EU compliance

Why location matters for your email processing

European businesses face unique challenges when choosing technology providers. With increasing regulatory scrutiny and evolving data protection requirements, the choice between EU and US-based email processing services has become critical for compliance, security, and business continuity.

100% European infrastructure and operations

EmailConnect operates exclusively within the European Union:

Physical infrastructure

• Email processing: Scaleway, Paris, France
• Storage options: Scaleway (France), Hetzner (Germany), or custom S3
• Hosting: Hetzner, Falkenstein, Germany
• All data processing within EU boundaries
• No data replication to non-EU regions
• Encrypted connections between all EU facilities

Legal jurisdiction

• Company incorporated in Leiden, Netherlands
• Operations team based in Europe
• GDPR as primary privacy framework
• EU courts as exclusive legal jurisdiction

Staff and access

• Development team located in Europe
• No remote access from non-EU locations
• Background checks under EU standards
• Access logs maintained for compliance audits

GDPR compliance by design

Unlike retrofitted compliance approaches, EmailConnect was built with GDPR principles from day one:

Data minimization

• Process only the email fields you specify
• No unnecessary metadata collection
• Configurable data retention periods
• Automatic deletion after specified periods

Purpose limitation

• Email processing only for your specified use cases
• No secondary use of your data
• No analytics or profiling without consent
• Clear boundaries on data usage

Lawful basis documentation

• Clear processing purposes for each webhook
• Documentation templates for legitimate interest assessments
• Consent management for marketing emails
• Contract fulfillment tracking for business communications

Data subject rights

• Built-in deletion capabilities
• Data portability through JSON exports
• Access request fulfillment tools
• Rectification and restriction options

Protection from US surveillance laws

US-based email processing services expose European businesses to several legal risks:

The Cloud Act implications

The US Cloud Act allows American authorities to access data stored by US companies, regardless of physical location:

• What it means: US email providers must hand over your data when requested
• Geographic scope: Applies even when data is stored in EU data centers
• Business impact: Your confidential business communications become accessible to US authorities
• Legal protection: EU businesses have limited recourse under US law

Patriot Act exposure

The USA Patriot Act grants broad surveillance powers that can affect European businesses:

• Scope: Any data processed by US companies falls under potential surveillance
• Notification: Businesses may not be informed when their data is accessed
• Duration: Data access can continue indefinitely once initiated
• Appeals: Limited legal options for European businesses to contest access

FISA court orders

Foreign Intelligence Surveillance Act (FISA) courts can compel US companies to provide data:

• Secret proceedings: Court orders often remain classified
• Broad scope: Can cover entire categories of data
• Gag orders: Companies prohibited from disclosing surveillance
• European exemption: No special protection for EU business data

EmailConnect's sovereignty guarantees

Legal immunity from US laws

• No US corporate entities: Cannot be compelled under US jurisdiction
• EU legal framework: All disputes resolved under European law
• Data location guarantees: Your data never transits US infrastructure
• Transparent reporting: Annual transparency reports on any government requests

Minimal data exposure by default

EmailConnect is designed to minimise your data footprint at every tier. Free and Maker plans default to 1-hour retention — email metadata is automatically deleted within an hour of processing. Business and Platform plans can programmatically delete email records via the API as soon as a workflow completes, reducing the exposure window to seconds.

Data Residency Mode

For organisations that need full control over where email content is stored, our Platform plan includes Data Residency Mode. When enabled:

• Content stays in your infrastructure: Email body, attachments, and headers are delivered to your webhook and stored in your own S3 — never persisted in our database
• Metadata only in EmailConnect: We retain only routing metadata (message ID, recipient address, subject, timestamps, delivery status) for operational purposes — sender addresses are not stored
• Your jurisdiction, your rules: You choose where your S3 bucket is hosted, giving you full control over content jurisdiction
• Encrypted in transit: All data flows use TLS — email ingress (STARTTLS), webhook delivery (HTTPS), and S3 uploads (HTTPS). Content is never written to disk on our infrastructure
• Zero content exposure: Since we don't store content, there is nothing to subpoena and no content to breach

Per-country email processing

Regional MX servers ensure email content is processed and stored within a specific country. Servers can be provisioned in Germany, the Netherlands, and France, with additional countries available on request. On-premise deployment is available for organisations that need to run the processing node on their own infrastructure.

See our Data Residency Mode guide for the full architecture, available regions, and sovereignty tiers.

Business continuity protection

• Regulatory stability: EU data protection law provides predictable framework
• Contract enforceability: Strong legal protections for service agreements
• Audit compliance: Documentation designed for EU regulatory requirements
• Vendor due diligence: Simplified compliance for your procurement processes

Competitive advantages

• Client confidence: Demonstrate commitment to data protection
• Regulatory approval: Simplified compliance for regulated industries
• Audit efficiency: Streamlined GDPR compliance documentation
• Market differentiation: European values as competitive advantage

Industry-specific compliance benefits

Financial services

• PCI DSS alignment: EU-based processing supports payment card security
• Basel III compliance: Data residency requirements easily met
• MiFID II reporting: Simplified transaction communication tracking
• Anti-money laundering: Enhanced due diligence with European providers

Healthcare

• Medical device regulation: EU operations align with MDR requirements
• Clinical trial regulation: Patient communication tracking within EU
• Pharmaceutical regulation: Adverse event reporting stays European
• Health data protection: Additional GDPR protections for sensitive health data

Government and public sector

• Public procurement: Preference for European suppliers in many jurisdictions
• Sensitive data handling: Enhanced protection for government communications
• Digital sovereignty: Support for national digital independence initiatives
• Security clearance: Simplified approval processes with EU providers

Compliance documentation and auditing

EmailConnect provides comprehensive compliance support:

Documentation packages

• GDPR impact assessments: Template assessments for email processing
• Vendor due diligence: Complete compliance questionnaire responses
• Security documentation: SOC 2 Type II equivalent reporting
• Breach notification: Incident response procedures and templates

Audit support

• Compliance officers: Direct access to our DPO for audit questions
• Documentation access: Real-time compliance dashboard
• Audit trail: Comprehensive logging of all data processing activities
• Certification support: Assistance with ISO 27001 and other certifications

Regular compliance updates

• Regulatory monitoring: Proactive updates on changing EU data protection law
• Policy updates: Automatic updates to reflect regulatory changes
• Training materials: Regular compliance training for your team
• Best practices: Ongoing consultation on data protection optimization

Getting started with compliant email processing

Ready to move your email automation to a truly European solution?

Questions about EU compliance requirements? Our data protection officer provides direct support for all compliance questions at dpo@emailconnect.eu.