We're Oktopeak, a 7-person development team based in Novi Sad, Serbia. We build regulated SaaS for US founders in legal tech and healthcare. Our clients include funded US companies handling HIPAA data, attorney-client privileged documents, and DEA-regulated substances.
We've heard every due diligence question. This guide addresses the real ones: data protection, intellectual property, contracts, timezone, talent quality, and the red flags to watch for when evaluating any Serbian agency.
Data Protection: Serbia's GDPR-Aligned Framework
Serbia enacted its Personal Data Protection Law (PDPL) in August 2019, modeled directly on GDPR. As an EU candidate country actively working toward accession, Serbia has aligned its data protection framework with EU standards.
What the PDPL covers (mirroring GDPR):
- Lawful basis for processing. Personal data requires a legal basis: consent, contract, legal obligation, vital interest, public interest, or legitimate interest.
- Data subject rights. Access, rectification, erasure, portability, and objection rights.
- Breach notification. Data controllers must notify the Commissioner for Information of Public Importance within 72 hours of discovering a breach.
- Data Protection Officers. Required for organizations processing sensitive data at scale.
- Cross-border transfer rules. Transfers outside Serbia require adequacy decisions or appropriate safeguards (Standard Contractual Clauses).
For a US founder: engaging a Serbian development team carries data protection obligations similar to those of engaging one in any EU member state. The legal framework is not a gap. The gap, if any, is enforcement maturity, which is a legitimate consideration. But for software development specifically (where client data sits on US cloud infrastructure, not Serbian servers), the practical risk is minimal.
For HIPAA-regulated work specifically
Serbian data protection law is relevant but secondary. Your primary compliance obligation is HIPAA, which is US federal law. A Serbian team working on HIPAA projects operates under a Business Associate Agreement (BAA) with US-law jurisdiction. Serbia's PDPL adds a layer of protection, not a gap.
Intellectual Property: Who Owns the Code?
Your contract determines IP ownership, not Serbian law by default. But it's worth understanding the legal backdrop:
International treaty coverage:
- Berne Convention (since 1930, as successor to Yugoslavia). Automatic copyright protection for creative works including software.
- TRIPS Agreement (WTO member since 2024). Trade-related IP standards.
- WIPO Copyright Treaty and WIPO Performances and Phonograms Treaty. Digital IP protections.
Serbian IP law:
- Software is classified as a copyrightable literary work under Serbia's Law on Copyright and Related Rights.
- Work created under an employment contract belongs to the employer by default (Article 98). However, commissioned work (contractor/agency relationships) requires explicit contractual assignment.
- Serbia's IP courts are functional and handle disputes, though enforcement can be slower than US or UK courts.
What to do: Use a contract governed by US or UK law with explicit work-for-hire clauses. Specify that all code, designs, documentation, and derivative works are owned by the client. Include an arbitration clause (ICC or AAA) for dispute resolution. This is standard practice and eliminates geographic jurisdiction concerns.
We transfer code ownership progressively throughout every engagement. Our clients have full access to the repository from day one. There's never a moment where we hold code hostage or where ownership is ambiguous.
Contract Enforcement: What Happens If Things Go Wrong?
This is the question behind the question. Founders don't just want to know if their contract is valid. They want to know: can I actually enforce it?
The practical answer depends on how you structure the agreement:
| Approach | Enforceability | Recommendation |
|---|---|---|
| US-law contract + US arbitration | Strong | Best for US founders. Serbia recognizes foreign arbitral awards under the New York Convention. |
| UK-law contract + ICC arbitration | Strong | Good alternative for EU-based clients. |
| Serbian-law contract + Serbian courts | Moderate | Functional but slower. Not recommended for US founders. |
| No governing law specified | Weak | Jurisdictional ambiguity. Avoid. |
Serbia is a signatory to the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards. This means an arbitral award from a US or international tribunal is enforceable in Serbian courts. This is the same framework that covers contracts with vendors in most of the developed world.
The practical risk mitigation: structure payments in milestones (20-30% per phase). Your maximum exposure at any point is one milestone payment. Combined with progressive code transfer (full repo access throughout), the enforcement question becomes theoretical rather than practical.
Where Client Data Actually Lives
This is simpler than most founders expect. Client data lives on your cloud infrastructure, not in Serbia.
- Hosting: AWS, Azure, or GCP in US or EU regions (your choice). We configure and deploy to your account.
- Development access: Developers connect to cloud resources via VPN or secure bastion hosts. They don't download production databases to local machines.
- Test data: Synthetic data for local development. Production data never leaves the cloud environment.
- Source code: GitHub or GitLab in your organization's account. You control access and can revoke it at any time.
The development team's physical location in Serbia has no impact on where your data resides. The architecture is identical to working with a remote US team. Data sits behind IAM policies, encryption, and audit logging in a US data center.
