabase, and Backblaze B2 let you place data in EU data centers. Your bytes live in Frankfurt or Amsterdam, but the provider is a US-headquartered company subject to US law, including the CLOUD Act, which allows US federal law enforcement to compel access to data stored overseas.

Jurisdictional restrictions go a step further. Cloudflare R2's EU jurisdiction setting pins physical storage to EU data centers and routes the data processing agreement through Cloudflare's Frankfurt-based entity. This creates a documented compliance layer beyond simple region selection.

EU-native providers avoid CLOUD Act exposure entirely. Bunny (Slovenia) operates under EU jurisdiction by default. For teams that need absolute sovereign control, self-hosted options like MinIO on EU infrastructure (Hetzner, OVHcloud, Scaleway) eliminate US corporate exposure, though they add operational burden.

For per-file deletion, all providers support programmatic object deletion through their APIs. The more subtle GDPR concern is orphaned data from failed uploads. S3, R2, and B2 support lifecycle rules that automatically purge incomplete multipart uploads after a set number of days. Supabase and Bunny require manual or scheduled cleanup to prevent silent data retention.

When to Start Simple and When to Split Storage

The decision is not really "which provider is best." It is "when does it make sense to add a second provider for media."

Start with Your Existing Stack

If you are building an MVP or running early production on Supabase, Firebase, or another platform that includes file storage, use that for your first 6-12 months. The operational simplicity of a single stack matters more than saving $15/month on storage. Your auth, permissions, and file metadata all live in one place. Uploads and deletions are simple SDK calls with no cross-service wiring.

Plan the Split at 500 GB to 1 TB

By this point, storage overages on your primary platform start to add up, and you have enough production experience to know your actual access patterns. A split architecture is straightforward: keep metadata, auth, and business logic in your primary backend. Store media files in a dedicated object store. Generate presigned URLs server-side and hand them to the client for upload and playback.

Execute at 1-2 TB or When Compliance Requires It

At this volume, the cost difference between Supabase/Firebase storage and a dedicated provider is $30-60/month, growing every month. If compliance conversations require explicit jurisdictional guarantees or EU-native hosting, that is a separate trigger regardless of volume. A well-planned cloud migration at this stage is far simpler than moving terabytes of production data later.

Provider Recommendations by Situation

Cloudflare R2 is the strongest default for most teams. It combines low cost, zero egress, explicit EU jurisdictional controls, and familiar S3-compatible tooling.

Backblaze B2 is the right pick if raw cost is the priority and you are comfortable with account-level region selection rather than bucket-level jurisdiction.

Bunny Storage is the best fit when EU-native corporate jurisdiction is a hard requirement, and you are willing to write provider-specific integration code.

AWS S3 + CloudFront makes sense for teams already operating on AWS, where IAM, VPC, and CloudFront configuration are routine rather than new overhead.

Supabase Storage is the right starting point for early-stage products already built on the Supabase platform, with a planned migration path once retained media reaches the terabyte range.

Decision Checklist

Before committing to a provider, run through these questions:

  1. How much media will you retain after 12 months? If under 500 GB, use whatever your current stack provides. If over 1 TB, dedicated object storage pays for itself quickly.
  2. Do you need EU jurisdictional guarantees or just EU region hosting? Region hosting is available everywhere. Jurisdictional restrictions narrow the field to R2 and Bunny.
  3. Does your product serve audio or video in the browser? Test range-request behavior with your chosen provider and signed URL configuration before committing. Safari failures in production are painful to debug.
  4. Are you already on AWS? If yes, S3 + CloudFront is the path of least resistance. The Always Free CloudFront tier makes egress a non-issue at moderate scale.
  5. Is S3 API compatibility a requirement? If your custom-built application relies on S3 SDK patterns for presigned URLs and multipart uploads, Bunny's non-standard API adds integration cost.

The infrastructure choices compound. A SaaS product that gets cloud object storage for SaaS right early avoids a painful migration later, when terabytes of production data make provider switches slow and risky. Pick the provider whose cost curve matches your retention model, verify range-request behavior with your target browsers, and set lifecycle rules for multipart cleanup from day one.

Share:
#Cloud Computing#DevOps#Software Development#AWS#Data Security
Vladimir Terekhov

Vladimir Terekhov

Co-founder and CEO at Attract Group

Ready to Start Your Project?

Let's discuss how we can help you achieve your business goals with cutting-edge technology solutions. Get a free consultation to explore how we can bring your vision to life.

Or call us directly:+1 888-438-4988

Request a Free Consultation

Your data will never be shared with anyone.