The hidden GDPR trap - why server location isn't enough
TL;DR: EU servers ≠ GDPR compliance. Company jurisdiction matters more than you think.
The wake-up call: When Microsoft cut off the International Criminal Court
In February 2025, something unprecedented happened. Microsoft blocked the email account of Karim Khan, Chief Prosecutor of the International Criminal Court in The Hague, following US sanctions imposed by President Trump.
Think about that for a moment: A US company shut down email access for one of Europe's most important judicial institutions. Khan had to scramble to Proton Mail just to do his job. The ICC's work was virtually paralyzed.
If this can happen to the International Criminal Court, what does that mean for your business data?
The GDPR compliance reality check
Most businesses focus on where servers are located while completely missing the bigger picture. Here's what actually determines your data's protection:
✅ True EU compliance vs ❌ Hidden US exposure
| Service Type | ✅ EU-Safe Options | ❌ US Jurisdiction Risk |
|---|---|---|
| Cloud Hosting | Hetzner, Scaleway, OVHcloud | AWS, Google Cloud, Microsoft Azure |
| Email Services | Proton Mail, Tutanota, Posteo | Gmail, Outlook/Office 365, Yahoo |
| Object Storage | Scaleway Object Storage, OVHcloud | AWS S3, Google Cloud Storage |
| Analytics | Matomo (self-hosted), Plausible | Google Analytics, Adobe Analytics |
| Payments | European banks, Stripe EU | PayPal, Stripe US |
| CDN | KeyCDN, BunnyCDN | Cloudflare, AWS CloudFront |
The "European Company, US Infrastructure" trap
Here's where it gets tricky: Company X claims to be "European" and GDPR-compliant, but runs everything on AWS. This is incredibly common and creates a false sense of security.
Red flags to watch for:
- "EU-based" but infrastructure shows AWS/GCP in technical checks
- Privacy policy mentions US data processing
- Terms reference US legal jurisdiction
- Company registration outside the EU
Quick due diligence: 3 minutes to check any provider
1. Check the company registration
   - Where is it legally incorporated?
   - Is it an EU entity, or just the EU office of a US company?
2. Test their infrastructure
   - Use host-checker.net to see the real hosting
   - Look for AWS, Google Cloud, or Azure mentions
3. Read the fine print
   - Privacy policy: any US data processing?
   - Terms of service: which laws govern disputes?
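Step 2 of the checklist can be automated for the DNS part. The script below is an added example (not code from the original post or from the service it describes): it takes DNS records you have already collected with a tool such as `dig` and flags hostnames that fall under US-jurisdiction hyperscalers named in the table above. The provider domain list, the helper names and the two sample record sets are assumptions constructed for this example, not a complete catalogue and not real lookups.

```python
"""Offline check for the "EU company, US infrastructure" pattern.

Added example: given DNS records already collected (e.g. with dig), flag
hostnames that point at US-controlled hyperscalers. The provider domains
and sample records are constructed for this example, not a full catalogue.
"""
import re
from collections import defaultdict

# Indicative domains for the US-jurisdiction providers named on the page.
# Assumption: a suffix match on the hostname is good enough for a first pass.
US_PROVIDER_DOMAINS = {
    "AWS": ["amazonaws.com", "cloudfront.net", "amazonses.com"],
    "Google Cloud / Workspace": ["google.com", "googleusercontent.com", "googlehosted.com"],
    "Microsoft Azure / 365": ["outlook.com", "azurewebsites.net", "azure.com", "office365.com"],
    "Cloudflare": ["cloudflare.com", "cloudflare.net"],
}

SPF_INCLUDE = re.compile(r"include:(\S+)")


def _provider_for(hostname):
    """Return the US provider whose domain the hostname falls under, or None."""
    host = hostname.lower().rstrip(".")
    for provider, domains in US_PROVIDER_DOMAINS.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return provider
    return None


def hostnames_from_record(rtype, value):
    """Extract the hostnames a single DNS record points at."""
    rtype = rtype.upper()
    if rtype == "MX":
        # MX value looks like "10 aspmx.l.google.com."
        return [value.split()[-1]]
    if rtype in ("CNAME", "NS", "PTR"):
        return [value]
    if rtype == "TXT" and value.strip('"').startswith("v=spf1"):
        # Every include: in an SPF record names a third party allowed to send mail.
        return SPF_INCLUDE.findall(value)
    return []


def assess(records):
    """records: iterable of (owner, rtype, value) tuples as dig prints them.
    Returns {provider: [evidence strings]} for every US provider found."""
    findings = defaultdict(list)
    for owner, rtype, value in records:
        for host in hostnames_from_record(rtype, value):
            provider = _provider_for(host)
            if provider:
                findings[provider].append(f"{owner} {rtype} -> {host}")
    return dict(findings)


def verdict(records):
    """One-line result: either no US hyperscaler or a sorted provider list."""
    found = assess(records)
    return "no US hyperscaler found" if not found else ", ".join(sorted(found))


# Constructed sample: a provider that advertises itself as "EU-based".
CLAIMS_EU_BUT_US_STACK = [
    ("app.example-saas.eu", "CNAME", "d1234abcd.cloudfront.net."),
    ("example-saas.eu", "MX", "10 aspmx.l.google.com."),
    ("example-saas.eu", "TXT", '"v=spf1 include:_spf.google.com include:amazonses.com -all"'),
]

# Constructed sample: the EU-only profile the page describes (Hetzner rDNS, Proton MX).
EU_ONLY_STACK = [
    ("10.0.217.95.in-addr.arpa", "PTR", "static.10.0.217.95.clients.your-server.de."),
    ("example-eu.eu", "MX", "10 mail.protonmail.ch."),
    ("example-eu.eu", "TXT", '"v=spf1 include:_spf.protonmail.ch mx ~all"'),
]

if __name__ == "__main__":
    for label, recs in (("claims EU", CLAIMS_EU_BUT_US_STACK), ("EU only", EU_ONLY_STACK)):
        print(f"{label}: {verdict(recs)}")
        for provider, evidence in assess(recs).items():
            for line in evidence:
                print(f"  [{provider}] {line}")
```

Two caveats when reading the output: a clean DNS result only covers the hosting and mail path, so steps 1 and 3 (corporate registration and governing law) still have to be checked by hand, and a CDN or mail relay in front of the service can hide where the origin really runs, so treat a match as a reason to ask the provider, not as the final answer.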
Our approach: EU-first by design
We built our service with one principle: No compromises on jurisdiction.
- 🇪🇺 EU-incorporated company (not just an EU office)
- 🇪🇺 EU-only infrastructure (Hetzner, no AWS dependency)
- 🇪🇺 EU service chain (from analytics to payments)
- 🇪🇺 EU legal protection (no exposure to US laws)
No "kill switches." No foreign government access. No surprises.
The bottom line
The ICC case proves that good intentions don't protect your data—jurisdiction does. Before you trust any service with your business data, ask yourself: Could a foreign government shut this down tomorrow?
If the answer isn't a definitive "no," keep looking.
Want to see how truly EU-compliant email works? Try our service or check our infrastructure transparency page to see exactly where your data lives.
Questions about your current setup? Drop us a line—we're happy to help you audit your compliance risk, no strings attached.