EU Email API Comparison 2026: CLOUD Act Final Verdict
Post #1109 in the sota.io EU Email Compliance Series — EU-EMAIL-API-SERIE Finale #6/6
Five transactional email providers. Five CLOUD Act risk scores. One pattern: every major email API either is a US company or operates through a US subsidiary. And under the CLOUD Act's addition to the Stored Communications Act (18 U.S.C. § 2713), a provider subject to US jurisdiction must hand over email content, metadata and recipient data in its possession, custody or control when served with § 2703 process (a warrant for content; a subpoena or court order for subscriber and transactional records), regardless of where in the world that data is stored and without any MLAT request to the country holding it.
This is the finale of our six-part EU-EMAIL-API-SERIE. In posts 1–5, we analysed SendGrid, Mailgun, Postmark, AWS SES, and SparkPost/Bird individually. Here, we compare all five side-by-side, explain the CLOUD Act scoring methodology, and show you which EU-native alternatives have zero CLOUD Act exposure.
The Full CLOUD Act Score Table
Our CLOUD Act risk score runs from 0 (no US connection, EU-native) to 25 (maximum US corporate and government exposure). It is the sum of five vectors scored 0–5 each, laid out in the methodology section below; each vector captures a route through which US authorities could compel disclosure without going through a mutual legal assistance treaty (MLAT).
| Provider | Parent Entity | HQ | CLOUD Act Score | Key Risk Factor |
|---|---|---|---|---|
| AWS SES | Amazon.com Inc. | Washington State | 21 / 25 | FISA §702 directive exposure, CIA/DoD contractor, US-incorporated parent |
| SendGrid | Twilio Inc. | San Francisco CA | 19 / 25 | Delaware corp; SCC-based transfers need a Schrems II transfer impact assessment |
| Postmark | ActiveCampaign Inc. | Chicago IL | 18 / 25 | Delaware holding, Illinois operations, broad SaaS toolchain exposure |
| Mailgun | Sinch AB (US subsidiary Mailgun Technologies, Inc.) | Sweden / US | 17 / 25 | US operating entity inside the Sinch group |
| SparkPost / Bird | Bird BV + SparkPost Inc. | Netherlands / Delaware | 16 / 25 | Delaware subsidiary remains primary processing entity |
| MailerSend | UAB Mailerlabs | Vilnius, Lithuania | 0 / 25 | EU-incorporated, Hetzner infrastructure, no US entity |
| Brevo | Brevo SAS | Paris, France | 2 / 25 | French company, minor US CDN sub-processor only |
| Scaleway Transactional Email | Scaleway SAS | Paris, France | 1 / 25 | Iliad Group subsidiary, 100% EU infrastructure |
Why AWS SES Scores Highest (21/25)
Amazon.com Inc. is the single most legally exposed entity in this series. Three factors combine that no other provider matches:
1. FISA §702 exposure. Amazon was not among the nine companies named in the 2013 PRISM slides (Microsoft, Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL and Apple), but as a US electronic communication service provider AWS can be served with §702 directives. These compel disclosure of the communications of non-US persons reasonably believed to be outside the US on the basis of annual FISC-approved certifications, not an individualised probable-cause warrant, and the data subject is never notified.
2. Major US government cloud contractor. Amazon holds the CIA's $600 million C2S contract (2013) and the NSA's classified cloud contracts. The legal and operational entanglement with US intelligence agencies creates structural conflicts of interest that cannot be solved by EU data residency.
3. US incorporation. Amazon.com Inc. is a Delaware corporation headquartered in Seattle, Washington, so it sits squarely within US jurisdiction. The CLOUD Act (18 U.S.C. § 2713) requires a provider subject to that jurisdiction to produce stored data in its possession, custody or control when served with § 2703 process, wherever the data is located. EU-based S3 buckets and AWS EU regions are not exempt.
