2026-05-11·5 min read·sota.io Team

WooCommerce EU Alternative 2026: Automattic Is a US Delaware Corporation and the CLOUD Act Applies

Post #2 in the sota.io EU E-Commerce Platform Series


WooCommerce is the world's most installed e-commerce plugin, powering an estimated 36–40% of all online stores. It is open-source software — distributed under GPLv3, free to download, and deployable on any server worldwide. For many EU businesses, this creates an impression of jurisdictional neutrality: WooCommerce is just code, and code has no nationality.

This impression is partially correct and significantly misleading. WooCommerce the plugin is indeed open source. But WooCommerce the company is Automattic Inc. — a Delaware corporation headquartered in San Francisco, California. Automattic operates WordPress.com, WooCommerce.com (the commercial extensions and subscriptions marketplace), WooPayments, the Jetpack plugin ecosystem, and the WordPress VIP enterprise platform. Every one of these is a US-operated service, and every one is subject to the US CLOUD Act.

The compliance question is therefore not about the WooCommerce plugin. It is about which Automattic-operated services your store depends on, and whether any of that data flows through US-controlled infrastructure.


Automattic Inc.: Corporate Structure and US Jurisdiction

Automattic Inc. was founded in 2005 by Matt Mullenweg in San Francisco, California. The company is incorporated in Delaware as a US C-Corporation. Its principal office is at 60 29th Street #343, San Francisco, CA 94110. Automattic is a private company and has not disclosed its exact revenue, but has been valued at approximately $7.5 billion in its most recent funding round (2021).

The corporate structure relevant for EU data protection purposes includes several entities:

| Entity | Jurisdiction | Role |
|---|---|---|
| Automattic Inc. | Delaware, USA (San Francisco HQ) | Ultimate parent — US person |
| Aut O'Mattic Ltd | Dublin, Ireland | EU data processor and contractual counterparty |
| WooCommerce Ltd | Dublin, Ireland | WooCommerce EU subsidiary |
| Automattic Inc. (US data infrastructure) | California, USA | WordPress.com, WooCommerce.com servers |
| Stripe Inc. (subprocessor for WooPayments) | Delaware, USA | US payment data controller |

The presence of Irish subsidiaries in Dublin does not change the CLOUD Act analysis. The relevant entity for CLOUD Act purposes is the US parent, Automattic Inc., which maintains control over data held by its subsidiaries. A US court order or FBI National Security Letter is directed at the US parent and requires it to produce data regardless of where that data is physically stored.


The CLOUD Act and Automattic's US Status

The Clarifying Lawful Overseas Use of Data Act (18 U.S.C. §2713), enacted in 2018, requires US providers of electronic communications services to preserve, backup, or disclose data under US legal process regardless of where that data is stored globally. The statute explicitly negates the territorial limitation of the Stored Communications Act that had previously been litigated in the Microsoft Ireland case.

Automattic Inc. satisfies the CLOUD Act definition of a covered provider:

This means that when a US government agency — the FBI, the Department of Justice, or any agency with compelled-disclosure authority — issues legal process to Automattic Inc. for data related to an EU merchant or their customers, Automattic is legally required to produce that data. The data's physical location in an EU data centre does not affect this obligation.

This is not a theoretical risk. US law enforcement agencies regularly issue compelled-disclosure orders to US technology companies for data related to non-US persons. The CLOUD Act was specifically designed to remove the legal uncertainty that had previously existed around cross-border data requests.


What Automattic Actually Operates: Hosted vs. Self-Hosted

The CLOUD Act risk depends entirely on which Automattic products you use. The distinction is critical:

Services That Carry CLOUD Act Exposure

WordPress.com (automattic.com/products/wordpress-com): The hosted WordPress platform. Websites hosted at wordpress.com, including those using WooCommerce via the commerce plans, are stored on Automattic-operated servers. All data — site content, visitor data, customer data — is subject to Automattic's US parent jurisdiction.

WooCommerce.com / Woo Marketplace: The commercial extensions marketplace where merchants purchase premium plugins, themes, and extensions. Account data, purchase history, and licence keys are stored on Automattic-operated infrastructure. The subscription API that validates licences calls back to Automattic servers.

WooPayments (WooCommerce Payments): The built-in payment solution for WooCommerce. WooPayments is powered by Stripe (specifically Stripe Technology Europe Ltd for EU merchants, but with Stripe Inc. (Delaware) as the ultimate parent). Payment data flows through Stripe's infrastructure, creating a second layer of US jurisdiction exposure on top of Automattic's.

WordPress VIP: The enterprise-grade managed WordPress platform. VIP runs on a combination of cloud infrastructure providers and is operated by Automattic. VIP customers include major media companies and enterprises. All data is under Automattic's operational control.

Jetpack: The analytics, security, and performance plugin that hundreds of millions of WordPress sites have installed. Jetpack phones home to Automattic's servers for most of its features. If Jetpack is active on your store, traffic data and site data pass through Automattic-controlled infrastructure.

Akismet: The spam-filtering service. Comments submitted on WordPress sites with Akismet enabled are sent to Automattic's cloud for processing. Customer reviews on a WooCommerce store — including potentially sensitive customer information in review text — transit Automattic's US-controlled servers.

The Self-Hosted Alternative

Self-hosted WordPress + WooCommerce on EU infrastructure is fundamentally different from the above. If you:

...then Automattic has no access to your data and the CLOUD Act does not apply to your deployment. The plugin itself is open source and legally separate from Automattic's services.

This self-hosted path is genuine but requires technical capability and ongoing maintenance. The one-click WordPress.com setup does not carry these protections.


The WP Engine Dispute and Open-Source Governance Risk

In September 2024, Matt Mullenweg — Automattic's founder and CEO, and simultaneously the chairman of the WordPress Foundation — launched a public dispute with WP Engine, a large WordPress-focused managed hosting provider. Mullenweg accused WP Engine of not contributing sufficiently to the WordPress open-source project and blocked WP Engine from accessing WordPress.org infrastructure.

This incident has significant implications for EU businesses relying on "open-source" WordPress/WooCommerce:

Centralised control over infrastructure: WordPress.org — including the plugin update mechanism that all WordPress installations use by default — is effectively controlled by Automattic and Matt Mullenweg personally. The September 2024 dispute demonstrated that this control can be exercised to restrict access.

Update supply chain risk: WooCommerce plugin updates are distributed through WordPress.org's plugin repository. If Automattic were to apply the same treatment to a hosting provider or service used by your store, your ability to receive security updates could be disrupted.

GDPR implications: A governance dispute at the application layer of your e-commerce platform creates operational risk that GDPR's Article 32 (security of processing) and Article 28 (processor contracts) require organisations to manage. If the plugin update channel is disrupted, security patches cannot be applied promptly — creating measurable GDPR risk.

The open-source commons is not the company: The WordPress project and Automattic Inc. are legally distinct, but they are operationally entangled in ways that the September 2024 dispute made publicly visible. For GDPR compliance purposes, this entanglement must be assessed, not assumed away.


Automattic's Data Protection Framework

Automattic provides a Data Processing Agreement (DPA) for its commercial services, primarily through the Aut O'Mattic Ltd (Dublin) entity for EU customers. The framework includes:

Standard Contractual Clauses (SCCs): Automattic uses the European Commission's Standard Contractual Clauses (2021 version) for transfers of EU personal data to its US parent. SCCs provide a legal mechanism for the transfer but do not override US legal process obligations.

Privacy Policy and GDPR Compliance: WordPress.com and WooCommerce.com publish GDPR compliance documentation and provide data subject rights mechanisms.

Sub-processor list: Automattic maintains and publishes a list of sub-processors. At the time of writing, this includes Amazon Web Services, Google Cloud Platform, and other US-based infrastructure providers.

The contractual framework is in place. The structural risk — that a US court order to Automattic Inc. supersedes contractual obligations to EU customers — cannot be resolved through DPAs or SCCs. This is the same structural gap that applies to every US-headquartered technology company.

Post-Schrems II Supervisory Signals

Following the Schrems II ruling (Case C-311/18, July 2020), EU data protection authorities have consistently held that SCCs alone are insufficient when a US company cannot demonstrate that it is able to resist or challenge US government access requests in practice. Automattic, as a Delaware corporation operating under US law, has no practical ability to refuse a properly issued CLOUD Act order. This is not a criticism of Automattic specifically — it applies equally to any US company.

EU DPAs examining US e-commerce platforms have found, in the context of Google Analytics and Meta Pixel cases, that the mere theoretical possibility of US access renders transfers non-compliant. The same analysis applies to Automattic-hosted services.


WooPayments: The Stripe Data Layer

WooPayments, Automattic's first-party payment solution for WooCommerce, is built on Stripe infrastructure. Payment data — including cardholder names, billing addresses, payment method details (tokenised), and transaction metadata — flows through Stripe's processing infrastructure.

The relevant Stripe entities for EU merchants are:

| Entity | Jurisdiction | Role |
|---|---|---|
| Stripe Technology Europe Ltd | Dublin, Ireland | EU data controller for payment processing |
| Stripe Payments Europe Ltd | Dublin, Ireland | EU licensed payment institution |
| Stripe Inc. | Delaware, USA | Ultimate parent — US person |

The Dublin entities are registered with the Central Bank of Ireland as payment institutions and act as EU-facing controllers. However, Stripe Inc. (Delaware) is the US parent and is subject to the CLOUD Act for all data held by or accessible to Stripe globally.

For WooCommerce stores using WooPayments, this creates a dual US jurisdiction exposure: Automattic Inc. for store/customer data, and Stripe Inc. for payment data. Both are Delaware corporations subject to US legal process.

EU-native payment alternatives that avoid this exposure include:


GDPR Risk Assessment: A Two-Track Analysis

The WooCommerce GDPR risk assessment splits cleanly into two tracks:

Track 1: Automattic-Hosted Services (WordPress.com, WooPayments, VIP)

| Risk Factor | Assessment |
|---|---|
| CLOUD Act applicability | HIGH — Automattic Inc. is a US person |
| Data residency in EU | POSSIBLE but does not override CLOUD Act |
| US government access risk | MATERIAL — standard US legal process applies |
| SCCs in place | YES — but do not override CLOUD Act |
| EU supervisory authority exposure | HIGH — consistent with post-Schrems II analysis |
| Overall GDPR risk | HIGH |

Track 2: Self-Hosted WordPress + WooCommerce on EU Infrastructure

| Risk Factor | Assessment |
|---|---|
| CLOUD Act applicability | NOT APPLICABLE — Automattic does not control your server |
| Data residency in EU | ACHIEVABLE with EU hosting provider |
| US government access risk | NOT APPLICABLE to your store data |
| WordPress.org plugin dependency | LOW — plugin repo dependency can be mitigated |
| WooPayments dependency | AVOIDABLE — use EU-native payment processor |
| Overall GDPR risk | LOW to MEDIUM (depends on plugin choices) |

EU-Native Alternatives to WooCommerce

For EU businesses that require jurisdictional certainty and cannot manage the technical requirements of self-hosted WordPress/WooCommerce, the following EU-native platforms offer genuine alternatives:

Shopware AG — Schöppingen, North Rhine-Westphalia, Germany

Shopware AG is a German stock corporation (Aktiengesellschaft) incorporated and headquartered in Schöppingen, NRW. It was founded in 2000 and remains independent, family-owned (Hamann family). Shopware is the market leader for German-speaking e-commerce and has a significant presence across DACH, France, and the Netherlands.

Key EU credentials:

Shopware is particularly well-suited for mid-market B2C and B2B commerce in Europe. Its B2B Commerce Suite is one of the most mature in the market. The platform is technically comparable to WooCommerce for a broad range of use cases.

PrestaShop SA — Paris, France (French SA)

PrestaShop SA is a French société anonyme (SA) incorporated in Paris. Since 2022 it has been majority-owned by MerchantPro Group, a Romanian tech investment group. PrestaShop was previously backed by Softbank and is now independently operated.

Key EU credentials:

PrestaShop has a large community in France, Spain, Poland, and Latin America. It is a strong choice for cross-border EU commerce.

Medusa Commerce ApS — Copenhagen, Denmark

Medusa Commerce ApS is a Danish private limited company (anpartsselskab) incorporated in Copenhagen. Medusa is an open-source, headless commerce framework funded by investors including Notion Capital and Bain Capital Ventures.

Note: Bain Capital Ventures is a US fund. However, Medusa itself is a Danish company, and the platform is open-source software that can be self-hosted entirely on EU infrastructure without any ongoing dependency on Medusa ApS services.

Key EU credentials:

Medusa is best suited for technical teams building custom commerce experiences. It is not a hosted SaaS — it requires development resources.

Sylius sp. z o.o. — Warsaw, Poland

Sylius is a Polish private limited company (spółka z ograniczoną odpowiedzialnością — sp. z o.o.) based in Warsaw. Sylius is a Symfony-based open-source e-commerce framework and is particularly popular in Poland, Germany, and France for enterprise and custom commerce builds.

Key EU credentials:

Sylius is aimed at enterprise and mid-market retailers who need a highly customisable platform built on mature PHP infrastructure.


Comparison: WooCommerce vs. EU Alternatives

| Criterion | WooCommerce (hosted) | WooCommerce (self-hosted) | Shopware AG | PrestaShop SA | Medusa Commerce |
|---|---|---|---|---|---|
| Corporate jurisdiction | US (Delaware) | N/A — your server | Germany (AG) | France (SA) | Denmark (ApS) |
| CLOUD Act exposure | HIGH | LOW | LOW | LOW | LOW |
| EU supervisory authority | No EU DPA | Your provider | LDI NRW | CNIL | Datatilsynet |
| Adequacy decision needed | YES (US-EU transfers) | NO | NO | NO | NO |
| Self-hosted option | NO (hosted) | YES | YES | YES | YES |
| Managed EU cloud option | WordPress.com (US) | EU hosting required | AWS Frankfurt | OVH (French) | Self-managed |
| WooPayments / EU payments | Stripe (US parent) | EU processor possible | Mollie/Adyen native | Mollie/Adyen native | Mollie/Adyen native |
| Market maturity | Very high | Very high | High | High | Medium |
| Technical complexity | Low (hosted) | High | Medium | Medium | High |

Practical Assessment for EU Businesses

For non-technical EU businesses that want the simplicity of hosted e-commerce: WooCommerce on WordPress.com carries material GDPR risk due to Automattic's US jurisdiction. Shopware Cloud (on AWS Frankfurt with Shopware as processor) or PrestaShop Essentials (on OVH) are structurally safer alternatives, though both involve some cloud provider dependency that should be assessed in a Transfer Impact Assessment.

For technical EU teams comfortable with self-hosting: Self-hosted WordPress + WooCommerce on EU infrastructure (Hetzner, OVH, IONOS) with an EU-native payment processor is a compliant and cost-effective path. The key requirements are: EU hosting provider, EU payment processor, disabled Jetpack and Automattic telemetry plugins, and active patch management independent of WordPress.org governance disputes.
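As an added example (not sota.io's, Automattic's or WordPress's own code), the following must-use plugin audits every outbound HTTP call a self-hosted store makes and flags those going to Automattic-operated domains, so a team can verify that disabling Jetpack, Akismet and Woo licence checks actually stopped the traffic before signing off a Transfer Impact Assessment. The plugin name, its file location and the list of flagged domain suffixes are assumptions to adapt to your own stack.

```php
<?php
/**
 * Plugin Name: Egress Audit
 * Description: Logs every outbound HTTP request WordPress makes and flags
 * destinations on Automattic-operated domains. Audit only: nothing is
 * blocked, so updates keep working while you decide which call-outs
 * (Jetpack, Akismet, Woo licence checks) to remove.
 * Install: copy into wp-content/mu-plugins/ (any file name).
 */

// Assumed list of Automattic-operated domain suffixes; adjust for your stack.
const EGRESS_AUDIT_FLAGGED = array(
	'wordpress.com',   // WordPress.com / Jetpack API
	'wordpress.org',   // core and plugin update channel
	'woocommerce.com', // Woo Marketplace licence validation
	'akismet.com',     // Akismet spam filtering
	'jetpack.com',
);

// Return the flagged suffix matching $host (exact or subdomain), else null.
function egress_audit_match_host( $host ) {
	$host = strtolower( (string) $host );
	foreach ( EGRESS_AUDIT_FLAGGED as $suffix ) {
		$tail = '.' . $suffix;
		if ( $host === $suffix || substr( $host, -strlen( $tail ) ) === $tail ) {
			return $suffix;
		}
	}
	return null;
}

// http_api_debug fires after every WP_Http request, failed ones included,
// with ( $response, $context, $transport_class, $parsed_args, $url ).
function egress_audit_log_request( $response, $context, $class, $args, $url ) {
	if ( 'response' !== $context ) {
		return;
	}
	$host    = wp_parse_url( $url, PHP_URL_HOST );
	$flagged = egress_audit_match_host( $host );
	$status  = is_wp_error( $response ) ? 'error' : wp_remote_retrieve_response_code( $response );

	// One line per request in the PHP error log; grep for flagged=yes.
	error_log( sprintf(
		'egress-audit host=%s flagged=%s method=%s status=%s',
		$host,
		$flagged ? 'yes(' . $flagged . ')' : 'no',
		isset( $args['method'] ) ? $args['method'] : 'GET',
		$status
	) );
}
add_action( 'http_api_debug', 'egress_audit_log_request', 10, 5 );
```

Once the audit shows which hosts the store genuinely needs, WordPress's own `WP_HTTP_BLOCK_EXTERNAL` and `WP_ACCESSIBLE_HOSTS` constants in wp-config.php can enforce the resulting allow-list; keep whichever update hosts your patch process relies on in it, or security updates stop arriving.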

For enterprise EU commerce: Shopware Enterprise or PrestaShop Enterprise offer the combination of EU corporate jurisdiction, enterprise-grade SLAs, and documented compliance frameworks. Both are materially lower risk than Automattic-hosted services for Article 28 processor assessments.


Key Takeaways

WooCommerce as an open-source plugin is jurisdictionally neutral — it is code, not a company. Automattic Inc., the company that operates every commercial WooCommerce service, is a Delaware corporation subject to the US CLOUD Act.

The practical implications for EU merchants are:

  1. WordPress.com with WooCommerce commerce plans = Automattic-hosted = US jurisdiction. CLOUD Act applies. Material GDPR risk.

  2. WooPayments = Stripe + Automattic. US jurisdiction applies to payment data through Stripe Inc. (Delaware parent).

  3. Self-hosted WooCommerce on EU infrastructure ≠ Automattic. If properly deployed without Automattic-connected services, jurisdictional risk is eliminated.

  4. WP Engine dispute 2024 demonstrated that open-source does not mean decentralised governance. Automattic's centralised control over WordPress.org infrastructure is a material operational and compliance risk.

  5. EU-native alternatives exist: Shopware AG (Germany), PrestaShop SA (France), Medusa Commerce ApS (Denmark), and Sylius sp. z o.o. (Poland) offer e-commerce platforms headquartered in EU member states with no US parent company exposure.

For EU businesses processing significant volumes of customer data, a Transfer Impact Assessment (TIA) under the SCCs framework is required before using Automattic-operated services. The TIA should assess the probability of US government access in light of Automattic's inability to resist properly issued CLOUD Act orders.


Part of the sota.io EU E-Commerce Platform Series. Part 1 covers Shopify — Canada Five Eyes, GCP CLOUD Act chain, and GDPR e-commerce risk.

sota.io provides EU-sovereign PaaS infrastructure for developers and businesses that require genuine data residency and jurisdictional clarity. Learn more about our approach to EU data sovereignty.
