SparkPost EU Alternative 2026 — CLOUD Act Risk in Bird's Transactional Email API

Post #1108 in the sota.io EU Email API Compliance Series

SparkPost has an interesting corporate story that matters deeply for EU data protection compliance. In 2021, the Netherlands-based MessageBird BV acquired SparkPost for $600 million. MessageBird later rebranded to Bird. That makes Bird.com a Dutch company — headquartered in Amsterdam, listed on European exchanges, subject to the EU's Autoriteit Persoonsgegevens (AP).

So SparkPost is now European, right? Problem solved?

Not quite. SparkPost Inc. — the actual operating entity processing your transactional email — remains a Delaware corporation. And under 18 U.S.C. § 2703 (the Stored Communications Act) and the CLOUD Act, that Delaware registration is what matters. Not the nationality of the parent.

This post breaks down exactly why SparkPost/Bird scores 16 out of 25 on our CLOUD Act risk scale, how it compares to the other email APIs in this series, and which EU-native transactional email services have zero CLOUD Act exposure.

The EU-EMAIL-API-SERIE: Where SparkPost Fits

This is Post #5 in our six-part series analysing the CLOUD Act exposure of the most widely used transactional email APIs:

SparkPost scores lower than most because its parent is genuinely European. But the 16 points it does score come entirely from that Delaware subsidiary.

SparkPost Corporate History: From Delaware Spinoff to Dutch Acquisition

The Origin Story

SparkPost began life inside Message Systems, a Baltimore-based email infrastructure company known for its Momentum MTA software. In 2014, Message Systems spun off its cloud email service as an independent company: SparkPost Inc., incorporated in Delaware, headquartered in Columbia, Maryland.

Early investors included CRV (Cambridge, Massachusetts) and Constellation Brands. The company grew rapidly, acquiring companies like Port25 Solutions (message deliverability) and ElasticEmail in its early years.

By 2019, SparkPost processed approximately 37% of all legitimate commercial email in the world — a claim that made it simultaneously attractive to acquirers and a significant point of infrastructure concentration for the global internet.

The MessageBird Acquisition (November 2021)

MessageBird BV, founded in 2011 in Amsterdam, built its business as a communications platform (CPaaS) — SMS, voice, and chat APIs. Think of it as Europe's answer to Twilio.

In November 2021, MessageBird acquired SparkPost for $600 million in cash and stock. The stated rationale: adding email infrastructure to a platform that already handled SMS and voice.

Key structural point: The acquisition added SparkPost Inc. (Delaware) as a wholly-owned subsidiary of MessageBird BV (Netherlands). The US entity did not dissolve. SparkPost.com continued operating as a product, with its US staff, US data centres, and US corporate registration intact.

The Bird Rebrand (2023)

In 2023, MessageBird rebranded to Bird — a unified brand for the group's CPaaS and email products. SparkPost became "Bird's email product." The company moved its legal headquarters emphasis to Amsterdam but retained Bird US Inc. and SparkPost Inc. as US operating entities.

Current corporate structure (2026):

• Bird BV — Netherlands (Amsterdam) — Parent holding company
• Bird US Inc. — Delaware — US operations
• SparkPost Inc. — Delaware — Email infrastructure subsidiary
• SparkPost UK Ltd — England/Wales — UK operations

For GDPR and CLOUD Act purposes, the entity that processes your transactional email is still a US corporation.

CLOUD Act Risk Analysis: SparkPost / Bird

Score: 16/25

Let's break down the five scoring dimensions:

Dimension 1: Ultimate Beneficial Owner Jurisdiction (0–5)

Score: 2/5

Bird BV is the ultimate holding company, registered in Amsterdam. The Netherlands is an EU member state with an active data protection authority (Autoriteit Persoonsgegevens). The AP has issued significant GDPR fines, including against major platforms.

However, Bird maintains substantial US operations through multiple Delaware-registered entities. The holding structure provides some insulation, but CLOUD Act warrants target the US subsidiaries directly.

Compare: AWS SES parent is Amazon.com Inc. (Washington State) = 5/5. Postmark parent is ActiveCampaign (Delaware/Illinois) = 5/5.

Dimension 2: Operational Entity Jurisdiction (0–5)

Score: 5/5

SparkPost Inc. remains incorporated in Delaware and maintains US headquarters operations. Delaware incorporation is the most common trigger for CLOUD Act jurisdiction. US courts regularly issue 18 U.S.C. § 2703(d) orders and National Security Letters to Delaware-incorporated email companies.

