Potential hurdles of GDPR in relation to tardigrade-using consumer application (Germany and world-wide)

From what I understand Storj is clearly the controller by definition of the GDPR of the data, as they determine how it is processed, distributed and stored by their software, not to forget the satellites they operate.
I don’t think there is a twist that could make the GDPR not applicable for them.

I am seeing an additional challenge: Because maybe you could get off the hook of the GDPR rules for the encrypted data pieces (one could argue these are not personal information as they are not only encrypted, but also segmented so nobody can read them so they cannot be personal identifiable information).
But the Storj nodes interact directly with the up- and downloader. Therefore they process IPs (They even show up in the logs sometimes). As IPs are considered personal identifiable information, there is no question that Storj nodes process such.
And this at least would make the GDPR fully applicable for nodes in my opinion. It could again be considered differently if the nodes would only interact with central gateways operated by Storj, but this is not how Tardigrade works.

I don’t however agree that nodes are sub-processors. As Storj probably is to be considered a controller in any way, the nodes would be normal processors. But anyway I think this does not mean anything in terms of the responsibility.

I also do not agree that there need to be written contracts, as the GDPR directive states “contract or other legal act” which could be an approved certification process. However of course this does not reduce the obligations that stem from the GDPR.

As Storj self has stated that it is not GDPR compliant at the moment it turns into the tough question, if they even can legally offer their service in the EU (which means for SNO as well as for EU citizens who are using Tardigrade) currently or if they are at the risk of fines from data protection authorities any time. I wonder if the SNO then could be fined as well? Generally it is considered that if the product or service is offered within the EU, then the data processing needs to comply with the GDPR, whether or not the company is physically located there or not.

@jocelyn: Let me bring back 2 topics that I have started, that are connected with this one:
Maybe being a member in an association like Eco could help to address and resolve all those questions and uncertainties: Increasing Storjs exposure to potential partners and customers
Need for certification of GDPR compliance:
Tardigrade independent 3rd party certification / audits?