2026-05-17·5 min read·sota.io Team

Mailgun EU Alternative 2026: Sinch Acquisition Doesn't Remove CLOUD Act Risk

Post #1105 in the sota.io EU Email API Series — Series Post 2/6

When Sinch AB acquired Mailgun in 2021, some European developers assumed the CLOUD Act risk had been resolved. The logic seemed reasonable: Sinch is a Swedish company, listed on Nasdaq Stockholm, with deep EU roots. If a Swedish company owns Mailgun, doesn't Swedish law govern?

It does not. The operating entity that processes your email — Mailgun Technologies, Inc. — remains incorporated in Delaware, United States. A CLOUD Act warrant is served on that entity. Sinch AB's Swedish headquarters does not insulate the US subsidiary from US federal court orders.

This is the second post in our EU Email API Series — a six-post analysis of the major transactional email providers, their CLOUD Act exposure, and what EU-native alternatives exist for GDPR-compliant email delivery.

Company Profile: Mailgun Technologies, Inc. / Sinch AB

Legal entity (operating): Mailgun Technologies, Inc.
Incorporation: Delaware Corporation
HQ: 112 E Pecan St, Suite 1135, San Antonio, TX 78205
Parent company: Sinch AB
Parent HQ: Lindhagensgatan 74, Stockholm, Sweden
Parent listing: Nasdaq Stockholm: SINCH
Acquisition: ~$100M cash, closed December 2021
Founded: 2010 (as Rackspace Email service)
Spun off: 2017 (Mailgun Technologies, Inc. incorporated in Delaware)
Prior acquisition: Pathwire LLC (formerly Mailgun, 2019–2021)
Annual revenue (Sinch group): ~$697M USD (2023)
EU data center regions: AWS eu-west-1 (Ireland) — US regions are default
EU DPA / legal representative: Sinch Communications AB (contractual only)

The ownership chain matters for CLOUD Act analysis:

  1. Sinch AB (Sweden, public) → owns → Mailgun Technologies, Inc. (Delaware, private subsidiary)
  2. Mailgun Technologies, Inc. operates the Mailgun API, stores email data, controls the infrastructure
  3. US federal court → issues §2703 CLOUD Act order → Mailgun Technologies, Inc. (the US entity)
  4. Sinch AB's Swedish domicile is irrelevant — the warrant is served on the US operating entity

This is a common misunderstanding with cross-border acquisitions. The acquiring parent's jurisdiction does not automatically apply to the acquired US subsidiary. Mailgun Technologies, Inc. is a US person under US law, subject to US federal court jurisdiction.

CLOUD Act Risk Score: 17/25

| Dimension | Score | Rationale |
| --- | --- | --- |
| Parent Jurisdiction | 4/5 | Operating entity is Mailgun Technologies, Inc. (Delaware); Swedish parent Sinch AB does not shield US subsidiary |
| CLOUD Act Coverage | 5/5 | Mailgun is a provider of electronic communication service under 18 U.S.C. §2711 |
| Sub-processor Chain | 3/5 | AWS us-east-1 (default), eu-west-1 (opt-in); US-region default increases exposure |
| Data Category | 3/5 | Email payload, recipient PII, delivery events, open/click tracking, suppression lists |
| Contractual Safeguards | 2/5 | SCCs available but CLOUD Act pre-empts SCCs for US government compulsion |
| Total | 17/25 | High-risk provider for EU personal data |

A score of 17/25 places Mailgun in the same risk tier as JumpCloud (19/25) and above Prismic (9/25). The Swedish parent ownership reduces the score by 2 points compared to a fully US-headquartered provider — but only marginally, because the US operating entity is the legally actionable party.

The Sinch Acquisition: What Changed and What Did Not

After Sinch AB completed its acquisition of Mailgun Technologies, Inc. in December 2021, several things changed:

What changed:

What did not change:

The DPA structure is particularly important. Your Data Processing Agreement is signed with Sinch Communications AB — but the actual data processing, storage, and retrieval happens in Mailgun Technologies, Inc.'s systems. When a US federal magistrate issues a §2703 order, it goes to Mailgun Technologies, Inc., not to Sinch Communications AB. Sinch Communications AB's Swedish domicile creates no legal barrier.

Why "EU Region" Does Not Fix the CLOUD Act Problem

Mailgun offers an EU data region (eu-west-1, Ireland) as an opt-in configuration. This is documented in their API settings. The critical limitation: selecting the EU region changes where data is stored at rest — it does not change which legal system governs compelled disclosure.

Under the CLOUD Act (18 U.S.C. §2703), a US federal court can compel any US electronic communication service provider to produce data in its "possession, custody, or control" regardless of where that data is physically located. Mailgun Technologies, Inc. controls the eu-west-1 cluster. The warrant is served on Mailgun Technologies, Inc. The data in Ireland is produced.

The European Court of Justice established in Schrems II (C-311/18, 2020) that Standard Contractual Clauses cannot protect against lawful government access by the data importer's home jurisdiction. Mailgun's SCCs do not limit CLOUD Act reach.

Additionally: Mailgun's EU region is not the default. Unless you explicitly configure MAILGUN_REGION=eu in your client or select the EU sending domain in the control panel, your data flows through US regions. Most Mailgun integrations are configured once, early in development, and never revisited. The likelihood that a European SaaS team has correctly configured the EU region — and verified it persists across API version upgrades — is low.

GDPR Articles Implicated

Art. 28 — Processor Obligations: Your DPA is signed with Sinch Communications AB. Mailgun Technologies, Inc. must appear as a listed sub-processor. If a CLOUD Act warrant is executed on Mailgun Technologies, Inc., the resulting disclosure constitutes processing outside the terms of your DPA — you are the responsible controller.

Art. 44–49 — Third Country Transfers: EU-to-US transfers via Mailgun rely on SCCs (Sinch Communications AB as processor, with Mailgun Technologies, Inc. as onward sub-processor). Schrems II established that SCCs cannot protect against US government access. Supplementary measures (encryption, pseudonymization) are impractical when Mailgun itself holds the keys for retry and delivery.

Art. 5(1)(f) — Integrity and Confidentiality: CLOUD Act warrants are often accompanied by gag orders under 18 U.S.C. §2705(b), legally prohibiting Mailgun from notifying you that your users' email data was disclosed. You cannot fulfill your Art. 33/34 notification obligations for a breach you are legally prevented from knowing about.

Art. 32 — Security: Password reset tokens, authentication codes, financial notification emails — all transit through Mailgun's infrastructure. A CLOUD Act disclosure of these payloads is a security incident with direct account-takeover implications.

What Transactional Email Data Is at Risk

| Data Type | CLOUD Act Risk |
| --- | --- |
| Recipient email addresses | ✗ High — directly identifiable PII |
| Display names in email headers | ✗ High — name + email = uniquely identifiable |
| Email body content | ✗ High — stored 3–7 days for retry logic |
| Click tracking events | ✗ Medium — behavioral PII tied to recipient |
| Open tracking events | ✗ Medium — implies user actions, IP address at open time |
| Suppression / unsubscribe lists | ✗ Medium — consent record with GDPR implications |
| Bounce lists | ✗ Low–Medium — reveals email validity |
| Password reset tokens (in body) | ✗ Very High — account takeover vector if disclosed |
| OTP codes (in body) | ✗ Very High — authentication bypass vector |
| Webhook signing keys | ✗ Medium — enables spoofing if disclosed |

Mailgun retains email body content for 3 days by default for delivery retry logic, and up to 30 days if log storage is enabled. This retention window is the primary CLOUD Act exposure surface.

EU-Native Transactional Email Alternatives

| Provider | HQ | Legal entity | CLOUD Act | Notes |
| --- | --- | --- | --- | --- |
| Brevo (ex-Sendinblue) | Paris, France | Sendinblue SAS | ✅ None | French SAS. Bpifrance (state-backed) investor. CLOUD Act Score 2/25. |
| MailerSend | Vilnius, Lithuania | MailerSend UAB | ✅ None | Lithuanian UAB (private limited). Mailgun API-compatible. |
| Scaleway Transactional Email | Paris, France | Scaleway SAS | ✅ None | Iliad Group subsidiary. French infrastructure. |
| IONOS Email | Montabaur, Germany | 1&1 IONOS SE | ✅ None | German public company (Deutsche Telekom partial stake). |
| Postal | Open-source | N/A (self-hosted) | ✅ None | Self-hosted MTA. Full control. Requires ops maturity. |

Brevo (Sendinblue SAS) — CLOUD Act Score: 2/25

Brevo is the strongest EU-native alternative to Mailgun for transactional email. Sendinblue SAS is a French Société par Actions Simplifiée — the French equivalent of a joint-stock company. Investors include Bpifrance (French state-backed public investment bank) and PARTECH (Paris-based). No US institutional investor holds a controlling position.

Brevo's Transactional Email API is broadly compatible with Mailgun's API semantics. Both support SMTP and REST. Client libraries exist for Python, Node.js, PHP, Go, and Ruby. EU data residency is default (AWS eu-west-3, Paris) rather than an opt-in.

MailerSend (MailerSend UAB) — CLOUD Act Score: 1/25

MailerSend is operated by MailerSend UAB, a Lithuanian UAB (Uždaroji akcinė bendrovė — private limited company). Same team as MailerLite. No US parent entity. EU-hosted by default.

MailerSend explicitly positions itself as a Mailgun alternative with a compatible API structure. They offer a free tier (3,000 emails/month), competitive pricing for SMBs, and a webhook system compatible with most Mailgun webhook handlers. Migration from Mailgun typically requires only DNS updates (MX/SPF/DKIM) and a client library swap.

# Mailgun (before): HTTP API with basic auth; api.mailgun.net is the US endpoint
import requests

requests.post(
    "https://api.mailgun.net/v3/mg.yourdomain.com/messages",
    auth=("api", "key-xxx"),
    data={
        "from": "noreply@yourdomain.com",
        "to": ["user@example.com"],
        "subject": "Welcome",
        "text": "Hello World",
    },
    timeout=30,
)

# MailerSend (after — EU-native UAB Lithuania)
from mailersend import emails

mailer = emails.NewEmail("mlsn.xxx")  # API token, passed positionally
mail_body = {}  # the set_* helpers below fill this dict in place
mailer.set_mail_from({"email": "noreply@yourdomain.com"}, mail_body)
mailer.set_mail_to([{"email": "user@example.com"}], mail_body)
mailer.set_subject("Welcome", mail_body)
mailer.set_plaintext_content("Hello World", mail_body)
mailer.send(mail_body)

Migration: Mailgun to EU-Native Provider

Step 1: Audit current Mailgun configuration

# Check which region your Mailgun is using
# US region (default): api.mailgun.net
# EU region (opt-in):  api.eu.mailgun.net
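# -i on the first grep so MAILGUN_* variable names match as well as hostnames
grep -ri "mailgun" config/ --include="*.env" --include="*.yaml" --include="*.yml" | grep -i "region\|host\|url\|api\."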

# If you see api.mailgun.net → your data is in US regions
# If you see api.eu.mailgun.net → your data is in EU region
# Either way: Mailgun Technologies, Inc. (Delaware) is still the operating entity

Step 2: Export suppression lists

# Export your Mailgun unsubscribes, bounces, and complaints
# before migrating — these are your GDPR consent records.
# Use api.eu.mailgun.net instead if your domain is in the EU region.
curl -s --user "api:YOUR_KEY" \
  "https://api.mailgun.net/v3/YOUR_DOMAIN/unsubscribes" > unsubscribes.json

curl -s --user "api:YOUR_KEY" \
  "https://api.mailgun.net/v3/YOUR_DOMAIN/bounces" > bounces.json

curl -s --user "api:YOUR_KEY" \
  "https://api.mailgun.net/v3/YOUR_DOMAIN/complaints" > complaints.json

Step 3: Update DNS records for new provider

# Remove Mailgun DKIM/SPF records
# Add new provider records — example for Brevo:
yourdomain.com.  TXT  "v=spf1 include:spf.brevo.com ~all"
mail._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=<brevo-dkim-key>"
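
A check for the Step 3 cutover, added here as an example (not code from sota.io, Brevo or Mailgun): it audits a domain's TXT records for the SPF states a migration tends to leave behind. `spf.brevo.com` comes from the record above; `mailgun.org` as the retired include is an assumption, so substitute whatever your zone currently publishes.

```python
from typing import Iterable, List

def spf_includes(record: str) -> List[str]:
    """Domains named by include: mechanisms, with any +,-,~,? qualifier stripped."""
    out = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("include:"):
            out.append(mech[len("include:"):].rstrip("."))
    return out

def audit_spf(txt_records: Iterable[str], required: str, retired: Iterable[str]) -> List[str]:
    """Return findings for one domain's TXT records; an empty list means clean."""
    spf = [r.strip() for r in txt_records if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple v=spf1 records: evaluation ends in permerror (RFC 7208 4.5)")
    includes = {d for rec in spf for d in spf_includes(rec)}
    if required not in includes:
        findings.append(f"new provider include:{required} is missing")
    for old in retired:
        if old in includes:
            findings.append(f"retired include:{old} still authorises the old provider")
    for rec in spf:
        if any(t.lower() in ("all", "+all") for t in rec.split()[1:]):
            findings.append("record ends in +all: any host passes SPF")
    return findings

NEW = "spf.brevo.com"   # from the Step 3 record
OLD = ["mailgun.org"]   # assumed legacy include; use the value in your own zone

# Constructed TXT record sets (record text without the surrounding quotes)
DURING = ["v=spf1 include:mailgun.org ~all",
          "v=spf1 include:spf.brevo.com ~all",
          "site-verification=constructed-value"]
MERGED = ["v=spf1 include:mailgun.org include:spf.brevo.com ~all"]
AFTER = ["v=spf1 include:spf.brevo.com ~all"]

if __name__ == "__main__":
    for name, records in (("during", DURING), ("merged", MERGED), ("after", AFTER)):
        print(name, audit_spf(records, NEW, OLD) or "clean")
```
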

Step 4: Import suppression lists to new provider

Most EU-native providers (Brevo, MailerSend) accept suppression list imports via API or CSV. Import your exported lists before sending any transactional email through the new provider to avoid re-sending to opted-out addresses.
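
Steps 2 and 4 as one added example (not Mailgun's or sota.io's code): a single request returns only one page of a paginated list, so this follows the paging links for each list and merges the three into one address-to-reason map to import before the first send. The `items` / `paging.next` response shape, the `limit=1000` parameter and the precedence in `RANK` are assumptions to confirm against your account; the sample pages are constructed.

```python
from typing import Callable, Dict, Iterator

API = "https://api.mailgun.net/v3"  # api.eu.mailgun.net for EU-region domains
RANK = {"bounces": 1, "unsubscribes": 2, "complaints": 3}  # assumed: strongest opt-out wins

def iter_records(url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every record, following paging.next until a page comes back empty."""
    seen = set()
    while url:
        if url in seen:  # a repeating cursor must fail loudly, not truncate silently
            raise RuntimeError(f"paging loop at {url}")
        seen.add(url)
        page = fetch(url)
        if not page.get("items"):
            return
        yield from page["items"]
        url = page.get("paging", {}).get("next")

def export_suppressions(domain: str, fetch: Callable[[str], dict]) -> Dict[str, str]:
    """Return {lower-cased address: list name}, merged across all three lists."""
    merged: Dict[str, str] = {}
    for kind in RANK:
        for rec in iter_records(f"{API}/{domain}/{kind}?limit=1000", fetch):
            addr = rec["address"].strip().lower()
            if RANK[kind] > RANK.get(merged.get(addr, ""), 0):
                merged[addr] = kind
    return merged

def http_fetch(api_key: str) -> Callable[[str], dict]:
    """Live fetcher using the same basic auth as the curl commands (needs requests)."""
    import requests
    def fetch(url: str) -> dict:
        resp = requests.get(url, auth=("api", api_key), timeout=30)
        resp.raise_for_status()
        return resp.json()
    return fetch

def _page(addrs, nxt=None):  # constructed API response so the example runs offline
    return {"items": [{"address": a} for a in addrs], "paging": {"next": nxt} if nxt else {}}
_B = f"{API}/example.test"
SAMPLE = {
    f"{_B}/bounces?limit=1000": _page(["a@example.com", "b@example.com"], f"{_B}/bounces?p=2"),
    f"{_B}/bounces?p=2": _page(["c@example.com"], f"{_B}/bounces?p=3"),
    f"{_B}/bounces?p=3": _page([], f"{_B}/bounces?p=3"),
    f"{_B}/unsubscribes?limit=1000": _page(["B@Example.com"]),
    f"{_B}/complaints?limit=1000": _page([]),
}
def demo() -> Dict[str, str]:
    return export_suppressions("example.test", SAMPLE.__getitem__)
```

For a live export, call `export_suppressions("YOUR_DOMAIN", http_fetch("YOUR_KEY"))` and write the result in the import format your new provider accepts.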

Step 5: Update your GDPR Records of Processing Activities (ROPA)

Under Art. 30 GDPR, you must maintain records of processing activities. Switching email providers is a change in your sub-processor chain — update your ROPA to reflect the new processor, their legal entity, and their jurisdiction.

GDPR Compliance Checklist for Transactional Email Migrations

The EU Email API Series

This is post 2 of 6 in our EU Email API Series analyzing CLOUD Act exposure across the major transactional email platforms used by European SaaS developers:

  1. SendGrid (Twilio Inc., Delaware) — CLOUD Act Score 19/25 → read post
  2. Mailgun (Mailgun Technologies Inc., Delaware / Sinch AB) — CLOUD Act Score 17/25 ← this post
  3. Postmark (Wildbit LLC / ActiveCampaign) — CLOUD Act analysis coming
  4. SparkPost (Bird, formerly MessageBird) — CLOUD Act analysis coming
  5. Amazon SES (Amazon.com Inc., Delaware) — CLOUD Act analysis coming
  6. Comparison Finale — Full matrix + migration decision framework coming

For EU-native managed infrastructure — including managed databases, build pipelines, and app hosting — sota.io provides an EU-native PaaS alternative to Railway and Render with no US parent entity and no CLOUD Act exposure.