There is no legal mechanism by which a Dutch parent company can shield a Delaware operating subsidiary from US law enforcement demands.

Dimension 3: Infrastructure and Data Residency (0–5)

Score: 4/5

SparkPost operates significant US infrastructure, including data centres in Virginia and Oregon. While EU data residency options are available (selecting EU regions routes email processing through EU data centres), the US infrastructure handles bounce processing, suppression lists, and deliverability analytics globally.

Critically: even with EU data residency enabled, your suppression lists and engagement data (opens, clicks) flow through SparkPost's US-accessible systems. A CLOUD Act warrant targeting SparkPost Inc. could compel disclosure of this metadata regardless of which data centre your messages were routed through.

Dimension 4: Prior Legal Process and Government Relationships (0–5)

Score: 3/5

No publicly disclosed CLOUD Act warrants specifically naming SparkPost Inc. (the company is private and not required to publish transparency reports). However:

• SparkPost's deliverability infrastructure means it processes email metadata for billions of messages per week, making it an attractive surveillance target
• MessageBird/Bird has received law enforcement requests across multiple jurisdictions (disclosed in aggregate in their transparency reports)
• The 2022 Twilio breach affected SparkPost customers indirectly (shared infrastructure partners) — demonstrating that major transactional email providers are targets of state-affiliated threat actors

Absence of disclosed CLOUD Act use ≠ absence of CLOUD Act exposure.

Dimension 5: EU Data Protection Regime Alignment (0–5)

Score: 2/5

Bird BV's Netherlands registration gives access to meaningful EU DPA oversight. The Autoriteit Persoonsgegevens actively investigates cross-border data transfers. Bird/SparkPost has implemented SCCs (Standard Contractual Clauses) for EU customers.

However, SCCs do not prevent CLOUD Act warrants. The Schrems II ruling (C-311/18) and subsequent EDPB guidance confirm: if a US subsidiary has access to EU-origin personal data, SCCs cannot block disclosure compelled by US national security orders. The FISA § 702 / Executive Order 12333 conflict with SCCs remains unresolved for all US-incorporated entities.

The SparkPost-Specific GDPR Risks You Need to Know

1. Transactional Email Contains Article 6 Sensitive Data

Every transactional email you send through SparkPost contains:

• Email address — personal data under GDPR Art. 4(1)
• Email content — potentially sensitive (medical notifications, financial alerts, legal correspondence)
• IP addresses — considered personal data by most EU DPAs
• Device fingerprints via tracking pixels — engagement data

If you're sending healthcare communications (HIPAA in the US, GDPR Art. 9 in the EU), SparkPost's open tracking pixels create a separate GDPR Art. 9 compliance issue entirely independent of CLOUD Act. A US court order compelling SparkPost Inc. to produce records could expose health-related engagement data.

2. Suppression Lists as a Data Retention Problem

SparkPost maintains suppression lists — records of email addresses that have unsubscribed or bounced. These lists are stored indefinitely by default and are considered "personal data" under GDPR.

A CLOUD Act warrant doesn't need to target your specific account. It can target SparkPost Inc.'s infrastructure, compelling the company to produce records for all accounts sending to a specific domain or email address. Your suppression list becomes a surveillance asset.

3. The Webhook Problem

SparkPost's webhook system delivers real-time event data to your servers. But it also stores this event data (clicks, opens, bounces, spam complaints) on SparkPost's own infrastructure for analytics.

This stored engagement data — including precise timestamps of when specific email addresses opened specific messages — is accessible to SparkPost Inc. and therefore subject to CLOUD Act demands. For companies sending legal notices, employment communications, or financial disclosures, this creates audit trail exposure under US discovery rules that may conflict with EU data minimisation requirements (GDPR Art. 5(1)(c)).

Bird BV vs SparkPost Inc.: Why the Corporate Structure Matters

This is the most important legal distinction in this post, and it's one that many EU compliance teams get wrong.

Bird BV (Netherlands) is the parent. SparkPost Inc. (Delaware) is the operating subsidiary.

Under the CLOUD Act, jurisdiction attaches to the entity in possession of the data — not the entity that owns that entity. When US law enforcement wants your email metadata from SparkPost, they don't serve Bird BV in Amsterdam. They serve SparkPost Inc. in Delaware.