Timezone: The Honest Picture
Serbia is CET (UTC+1). Here's what that means for US teams:
| Your Location | Gap | Daily Overlap | Reality |
|---|---|---|---|
| US East (NYC, Boston, DC) | 6 hours | 4-5 hours (7 AM-12 PM EST) | Very workable. Enough for standups, code reviews, and decision-making. |
| US Central (Chicago, Austin) | 7 hours | 3-4 hours (7-10 AM CST) | Workable with intentional scheduling. |
| US West (SF, LA, Seattle) | 9 hours | 2-3 hours (7-9 AM PST) | Tight. Requires async-first workflow. Works if your team is disciplined. |
| UK / Western Europe | 0-1 hours | Full overlap | Seamless. Same business hours. |
The honest tradeoff for West Coast teams: if your product requires daily pair programming sessions or constant real-time decision-making, a 9-hour gap is difficult. But most software development doesn't require that. It requires clear specs, async code reviews, and 1-2 synchronous touchpoints per week. For that workflow, the timezone is an advantage: your morning starts with code that was written, reviewed, and deployed to staging while you slept.
The Talent Pool
Serbia has approximately 60,000+ IT professionals. The numbers worth knowing:
- Education: The University of Belgrade and University of Novi Sad run math-heavy, theory-focused CS programs. Graduates understand algorithms, system design, and data structures, not just framework-specific skills.
- English proficiency: Serbia ranks among the highest in Eastern Europe on the EF English Proficiency Index. All professional communication, documentation, and code comments are in English.
- Retention: The cost of living in Serbia means a senior developer salary ($3,000-$5,000/month) provides a comfortable lifestyle, so talent stays in-country rather than emigrating. Lower turnover means more stable teams.
- EU candidate status: Serbia is actively working toward EU accession. The regulatory, business, and educational systems are aligning with EU standards.
What's distinctive about the best Serbian teams (and this applies to us specifically): full-stack capability across multiple stacks (we work in React/Node.js and Laravel/Vue, choosing the right tool for the domain), experience with US regulatory frameworks through actual project work (not training courses), and a direct communication style. Serbian business culture is closer to German or Dutch than to the more deferential styles common in South or Southeast Asian outsourcing markets. If your feature idea is technically unsound, we'll tell you directly.
Serbia vs Other Destinations: An Honest Comparison
| | Serbia | Poland | Ukraine | India |
|---|---|---|---|---|
| Agency rates | $60-$80/hr | $70-$100/hr | $40-$70/hr | $25-$50/hr |
| EST overlap | 4-5 hours | 4-5 hours | 4-5 hours | 1-2 hours |
| English proficiency | High | High | High | Variable |
| Political stability | Stable | Stable (EU member) | Active conflict | Stable |
| Data protection | GDPR-aligned (PDPL) | GDPR (EU member) | Developing | DPDPA 2023 |
| HIPAA/regulated exp. | Specialized teams exist | Some teams | Some teams | Rare for quality work |
Poland is the most mature Eastern European market and slightly more expensive. Ukraine has excellent talent but geopolitical risk that many US founders can't accept in 2026. India offers the lowest rates but the timezone gap (10.5 hours from EST) makes real-time collaboration difficult, and finding teams with genuine US regulatory compliance experience is significantly harder.
Serbia's positioning: European engineering quality at rates 15-30% below Poland, with GDPR-aligned data protection and a growing concentration of teams experienced in US compliance frameworks.
Red Flags When Evaluating Serbian Agencies
Not every Serbian agency is worth working with. Watch for these:
- "We do everything." A 7-person agency claiming expertise in mobile, web, AI, blockchain, IoT, and AR/VR is spreading itself thin. Look for teams with a clear specialization.
- No named projects. "We've worked in healthcare" is not proof. Named clients, specific compliance frameworks built, and verifiable outcomes are proof.
- Staff augmentation model only. If they place individual developers on your team (body shopping), they're a recruiter, not an agency. You're managing the engineering. Make sure that's what you want.
- Reluctance to sign a BAA or NDA. Signing these is standard business practice; there should be no hesitation.
- No English on calls. If the salesperson speaks English but the developers don't, communication will break down during development.
- Rates below $40/hr for agency work. At those rates, you're getting junior developers or the agency is unsustainably underbidding. Quality Serbian agency work costs $60-$80/hr. Below that, question what you're getting.
Frequently Asked Questions
Is Serbia GDPR compliant?
Serbia's PDPL (2019) is modeled on GDPR. As an EU candidate country, Serbia aligns with EU data protection standards. Engaging a Serbian team carries data protection obligations similar to those of engaging one in the EU.
Who owns the code?
You do, per your contract. Use a US-law contract with explicit work-for-hire clauses. Serbia recognizes international IP treaties (Berne, TRIPS, WIPO). We transfer code ownership progressively and provide full repo access from day one.
What if the engagement goes wrong?
Structure payments in milestones (20-30% per phase). Your maximum exposure is one milestone. Use a US-law contract with an arbitration clause. Serbia is a signatory to the New York Convention, making foreign arbitral awards enforceable.
Where does my data live?
On your cloud infrastructure (AWS/Azure/GCP) in US or EU regions. Developers access resources via VPN, never downloading production data locally. Source code is in your GitHub/GitLab account under your control.
Is the timezone gap a problem?
For East Coast teams (6hr gap): no. 4-5 hours of daily overlap is plenty. For West Coast teams (9hr gap): it requires an async-first workflow. Most software development benefits from this structure.