If your transactional email goes through AWS SES, every recipient address, delivery timestamp and message header is potentially reachable by US legal process, whether a § 2703 warrant or a §702 directive, regardless of which AWS region you specify.
Why SparkPost Scores Lowest (16/25) — But Still Not Safe
SparkPost scores 16/25 because Bird BV, its Amsterdam-based parent, is genuinely European: incorporated in the Netherlands and subject to the Autoriteit Persoonsgegevens (AP). This earns it the most favourable score of the five US-backed providers.
But SparkPost Inc., the entity that actually processes your email, manages your sending IPs and stores your template data, remains a Delaware corporation headquartered in Columbia, Maryland. Bird (then MessageBird) acquired SparkPost in 2021 but did not reincorporate it under Dutch law.
The 16 points SparkPost scores come entirely from that Delaware subsidiary. The CLOUD Act does not care about corporate family trees. It cares about the entity that has possession, custody, or control of the data — and that's SparkPost Inc.
The CLOUD Act Scoring Methodology
For transparency, here are the five scoring vectors we applied to each provider:
Vector 1: US Incorporation (0–5 points)
- 0: No US entity in the corporate structure
- 2: US sub-processor only (not primary processing entity)
- 4: US subsidiary with operational data access
- 5: Primary entity is US-incorporated
Vector 2: Intelligence Agency Exposure (0–5 points)
- 0: No documented US intelligence relationships
- 1: Standard US person/foreign data FISA exposure
- 3: Named in mass surveillance programmes or contractor relationships
- 5: PRISM participant + active classified contracts
Vector 3: FISA §702 / National Security Letter Risk (0–5 points)
- 0: Not subject to US FISA jurisdiction
- 3: Subject to FISA via US parent
- 5: Primary FISA target history documented
Vector 4: SCC / Transfer Mechanism Resilience (0–5 points)
- 0: No SCCs needed (EU-native)
- 2: SCCs in place, no known DPA challenges
- 4: SCCs challenged by national DPAs post-Schrems II
- 5: SCCs effectively invalidated for this data category
Vector 5: EU Data Residency Effectiveness (0–5 points)
- 0: Data never leaves EU jurisdiction
- 1: EU data centres, no US transfer
- 3: EU regions available but US entity retains access
- 5: EU regions exist but CLOUD Act override documented in TOS
What GDPR Art. 28 Requires When Using These Providers
Under GDPR Article 28, you may only engage a processor under a binding contract, the Data Processing Agreement (DPA), whose mandatory terms include, among others:
- Processing only on your instructions (Art. 28(3)(a))
- Confidentiality obligations (Art. 28(3)(b))
- Appropriate technical and organisational measures (Art. 28(3)(c))
- No sub-processing without authorisation (Art. 28(3)(d))
- Assistance with your security, breach-notification and impact-assessment obligations under Arts. 32–36 (Art. 28(3)(f))
The fundamental problem: when a US provider is served with a CLOUD Act warrant it is legally required to comply, and a non-disclosure order under 18 U.S.C. § 2705(b) will usually bar it from telling you. That makes the "processing only on your documented instructions" term impossible to honour in practice for that disclosure.
The national DPAs that ruled on Google Analytics and similar US services in 2022 (Austria's DSB, France's CNIL and Italy's Garante among them) reached the same conclusion: SCCs on their own do not close the gap, because US surveillance law (FISA §702 in particular) does not give EU data subjects protection "essentially equivalent" to the GDPR, the standard the CJEU set in Schrems II (C-311/18).
The same logic applies to transactional email providers.
EU-Native Alternatives: The Three You Should Evaluate
MailerSend — 0/25 CLOUD Act Score
Corporate structure: UAB Mailerlabs, incorporated in Vilnius, Lithuania. No US entity, no US investors with board control, no US sub-processors for the core email pipeline.
Infrastructure: Servers in Hetzner Online GmbH (Germany/Finland) and OVHcloud (France/Germany). All data remains in EU jurisdiction.
