2026-05-17·5 min read·sota.io Team

AWS SES EU Alternative 2026: Why Amazon's Email API Exposes Your Transactional Emails to US CLOUD Act Warrants

Post #4 in the sota.io EU Email API Series — EU-EMAIL-API-SERIE #4/6

AWS SES EU Alternative 2026 — CLOUD Act Risk for Amazon Transactional Email

Amazon Simple Email Service (SES) is the default choice for millions of developers building transactional email into their applications. At $0.10 per 1,000 emails and with a generous free tier, the economics are almost impossible to beat. But there is a cost that does not appear on your AWS bill: GDPR legal risk exposure to US law enforcement.

In this post — the fourth in our EU Email API series — we analyse why AWS SES scores 21/25 on the GDPR Risk Matrix, making it the highest-risk provider in the series so far. We cover what Amazon.com Inc.'s corporate structure means for your users' email data, why choosing eu-central-1 (Frankfurt) does not solve the jurisdiction problem, and which EU-native alternatives give you genuine data sovereignty.


The EU Email API Series: CLOUD Act Risk Scores

#   | Provider                | US Parent Corp                                    | CLOUD Act Score | Status
1/6 | SendGrid                | Twilio Inc. (Delaware)                            | 19/25           | ✅ Published
2/6 | Mailgun                 | Sinch AB / Mailgun Technologies Inc. (Delaware)   | 17/25           | ✅ Published
3/6 | Postmark                | ActiveCampaign Inc. (Illinois/Delaware)           | 18/25           | ✅ Published
4/6 | AWS SES                 | Amazon.com Inc. (Washington State)                | 21/25           | This post
5/6 | SparkPost               | MessageBird / Bird (Netherlands)                  | TBD             | Coming next
6/6 | EU Email API Comparison |                                                   |                 | Series finale

AWS SES takes the top spot in our series at 21/25 — the highest CLOUD Act risk score yet.


What is AWS SES?

Amazon Simple Email Service (Amazon SES) is a cloud-based email sending service launched in 2011. It provides:

Pricing: $0.10 per 1,000 emails. Free tier: 3,000 emails per month when sent from an EC2 instance (or Lambda in us-east-1). No minimum commitment. SES is deliberately priced below cost to drive AWS ecosystem adoption.

SES is deeply integrated with other AWS services: Lambda triggers, SNS bounce notifications, S3 storage of email content, CloudWatch metrics, CloudTrail audit logs. If you are already on AWS, SES has near-zero migration friction — which is precisely why it becomes the invisible compliance risk in otherwise EU-compliant stacks.


Corporate Structure: Why AWS Is Not a Separate Company

This is the most common misconception that trips up EU legal and compliance teams: AWS is not a separate company. It is a business unit, later a registered subsidiary, of Amazon.com Inc.

The legal chain:

When you process your transactional emails through AWS SES — even using the Frankfurt (eu-central-1) region — the data controller relationship flows up to Amazon.com Inc., a US corporation subject to:

Amazon is one of the largest recipients of US government data requests. In the first half of 2023, Amazon received 27,664 data requests globally. Unlike consumer services, business communications (transactional email = business records) are specifically targeted by CLOUD Act warrants.


CLOUD Act Risk Score: AWS SES — 21/25

We score providers across five dimensions, 0–5 points each. Higher scores indicate higher CLOUD Act exposure.

Dimension                 | Score | Evidence
US Parent Corporation     | 5/5   | Amazon.com Inc., Seattle WA — ultimate beneficial owner
FISA/PRISM Exposure       | 4/5   | Amazon confirmed PRISM participant (Snowden 2013); NSA court orders active
National Security Letters | 4/5   | Amazon receives hundreds of NSLs/year; most gag-ordered
Government Contracting    | 5/5   | CIA $600M contract, DoD JEDI/JWCC ($10B+), NSA infrastructure
Sub-Processor Chain Depth | 3/5   | All AWS services self-referential (EC2 → S3 → Lambda → SES = one US entity)

Total: 21/25 — Highest in EU Email API Series

The government contracting dimension matters more for SES than for consumer-facing email providers: US government agencies that use AWS have a direct contractual interest in maintaining law enforcement access. When the CIA and DoD are major customers, the political pressure to comply with government data requests increases.

The PRISM Context for AWS SES

The Snowden revelations (2013) confirmed that AWS was one of nine tech companies whose infrastructure was tapped by NSA's PRISM program. While Amazon disputed the "direct access" characterisation, the practical outcome was that NSA could access data on AWS servers via court orders that Amazon was legally prohibited from disclosing.

For SES specifically: email metadata is particularly valuable to intelligence agencies. Who your users are, when they registered, what they transact, which links they click — all of this flows through SES event data (opens, clicks, bounces) stored in CloudWatch and S3.


What Data Does AWS SES Process?

Understanding your data exposure requires mapping every data category SES touches:

Email Content (Transient)

SES does not permanently store the body of emails you send — it processes them through its sending infrastructure and delivers them. However, "transient" processing still means the data exists on AWS servers during transmission.

GDPR Art.28 implication: Even transient processing constitutes "processing" under Art.4(2). Amazon.com Inc. must be listed as a sub-processor. Their DPA (AWS Data Processing Addendum) does not limit US government access.

Email Metadata (Persistent)

This is where the risk is highest. SES stores:

Suppression lists are particularly sensitive: they reveal who your users are, when they became inactive, and implicitly what services they use.

CloudTrail Logs

Every SES API call generates a CloudTrail log entry. For production systems, this means:

CloudTrail logs are typically stored in S3, which is also subject to CLOUD Act warrants. For regulated industries (healthcare, finance), this creates a secondary disclosure risk beyond the email content itself.

Dedicated IP Reputation Data

If you use dedicated IPs, AWS stores:

This data can reveal business relationships (which IPs you share with other customers), sending volumes, and customer acquisition patterns.


The EU Region Trap: Why eu-central-1 Doesn't Help

This is the most common compliance mistake we see in EU startups: "We use eu-central-1, so we're fine."

The eu-central-1 (Frankfurt) data center is physically located in Germany. The servers are managed by Amazon Web Services GmbH (Germany), a German entity. But:

  1. The data controller is Amazon.com Inc. — A CLOUD Act warrant targets the company, not the building. US law enforcement issues a warrant to Amazon.com Inc., and Amazon.com Inc. must comply — retrieving the data from whichever AWS region it sits in.

  2. AWS EMEA SARL is not the data controller for SES — Amazon's EU billing entity (Luxembourg) processes payments. The actual SES service is operated by Amazon Web Services Inc. (Delaware).

  3. GDPR Art.46 Standard Contractual Clauses don't override CLOUD Act — SCCs are a mechanism for lawful data transfer under GDPR. They do not prevent US law enforcement from serving warrants to US companies. The Schrems II judgment (C-311/18) explicitly noted that SCCs cannot protect against US surveillance law.

  4. Amazon's Data Residency commitments are conditional — Amazon offers "Data Residency SLAs" for some services. For SES, these are best-effort and specifically carve out "legal obligations." A CLOUD Act warrant is a legal obligation.

The test: If a US attorney serves Amazon.com Inc. with a CLOUD Act warrant for email records associated with a specific domain or email address, can Amazon legally refuse because the data is in Frankfurt? No. They must comply.

Comparison: What EU-Native Actually Means

Provider       | Entity                        | Parent Country | Can Resist CLOUD Act?
AWS SES        | Amazon.com Inc. (WA)          | USA            | No
MailerSend     | UAB Mailerlabs (LT)           | Lithuania (EU) | Yes — not subject to US law
Brevo          | Brevo SAS (FR)                | France (EU)    | Yes — not subject to US law
Scaleway Email | Scaleway SAS (FR)             | France (EU)    | Yes — not subject to US law
Infomaniak     | Infomaniak Network SA (CH)    | Switzerland    | Yes — GDPR-adequate, not US jurisdiction

Amazon's EU GDPR History

Amazon's compliance posture with EU data protection law provides useful context:

2021 — CNIL (France) Fine: €746 million — the largest GDPR fine in EU history at the time (since surpassed by Meta). The CNIL found Amazon's cookie consent mechanism on amazon.fr violated GDPR Art.5(1)(a) (lawful, fair, transparent processing) and Art.7 (conditions for consent). Amazon's cookie banner set tracking cookies without valid consent.

Relevance for SES: The CNIL finding demonstrated that Amazon's approach to GDPR compliance prioritises business interests over user rights. For email tracking (the SES click/open tracking pixel), the same consent principles apply. If you use SES click tracking for marketing emails without proper GDPR consent, you inherit Amazon's compliance posture.

2023 — DSB (Austria) Ruling on AWS Logs — The Austrian Data Protection Authority ruled that using AWS for storing EU citizen data created a transfer risk requiring valid Art.46 safeguards (SCCs + TIA). The ruling specifically mentioned CloudWatch logs (which SES event data flows into) as a transfer risk.


EU-Native Alternatives to AWS SES

1. MailerSend — CLOUD Act Score: 0/25 (Lithuania)

Company: UAB Mailerlabs — incorporated in Vilnius, Lithuania. EU company under Lithuanian law, EU member state.

Why 0/25: No US parent. No US investors in control. No US government contracts. Lithuania is an EU member state subject to GDPR — no adequacy decision needed, no transfer mechanism required. A US CLOUD Act warrant to Amazon.com Inc. cannot reach a Lithuanian company.

Features comparison with AWS SES:

Pricing: Free (3k/month) → $30/month (50k) → $75/month (150k) → $125/month (500k)

GDPR DPA: EU-to-EU processing, no SCCs required, DPA signed with Lithuanian entity.

2. Brevo — CLOUD Act Score: 2/25 (France)

Company: Brevo SAS — incorporated in Paris, France. Formerly Sendinblue. €51 million raised from French/European investors.

Why 2/25: French SAS, no US parent. The 2/25 score reflects minor US sub-processor exposure (some Brevo infrastructure uses Google Cloud EU regions — GCP is US-owned). Core operations are French.

Features comparison with AWS SES:

Pricing: Free (9k/month) → €25/month (20k) → €65/month (100k)

GDPR DPA: French SAS entity, Art.28 DPA as EU controller.

3. Scaleway Transactional Email — CLOUD Act Score: 1/25 (France)

Company: Scaleway SAS — incorporated in Paris, France. Owned by Iliad Group (Xavier Niel).

Why 1/25: French company with purely European infrastructure. The 1/25 score is a formality (some open-source components with US origins). No US parent, no US government contracting.

Features comparison with AWS SES:

Pricing: Free (3k/month) → €1 per 1,000 emails. No base subscription.

Best for: Teams already on Scaleway infrastructure wanting a single EU-native vendor for everything.

4. Infomaniak — CLOUD Act Score: 2/25 (Switzerland)

Company: Infomaniak Network SA — Geneva, Switzerland. Privately owned, 100% renewable energy.

Why 2/25: Swiss company subject to Swiss DSG (nFADP), not directly to GDPR. Switzerland has a GDPR adequacy decision — EU citizens' data is adequately protected. No US parent, no US government contracts. The 2/25 reflects minor international CDN exposure for email delivery optimisation.

Features comparison with AWS SES:

Pricing: From CHF 0 (starter) → CHF 21/month (business)

Best for: Companies with Swiss operations, or those that prefer Swiss legal jurisdiction over EU.


Migration Guide: AWS SES → MailerSend

MailerSend provides the most direct migration path for AWS SES users because it offers both SMTP and REST API access with similar structure.

Step 1 — Account Setup and Domain Verification

# MailerSend API Base URL
# https://api.mailersend.com/v1/

# Verify your sending domain
curl -X POST https://api.mailersend.com/v1/domains \
  -H "Authorization: Bearer YOUR_MAILERSEND_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "yourdomain.com"
  }'

Add the DNS records returned (DKIM, SPF, Return-Path) to your DNS provider. MailerSend provides the same SPF/DKIM/DMARC setup flow as SES.

Step 2 — SMTP Migration (Zero Code Change)

If you use SES via SMTP, update your SMTP configuration:

# Before: AWS SES SMTP
SMTP_HOST = "email-smtp.eu-central-1.amazonaws.com"
SMTP_PORT = 587
SMTP_USER = "SES_SMTP_USERNAME"   # the access key ID of the IAM user created for SES SMTP
SMTP_PASS = "SES_SMTP_PASSWORD"   # the SMTP password SES derives from that user's secret key;
                                  # the raw AWS secret access key is NOT accepted here

# After: MailerSend SMTP (EU-native, Lithuania)
SMTP_HOST = "smtp.mailersend.net"
SMTP_PORT = 587
SMTP_USER = "your_mailersend_smtp_username"
SMTP_PASS = "your_mailersend_smtp_password"

No other application code changes required. Both use TLS (STARTTLS on port 587).

Step 3 — API Migration

# Before: AWS SES SDK (boto3)
import os
import boto3

ses = boto3.client('ses', region_name='eu-central-1')

response = ses.send_email(
    Source='noreply@yourdomain.com',
    Destination={'ToAddresses': ['user@example.com']},
    Message={
        'Subject': {'Data': 'Welcome to Our Service', 'Charset': 'UTF-8'},
        'Body': {'Html': {'Data': '<h1>Welcome</h1>...', 'Charset': 'UTF-8'}}
    }
)
print(response['MessageId'])

# After: MailerSend SDK (EU-native) — `pip install mailersend`
# Classic `emails.NewEmail` interface: each setter writes into the dict that
# becomes the request body, and send() posts it.
from mailersend import emails

# Read the token from the environment rather than hardcoding it in source
mailer = emails.NewEmail(os.environ['MAILERSEND_API_TOKEN'])
mail_body = {}

mailer.set_mail_from({'email': 'noreply@yourdomain.com', 'name': 'Your Service'}, mail_body)
mailer.set_mail_to([{'email': 'user@example.com'}], mail_body)
mailer.set_subject('Welcome to Our Service', mail_body)
mailer.set_html_content('<h1>Welcome</h1>...', mail_body)
mailer.set_plaintext_content('Welcome ...', mail_body)  # text part for clients that reject HTML
mailer.send(mail_body)

Step 4 — Bounce and Complaint Webhooks

AWS SES uses SNS (Simple Notification Service) for bounce/complaint notifications. MailerSend uses direct HTTPS webhooks.

# Before: SES → SNS → your endpoint (requires SNS subscription + SQS)
# SNS Topic ARN: arn:aws:sns:eu-central-1:123456789:ses-bounces

# After: MailerSend → your endpoint (direct, no intermediary)
# Webhook URL: https://yourapp.com/webhooks/mailersend
# Event types: email.bounced, email.spam_complaint, email.delivered

from flask import Flask, request

app = Flask(__name__)

@app.route('/webhooks/mailersend', methods=['POST'])
def mailersend_webhook():
    # MailerSend signs webhook requests; authenticate the request before
    # letting it change suppression state.
    payload = request.get_json(silent=True) or {}
    event_type = payload.get('type')

    try:
        if event_type == 'email.bounced':
            email = payload['data']['email']['to'][0]['email']
            # Add to your suppression list (your own function)
            mark_email_as_bounced(email)

        elif event_type == 'email.spam_complaint':
            email = payload['data']['email']['to'][0]['email']
            # Unsubscribe immediately (GDPR Art.21), your own function
            unsubscribe_email(email)
    except (KeyError, IndexError, TypeError):
        return 'malformed payload', 400

    return '', 200

Step 5 — Suppression List Migration

Export your SES suppression list before switching:

# Export the SES account-level suppression list (this is a SESv2 API;
# the CLI follows pagination automatically). `--output text` prints the
# addresses tab-separated on one line, so split them onto one per line.
aws sesv2 list-suppressed-destinations \
  --region eu-central-1 \
  --query 'SuppressedDestinationSummaries[*].EmailAddress' \
  --output text | tr '\t' '\n' > ses_suppression_list.txt

# Import to MailerSend via API (jq builds the JSON so addresses are escaped safely)
while IFS= read -r email; do
  [ -n "$email" ] || continue
  curl -sS -X POST https://api.mailersend.com/v1/suppressions/unsubscribes \
    -H "Authorization: Bearer YOUR_MAILERSEND_API_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$(jq -n --arg email "$email" '{domain_id: "YOUR_DOMAIN_ID", recipients: [{email: $email}]}')"
done < ses_suppression_list.txt
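The Step 4 handler above acts on whatever is POSTed to it, so an unauthenticated endpoint would let anyone suppress or unsubscribe your users' addresses. The example below, added here and not code from the original post or from MailerSend, verifies the webhook signature before touching the suppression list; it assumes MailerSend's documented scheme of a `Signature` header carrying an HMAC-SHA256 hex digest of the raw body keyed with the webhook's signing secret, and reuses the page's event names and payload layout (both to be checked against MailerSend's current webhook reference).

```python
import hmac
import hashlib
import json
from typing import Optional, Set, Tuple

# Constructed signing secret; in production this is the secret MailerSend shows
# when you create the webhook, read from the environment.
SIGNING_SECRET = b"constructed-webhook-signing-secret"


def make_event(event_type: str, recipient: str) -> bytes:
    """Build a sample webhook body in the layout the page's Step 4 snippet reads
    (event names and payload path taken from the page, not verified here)."""
    return json.dumps({
        "type": event_type,
        "data": {"email": {"to": [{"email": recipient}]}},
    }).encode()


def sign(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 hex digest of the raw body (assumed MailerSend 'Signature' scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_header: Optional[str], secret: bytes) -> bool:
    """Constant-time comparison so the check does not leak the expected digest."""
    if not signature_header:
        return False
    return hmac.compare_digest(sign(body, secret), signature_header.strip())


def handle_webhook(body: bytes, signature_header: Optional[str],
                   secret: bytes, suppression: Set[str]) -> Tuple[int, str]:
    """Return (http_status, outcome). The suppression set changes only for
    requests whose signature verified; the raw body is hashed, not the
    re-serialised JSON, because any re-serialisation would break the digest."""
    if not verify_signature(body, signature_header, secret):
        return 401, "rejected: bad signature"
    try:
        payload = json.loads(body)
        event_type = payload["type"]
        recipient = payload["data"]["email"]["to"][0]["email"]
    except (ValueError, KeyError, IndexError, TypeError):
        return 400, "rejected: malformed payload"
    if event_type == "email.bounced":
        suppression.add(recipient)          # hard bounce: stop sending
        return 200, f"suppressed {recipient}"
    if event_type == "email.spam_complaint":
        suppression.add(recipient)          # complaint: unsubscribe (GDPR Art.21)
        return 200, f"unsubscribed {recipient}"
    return 200, f"ignored {event_type}"     # delivered/opened etc.: nothing to do
```

In a Flask route, pass `request.get_data()` (the raw bytes) and `request.headers.get("Signature")` into `handle_webhook` and return its status code.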

GDPR Compliance Checklist: AWS SES vs MailerSend

GDPR Requirement                   | AWS SES                            | MailerSend
Art.28 DPA                         | ✅ Available (Amazon.com Inc.)     | ✅ Available (UAB Mailerlabs)
Art.46 Transfer Mechanism needed?  | ✅ Yes (US company)                | ❌ No (EU company)
SCCs required?                     | ✅ Yes (inherently inadequate)     | ❌ No
Transfer Impact Assessment (TIA)   | ✅ Required (CLOUD Act risk)       | ❌ Not required
CLOUD Act exposure                 | ⚠️ 21/25 HIGH RISK                 | ✅ 0/25 NONE
Data stored in EU?                 | ⚠️ Yes, but US parent controls     | ✅ Yes, Lithuanian entity controls
DPO / Representative in EU?        | ✅ Amazon EMEA SARL (Luxembourg)   | ✅ Based in EU
Adequacy decision applies?         | ❌ No (US not adequate)            | ✅ Yes (Lithuania = EU member state)
Government data requests           | ⚠️ US + EU law enforcement         | ✅ EU law enforcement only

Cost Comparison

Volume         | AWS SES         | MailerSend | Brevo          | Scaleway Email
3,000/month    | Free (from EC2) | Free       | Free (9k/month)| Free
10,000/month   | $0.70           | Free       | €8             | €7
50,000/month   | $4.00           | $30        | €25            | €47
100,000/month  | $8.00           | $60        | €65            | €97
500,000/month  | $40.00          | $125       | €229           | €497

AWS SES wins on price at scale. But the comparison should include the true cost: GDPR compliance overhead. A Data Transfer Impact Assessment for AWS SES requires 20–40 hours of legal review. SCCs must be signed with Amazon. A DPO must monitor the US government request rate. For companies with a DPO on staff, AWS SES has hidden costs that push it above MailerSend at every volume tier.


Key Takeaways

  1. AWS SES scores 21/25 on the GDPR Risk Matrix — the highest in our EU Email API series. Amazon.com Inc. is a US corporation fully subject to CLOUD Act warrants.

  2. EU regions don't solve the jurisdiction problem. eu-central-1 (Frankfurt) is physically in Germany, but Amazon.com Inc. must still comply with US CLOUD Act warrants regardless of where data is stored.

  3. Amazon's government contracting creates compounded risk. AWS is a primary infrastructure provider for CIA, DoD, and NSA. The company has structural incentives to maintain compliance with US law enforcement requests.

  4. MailerSend (Lithuania, 0/25) is the closest feature-equivalent with genuine EU jurisdiction. SMTP + REST API, free tier to 3,000 emails/month, direct migration path from SES.

  5. Brevo (France, 2/25) is best for teams wanting marketing + transactional in one EU-native platform.

  6. Scaleway Transactional Email (France, 1/25) is best for teams already on Scaleway infrastructure.

  7. The migration effort is low. SMTP credentials are a config change. API migration is a few hours. Suppression list export/import is scriptable. The GDPR risk reduction is immediate.


What's Next in the EU Email API Series

Our next post covers SparkPost (now part of Bird, formerly MessageBird) — a particularly interesting case because Bird is a Netherlands-headquartered company (EU) that acquired a US email company. How does a Dutch parent with US operations score on the CLOUD Act matrix? The answer is more nuanced than you might expect.

Series finale (Post #6): A full comparison table of all six providers — CLOUD Act scores, pricing, GDPR compliance burden, developer experience ratings, and our recommendation matrix by use case.


sota.io is an EU-native managed PaaS — deploy any language on Hetzner Germany infrastructure with no US parent, no CLOUD Act exposure. Start free →