SparkPost Inc. has only two legal responses to a valid CLOUD Act warrant:

1. Comply — produce the requested records
2. Invoke the comity provision — argue that complying would violate a "qualifying foreign government's" law

The comity provision (18 U.S.C. § 2523) requires a specific bilateral agreement between the US and the relevant country. The US-EU agreement under the EU-U.S. Data Privacy Framework does not establish a CLOUD Act comity relationship. As of 2026, no EU member state has a bilateral CLOUD Act agreement with the United States.

Result: SparkPost Inc. must comply with valid CLOUD Act warrants, and Bird BV's Dutch headquarters cannot prevent this.

Migration Guide: SparkPost to EU-Native Transactional Email

EU-Native Alternatives at a Glance

Note: Mailpace is UK-based (Ltd), which is post-Brexit and outside EU jurisdiction — not recommended for EU-regulated industries.

The EU-Native Clear Winner: MailerSend

MailerSend (operated by UAB Mailerlabs, Kaunas, Lithuania) consistently scores 0/25 on our CLOUD Act scale because:

• UAB (Uždaroji Akcinė Bendrovė) is a Lithuanian private limited company
• Ultimate beneficial owners are Lithuanian nationals (no US entity in the chain)
• No US data centres, no US subsidiaries
• European infrastructure only (EU-West data centres via Hetzner/OVH)
• GDPR Art. 28 Data Processing Agreement available and EU-law-governed

MailerSend also offers a SparkPost-compatible API layer for migrations.

Migration: SparkPost → MailerSend

Step 1: Export SparkPost Data

# Export suppression list
curl -X GET \
  "https://api.sparkpost.com/api/v1/suppression-list" \
  -H "Authorization: YOUR_SPARKPOST_API_KEY" \
  -H "Accept: text/csv" \
  > sparkpost_suppression_export.csv

# Export sending domains
curl -X GET \
  "https://api.sparkpost.com/api/v1/sending-domains" \
  -H "Authorization: YOUR_SPARKPOST_API_KEY" \
  | python3 -c "import json,sys; [print(d['domain']) for d in json.load(sys.stdin)['results']]"

# Export templates (if using stored templates)
curl -X GET \
  "https://api.sparkpost.com/api/v1/templates" \
  -H "Authorization: YOUR_SPARKPOST_API_KEY" \
  > sparkpost_templates.json

Step 2: Set Up MailerSend

# Install MailerSend SDK (Node.js)
npm install mailersend

# Python
pip install mailersend

Step 3: Migrate Sending Code

SparkPost uses substitution_data; MailerSend uses variables — structurally identical.

// Before: SparkPost
const sparkpost = require('sparkpost');
const client = new sparkpost.SparkPost('YOUR_SPARKPOST_KEY');

await client.transmissions.send({
  content: {
    template_id: 'welcome-email',
  },
  substitution_data: {
    name: 'Alice',
    company: 'ACME GmbH'
  },
  recipients: [{ address: 'alice@example.de' }]
});

// After: MailerSend
const { MailerSend, EmailParams, Sender, Recipient } = require('mailersend');
const mailerSend = new MailerSend({ apiKey: 'YOUR_MAILERSEND_KEY' });

const emailParams = new EmailParams()
  .setFrom(new Sender('noreply@yourapp.eu', 'Your App'))
  .setTo([new Recipient('alice@example.de', 'Alice')])
  .setTemplateId('YOUR_MAILERSEND_TEMPLATE_ID')
  .setPersonalization([{
    email: 'alice@example.de',
    data: { name: 'Alice', company: 'ACME GmbH' }
  }]);

await mailerSend.email.send(emailParams);

Step 4: Migrate SparkPost Webhooks

SparkPost webhooks post JSON event batches; MailerSend uses the same pattern.