GDPR compliance: As a Lithuanian UAB processing data entirely within the EU, MailerSend is subject to Lithuanian DPA (VDAI) oversight. No SCCs required for EU-to-EU data transfers.
Developer experience: REST API with Node.js/PHP/Python/Go SDKs. The send payload (from, to, subject, text/html) maps closely onto SendGrid's v3 schema, so call sites migrate one-to-one, though it is not a byte-for-byte drop-in. Webhook support for delivery events, opens, clicks and spam complaints.
Pricing: Free tier (3,000 emails/month), paid from $35/month for 100,000 emails.
When to choose MailerSend: the strictest compliance requirements (financial services, healthcare, legal), public sector, or any organisation whose Data Protection Officer needs a clean legal basis with no transfer analysis.
Brevo — 2/25 CLOUD Act Score
Corporate structure: Brevo SAS (formerly Sendinblue), Paris, France, founded 2012. Its later growth funding included US-based institutional investors; that, together with the US CDN sub-processor noted in the table, accounts for the 2/25 score.
Infrastructure: Primarily OVHcloud (France) and Scaleway. EU-region default.
GDPR compliance: French DPA (CNIL) oversight. Strong track record — CNIL issued no enforcement against Brevo in 2022-2025 period.
Developer experience: Full transactional email API, marketing automation, SMS, WhatsApp channels. More feature-rich than MailerSend for multi-channel campaigns.
Pricing: Free tier (300 emails/day), Starter from €25/month.
When to choose Brevo: Organisations that want transactional + marketing email from one EU-native provider. Larger teams that need workflow automation alongside transactional sends.
Scaleway Transactional Email — 1/25 CLOUD Act Score
Corporate structure: Scaleway SAS, Paris, France, a subsidiary of the Iliad Group controlled by Xavier Niel. 100% French ownership, 100% EU board.
Infrastructure: Scaleway's own data centres in Paris and Amsterdam. No hyperscaler dependency.
GDPR compliance: CNIL oversight. Iliad Group has taken explicit public positions against extraterritorial US access to European data, and Scaleway has publicly argued for sovereignty requirements in the EU cloud certification scheme (EUCS).
Developer experience: REST API, SMTP relay. Less mature SDK ecosystem than MailerSend or Brevo — best for developers already in the Scaleway ecosystem (Object Storage, Kubernetes, Databases).
Pricing: €1 per 1,000 emails (pay-as-you-go).
When to choose Scaleway: Organisations already on Scaleway for compute/storage. Best for single-vendor EU-native stack.
Migration Path: From US Email API to EU-Native
Switching transactional email providers is one of the lower-risk infrastructure migrations. Your application calls an API: swap the credentials and endpoint, and adjust the payload schema if needed. The part that is easy to forget is DNS: publish the new provider's DKIM keys and add its SPF include for your sending domain, then confirm DMARC alignment on test sends before any production traffic moves. Deliverability problems after a switch are almost always authentication problems.
Step 1: Audit Your Email Sending (1 hour)
# Find all email-sending code and config in your codebase.
# -w matches whole words so "ses" does not hit "sessions" or "uses";
# -i also catches SENDGRID_API_KEY-style env vars and SMTP relay hostnames.
grep -rwil -E 'sendgrid|mailgun|postmark|ses|sparkpost|smtp\.(sendgrid\.net|mailgun\.org|postmarkapp\.com|sparkpostmail\.com)|email-smtp\.[a-z0-9-]+\.amazonaws\.com' \
  --include="*.js" --include="*.ts" --include="*.py" --include="*.go" \
  --include="*.rb" --include="*.php" --include="*.env*" --include="*.yml" --include="*.yaml" .