// SparkPost webhook payload (before)
// POST /webhooks/sparkpost
app.post('/webhooks/sparkpost', (req, res) => {
  const events = req.body;
  for (const event of events) {
    if (event.msys.message_event?.type === 'bounce') {
      handleBounce(event.msys.message_event.rcpt_to);
    }
    if (event.msys.message_event?.type === 'open') {
      handleOpen(event.msys.message_event.rcpt_to);
    }
  }
  res.status(200).send('OK');
});

// MailerSend webhook payload (after)
// POST /webhooks/mailersend
app.post('/webhooks/mailersend', (req, res) => {
  const { type, data } = req.body;
  if (type === 'activity.bounced') {
    handleBounce(data.email);
  }
  if (type === 'activity.opened') {
    handleOpen(data.email);
  }
  res.status(200).send('OK');
});

Step 5: Import Suppression List to MailerSend

import csv
import requests

MAILERSEND_API_KEY = 'YOUR_MAILERSEND_KEY'
headers = {
    'Authorization': f'Bearer {MAILERSEND_API_KEY}',
    'Content-Type': 'application/json'
}

# Read SparkPost export
with open('sparkpost_suppression_export.csv', 'r') as f:
    reader = csv.DictReader(f)
    batch = []
    for row in reader:
        batch.append({
            'email': row['email'],
            'reason': 'Customer unsubscribed (migrated from SparkPost)'
        })
        # MailerSend accepts batches of 1000
        if len(batch) == 1000:
            requests.post(
                'https://api.mailersend.com/v1/suppressions/unsubscribes',
                headers=headers,
                json={'suppression_list': batch}
            )
            batch = []

    if batch:  # flush remaining
        requests.post(
            'https://api.mailersend.com/v1/suppressions/unsubscribes',
            headers=headers,
            json={'suppression_list': batch}
        )

SparkPost (Bird) vs AWS SES: When the US-Subsidiary Risk Is Similar

A common migration path we see: teams replacing AWS SES with SparkPost/Bird, believing the Dutch parent makes it more GDPR-friendly.

While Bird BV's EU headquarters is a genuine improvement over Amazon.com Inc.'s Washington State registration, the operational difference is smaller than it appears:

The 5-point difference reflects the EU parent and lower government contract exposure. But both are Delaware-incorporated operating entities. Both are subject to CLOUD Act warrants. Both require EU customers to rely on SCCs that cannot block national security orders.

For developers migrating away from AWS SES for GDPR reasons: migrating to SparkPost reduces risk but does not eliminate it. Only migrating to a fully EU-native provider (MailerSend, Brevo, Scaleway) achieves zero CLOUD Act exposure.

GDPR Article 28: What Your Data Processing Agreement Must Cover

When using SparkPost/Bird, your DPA with Bird BV must address:

Clause 1: Subject matter
→ Processing of transactional email data (To/From/Subject metadata,
  engagement events) on behalf of EU data controller

Clause 2: Duration
→ Duration of your subscription + 30-day deletion window

Clause 3: Nature and purpose
→ Email delivery and deliverability analytics

Clause 4: Type of personal data
→ Email addresses, device fingerprints, IP addresses,
  engagement timestamps

Clause 5: Categories of data subjects
→ Your end users / customers / employees

Clause 6: Sub-processors
→ Must disclose SparkPost Inc. (Delaware) and all US infrastructure
  providers. Failure to disclose the Delaware subsidiary as a
  sub-processor violates GDPR Art. 28(3)(d).

⚠️  CRITICAL: If Bird BV's DPA does not list SparkPost Inc. (Delaware)
as a sub-processor, the DPA is incomplete. Request an updated DPA or
switch providers.

EU Email API Series: Complete CLOUD Act Risk Matrix

After analysing five providers in this series, here's the full picture before the final comparison post:

Pattern: Every major transactional email provider with roots in the US market maintains a Delaware-incorporated operating entity. Delaware incorporation = CLOUD Act jurisdiction. The EU parent of Bird/SparkPost reduces systemic risk compared to pure-US companies but cannot eliminate the core legal exposure.

Next post in this series: EU Email API Comparison Finale — a complete decision framework for EU-regulated businesses choosing a transactional email provider.

Why sota.io Uses EU-Native Infrastructure

At sota.io, we deploy on Hetzner (Germany) exclusively. Our platform processes deployment pipelines and build logs — data that can include environment variables, API keys, and database credentials. We couldn't route this through Delaware-incorporated entities even if we wanted to.

If you're building EU-compliant applications and need a platform that gives you zero CLOUD Act exposure at the infrastructure level — not just for email, but for your entire application stack — sota.io is designed for exactly that.

Deploy to EU infrastructure today → sota.io

Quick Reference: SparkPost / Bird CLOUD Act Facts