Step 2: Map Your Email Types
Categorise every automated email your application sends:
| Email Type | Volume/Month | GDPR Sensitivity | Migration Priority |
|---|---|---|---|
| Transactional (receipts, confirmations) | High | Medium | P0 |
| Password reset / account security | Medium | High | P0 |
| Marketing newsletters | High | Medium | P1 |
| Developer notifications | Low | Low | P2 |
Step 3: Choose Your EU Provider
| Scenario | Recommended Provider |
|---|---|
| Strict compliance required (fintech, health, legal) | MailerSend (0/25) |
| Combined transactional + marketing | Brevo (2/25) |
| Already on Scaleway infrastructure | Scaleway TE (1/25) |
| High volume (>10M emails/month) | Brevo or MailerSend dedicated IPs |
Step 4: Test in Parallel (2 weeks)
Never cut over all traffic at once. Use feature flags or percentage routing:
// Example: route roughly 10% of sends to the EU provider.
// Math.random() is not sticky: the same recipient may hit either provider
// on successive sends, which is fine for a rough deliverability comparison.
const useEuProvider = Math.random() < 0.10;
if (useEuProvider) {
  await mailersend.send(message); // EU provider client
} else {
  await sendgrid.send(message);   // incumbent US provider client
}
Compare bounce rates, complaint rates, deliverability scores and inbox placement across the two cohorts before moving more traffic. If the EU provider gives you dedicated IPs, warm them up gradually rather than shifting your full volume on day one.
Step 5: Update Your GDPR Documentation
After migration:
- Terminate the old DPAs (SendGrid/Mailgun/etc.) and exercise the deletion or return of data clause (Art. 28(3)(g))
- Sign new DPA with EU provider
- Update your Privacy Policy's "Third Party Processors" section
- Update your Records of Processing Activities (ROPA) under Art. 30
The Series Conclusion: Email Is Personal Data
Every email address in your transactional system is personal data under GDPR Art. 4(1). Every bounce notification, every delivery timestamp, every open/click event creates a detailed behavioural profile of your users.
When you route that data through a US-incorporated email API, you are creating a legal exposure that cannot be fixed by:
- EU data residency (US CLOUD Act applies regardless of geography)
- Standard Contractual Clauses (SCCs cannot override US law enforcement demands)
- Privacy Shield successors (Data Privacy Framework has structural vulnerability to US intelligence override)
The only reliable solution is to use providers incorporated under EU law, processing data on EU infrastructure, with no US entity in the data-access chain.
MailerSend scores 0/25. Brevo scores 2/25. Scaleway scores 1/25.
That's the standard your transactional email should be held to.
Series Summary Table
| Post | Provider | Score | Key Finding |
|---|---|---|---|
| #1104 SendGrid EU Alternative | SendGrid (Twilio) | 19/25 | Delaware corp, Schrems II SCC gap |
| #1105 Mailgun EU Alternative | Mailgun (Sinch) | 17/25 | US operating entity in Swedish parent stack |
| #1106 Postmark EU Alternative | Postmark (ActiveCampaign) | 18/25 | Illinois corp, broad SaaS sub-processor chain |
| #1107 AWS SES EU Alternative | AWS SES (Amazon) | 21/25 | FISA §702 exposure + CIA contractor + US incorporation |
| #1108 SparkPost EU Alternative | SparkPost / Bird | 16/25 | Dutch parent, Delaware operating entity |
| #1109 (this post) | Comparison + EU Alternatives | — | MailerSend 0/25, Brevo 2/25, Scaleway 1/25 |
Deploy on EU-Native Infrastructure
The final piece of a fully EU-native stack is where you run your application code. If your backend processes email sends (building payloads, handling webhooks, storing delivery logs), it should also run on EU-native infrastructure.
sota.io is a managed PaaS built entirely on Hetzner Germany — no US parent, no CLOUD Act exposure, no SCCs required. Deploy any language (Node.js, Python, Go, Rust, Ruby, PHP) in minutes with a git push.
Your EU-native email stack: MailerSend for delivery + sota.io for your application server = zero CLOUD Act vectors in your email pipeline.