Tags: gdpr, guide, compliance

GDPR-Compliant Email API in 2026: A Buyer’s Guide

PostStack Team

If you ship product to European customers in 2026, your email infrastructure is no longer a back-office choice — it is a compliance decision your DPO will eventually ask you to defend. This post walks through what "GDPR-compliant email API" actually means in practice, the four traps most US-headquartered providers fall into, and how to evaluate any vendor against the criteria your future audit will use.

The criteria nobody writes down

GDPR doesn't certify email APIs. There is no checkmark a provider can buy. So "GDPR-compliant" gets used loosely. Here's what European data protection law actually expects, in practical terms:

  • Data residency — personal data of EU residents must be stored and processed in a way you can defend. The bar isn't "in the EU" specifically; it is "with adequate safeguards." Since Schrems II (2020) struck down Privacy Shield, the Standard Contractual Clauses route to the US has been fragile, and several DPAs (Bavaria, Austria, France) have ruled specific US-hosted services non-compliant on specific grounds.
  • Sub-processor disclosure — your provider must publish their sub-processors and let you object to changes. Email providers chain to AWS, Cloudflare, MaxMind, etc., and every link in that chain is a sub-processor.
  • Data Processing Agreement (DPA) — an Art. 28 agreement you can actually execute, whether countersigned or accepted electronically as part of the terms; a privacy policy is not a DPA. Several providers still gate one behind enterprise contracts.
  • Data subject rights — you must be able to honour access, rectification, and erasure requests within one month of receipt (Art. 12(3); extendable by two further months for complex requests, but only if you tell the data subject why). That means your email provider needs an erasure API, or your runbook breaks.
  • Retention controls — you should set how long bodies, headers, and logs are kept, not the provider.
  • Breach notification — the 72-hour clock in Art. 33 is yours as the controller and starts when you become aware of the breach; your processor is only obliged to notify you "without undue delay". Your provider's breach is your breach, so put a concrete notification SLA in the DPA rather than relying on the statutory wording.

Trap 1: "GDPR-ready" instead of GDPR-compliant

Read carefully. "GDPR-ready" means "we'll help you be compliant if you configure us correctly." That is not the same as "we are compliant by default." If a provider stores email bodies in US-East by default and only routes EU traffic to the EU on a paid tier, you are buying a configuration trap. Defaults matter because an audit looks at what you actually run, not at what you could have configured, and a setting that a new project or a new team member can silently leave unset is a finding waiting to happen.

Trap 2: The CLOUD Act asterisk

The 2018 US CLOUD Act allows US authorities to compel a US company to hand over data in its possession, custody or control, wherever it is stored, including on EU servers. So even when SendGrid or Postmark route mail through Frankfurt, the parent company is still subject to US jurisdictional reach. That asterisk is why several European buyers have shifted toward EU-headquartered infrastructure providers in the last 24 months. PostStack is one example; OVHcloud, Hetzner, and Scaleway are infrastructure-layer examples.

If "no US CLOUD Act exposure" is on your DPIA, neither US-owned providers nor US-EU hybrids satisfy that requirement, regardless of where the data sits.

Trap 3: Open and click tracking

An open-tracking pixel is a 1×1 image whose URL carries a per-message identifier. When the recipient's mail client fetches it, the provider records that identifier together with the client's IP address, user agent and timestamp. That is personal data. A click tracker rewrites every link in the email so it passes through the provider's redirector, which records the same fields at click time and then forwards to the real destination. Also personal data.

Both are explicitly named in the EDPB's 2023 guidance on cookies and similar technologies. The legal basis for tracking opens and clicks in marketing email is normally consent, not legitimate interest. If your email API can't disable tracking on a per-message basis (or per-list basis for marketing email), you need consent for every send, including transactional mail that would otherwise need none. Many providers can disable it. Some can't.
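To make the mechanism concrete, here is an added example (not PostStack's code, and not any provider's real tracking format) showing what a tracking-enabled send does to a message body, and an audit function that scans a rendered message for those artifacts so a "tracking disabled" flag can be verified on the wire instead of trusted. The redirector host track.example and the /c/<token>?u= and /o/<token>.gif layouts are assumptions; real providers differ in format, not in substance.

```python
# Added example, not PostStack code: what open/click tracking injects into a
# message, and an audit that checks a rendered message carries none of it.
# The redirector host and the /c/<token>?u= and /o/<token>.gif paths are
# assumptions; real providers differ in format, not in substance.
import re
import secrets
from html import unescape
from urllib.parse import parse_qs, quote, urlparse

TRACKING_HOST = "track.example"  # hypothetical click-redirector / pixel host

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r'src="([^"]+)"', re.IGNORECASE)
DIM_RE = re.compile(r'\b(width|height)="?(\d+)', re.IGNORECASE)


def add_tracking(html: str) -> str:
    """Apply the transformation a tracking-enabled send performs: route every
    http(s) link through a redirector keyed by a per-message token and append
    a 1x1 open pixel. Each fetch of these URLs hands the provider the token
    (which identifies the recipient) plus IP, user agent and timestamp."""
    token = secrets.token_urlsafe(16)

    def rewrite(match: re.Match) -> str:
        url = unescape(match.group(1))
        if not url.startswith(("http://", "https://")):
            return match.group(0)  # mailto:, tel: and anchors are left alone
        return f'href="https://{TRACKING_HOST}/c/{token}?u={quote(url, safe="")}"'

    tracked = HREF_RE.sub(rewrite, html)
    pixel = f'<img src="https://{TRACKING_HOST}/o/{token}.gif" width="1" height="1" alt="">'
    if "</body>" in tracked:
        return tracked.replace("</body>", pixel + "</body>", 1)
    return tracked + pixel


def unwrap_link(url: str) -> str:
    """Recover the real destination from a redirector URL (identity otherwise)."""
    params = parse_qs(urlparse(url).query)
    target = params.get("u", [url])[0]
    return target if target.startswith(("http://", "https://")) else url


def find_tracking_artifacts(html: str, tracking_hosts=(TRACKING_HOST,)) -> dict:
    """Audit a rendered message. Returns the open pixels and rewritten links
    found, so a provider's 'tracking disabled' setting can be verified on the
    wire instead of trusted. Flags any 1x1 image, whatever host it uses, and
    any link that either points at a known redirector or wraps another URL."""
    pixels, rewritten = [], []
    for img in IMG_RE.findall(html):
        src = SRC_RE.search(img)
        src_url = unescape(src.group(1)) if src else ""
        host = urlparse(src_url).hostname or ""
        dims = {k.lower(): int(v) for k, v in DIM_RE.findall(img)}
        is_1x1 = dims.get("width") == 1 and dims.get("height") == 1
        if host in tracking_hosts or is_1x1:
            pixels.append(src_url)
    for href in HREF_RE.findall(html):
        url = unescape(href)
        host = urlparse(url).hostname or ""
        if host in tracking_hosts or unwrap_link(url) != url:
            rewritten.append(url)
    return {"pixels": pixels, "rewritten_links": rewritten}


# Constructed sample: a transactional message with one web link and one mailto.
SAMPLE = (
    "<html><body><p>Your invoice is ready: "
    '<a href="https://app.example.com/invoices/42?tab=pdf">open it</a> '
    'or <a href="mailto:billing@example.com">reply</a>.</p></body></html>'
)

if __name__ == "__main__":
    print(find_tracking_artifacts(add_tracking(SAMPLE)))  # one pixel, one rewritten link
    print(find_tracking_artifacts(SAMPLE))                # {'pixels': [], 'rewritten_links': []}
```

The audit is deliberately host-agnostic for pixels: a 1×1 image is flagged whatever domain serves it, because a provider's redirector host is not always the one in its documentation. Run it against a message captured from a test mailbox after sending with tracking disabled; an empty result is the evidence your DPIA can cite.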

PostStack lets you disable tracking per send. The tracking documentation covers the legal basis and the technical disable flags.

Trap 4: Logs are personal data too

The contents of an email — to, from, subject, body, attachments — are personal data. So are the access logs that track what your team viewed in the dashboard. A 14-day log retention is fine; an indefinite "we keep everything for analytics" is not. Ask the provider what they retain, where, and for how long. If they can't tell you in one paragraph, they don't know.

What to look for in a GDPR-compliant email API

A short checklist your procurement team can use, written so the answers are yes/no/where:

  1. Where is email content (bodies, attachments, headers) stored at rest? In which country and on whose hardware?
  2. Is the provider headquartered in the EU? If not, are they a wholly-owned EU subsidiary?
  3. Is the standard DPA signable as a click-through, or is it gated behind a sales call?
  4. Is there a public sub-processor list and a notification channel for changes?
  5. Can opens and clicks be disabled per send and per list?
  6. How long are message logs retained, and is that configurable per plan?
  7. Is there an API for erasure (deleting all data for a contact / domain)?
  8. What is the breach notification SLA, and can it meet your 72-hour obligation?
  9. Is bounce/complaint data hashed or kept in plaintext?

How PostStack scores

PostStack is a Danish company hosting on Hetzner and Equinix infrastructure in Germany and Finland. There is no US presence and no US sub-processor in the data path. Specifically:

  • Email content is stored in Germany; backups are encrypted and stored in Finland.
  • DPA is published at /dpa and signable from any plan, free included.
  • Sub-processors are listed at /sub-processors with a 30-day change notification.
  • Open and click tracking are opt-in per send.
  • Log retention is 14 days on Free, 30 on Starter, 90 on Pro, 365 on Scale.
  • Erasure is exposed via the contacts API (DELETE per contact) and via DPO request at the account level.
  • Breach notification SLA is 24 hours, well inside the 72-hour requirement.
  • Suppression data is hashed (SHA-256) before storage.
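Checklist item 9 and the suppression line above both come down to the same design question: how do you keep honouring a bounce, complaint or unsubscribe after you have erased the contact, without holding the address in clear? The following is an added example, not PostStack's code; the pepper value, the normalisation rule and the record layout are assumptions. The page describes plain SHA-256; this example goes one step further with HMAC-SHA256 and shows, with a constructed candidate list, why an unkeyed hash of an email address is pseudonymisation at best.

```python
# Added example, not PostStack code: a suppression store that keeps only a
# keyed hash of each bounced, complaining or unsubscribed address, and the
# erasure step that removes the contact record while leaving the suppression
# entry in place. The pepper value, normalisation rule and record layout are
# assumptions. The page describes plain SHA-256; this uses HMAC-SHA256 and
# demonstrates why the key matters.
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def normalise(address: str) -> str:
    """Canonicalise before hashing so 'Alice@Example.COM ' and
    'alice@example.com' map to the same digest. RFC 5321 only makes the
    domain case-insensitive; lowering the local part too is the usual
    suppression-list convention and an assumption here."""
    local, _, domain = address.strip().rpartition("@")
    return f"{local.lower()}@{domain.lower()}"


def plain_sha256(address: str) -> str:
    """What 'hashed with SHA-256' means when no key is involved."""
    return hashlib.sha256(normalise(address).encode()).hexdigest()


def guess_plain_hash(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Why an unkeyed hash of an email address is pseudonymisation at best:
    anyone holding a list of plausible addresses recovers membership by
    hashing each one and comparing. Email addresses are low entropy."""
    for candidate in candidates:
        if plain_sha256(candidate) == digest:
            return candidate
    return None


class SuppressionList:
    """Stores HMAC-SHA256(pepper, normalised address) -> reason. Without the
    pepper the digests cannot be matched against guessed addresses, and the
    list never holds an address in clear."""

    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper  # keep in a KMS/secret store, never beside the data
        self._entries: Dict[str, str] = {}

    def digest(self, address: str) -> str:
        return hmac.new(self._pepper, normalise(address).encode(), hashlib.sha256).hexdigest()

    def add(self, address: str, reason: str) -> None:
        self._entries[self.digest(address)] = reason

    def is_suppressed(self, address: str) -> bool:
        return self.digest(address) in self._entries

    def reason(self, address: str) -> Optional[str]:
        return self._entries.get(self.digest(address))


def erase_contact(contacts: Dict[str, dict], suppressions: SuppressionList, address: str) -> bool:
    """Art. 17 erasure step: drop the contact record (name, address, engagement
    data) but keep the suppression digest. Erasure must not silently re-enable
    sending to someone who complained or unsubscribed. Returns whether a
    contact record existed."""
    removed = contacts.pop(normalise(address), None) is not None
    # Nothing to do on `suppressions`: it holds no record that names the person.
    return removed


def should_send(contacts: Dict[str, dict], suppressions: SuppressionList, address: str) -> bool:
    """Send-time gate: a recipient needs a contact record and no suppression."""
    return normalise(address) in contacts and not suppressions.is_suppressed(address)


if __name__ == "__main__":
    # Constructed sample data.
    suppressions = SuppressionList(pepper=b"constructed-pepper-keep-in-kms")
    contacts = {"alice@example.com": {"name": "Alice"}, "bob@example.com": {"name": "Bob"}}
    suppressions.add("Alice@Example.COM ", "complaint")
    print(should_send(contacts, suppressions, "alice@example.com"))          # False
    erase_contact(contacts, suppressions, "alice@example.com")
    print(suppressions.is_suppressed("alice@example.com"))                   # True: still blocked
    print(guess_plain_hash(plain_sha256("bob@example.com"), contacts))       # bob@example.com
    print(guess_plain_hash(suppressions.digest("bob@example.com"), contacts))  # None
```

Two consequences worth writing into the runbook. First, the pepper is the asset: a keyed digest is still personal data under GDPR for as long as you hold the key (Art. 4(5) pseudonymisation), so the list needs its own retention and access policy; the gain is that a leaked table is not a list of addresses. Second, the pepper cannot be rotated in place, because a digest computed under the old key cannot be recomputed without the plaintext address you no longer hold, so rotating it means rebuilding the suppression list from scratch. Ask a provider that claims "hashed suppression data" which of the two schemes they run and where the key lives.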

If you want the technical and legal posture in one document, the trust page covers infrastructure, data flows, and the security audit log.

What about SES + your own SMTP relay?

A common DIY answer is "we'll just use Amazon SES inside our EU AWS region." This works technically — SES has eu-west-1, eu-central-1, and eu-north-1. But the same CLOUD Act analysis applies; AWS Europe is a wholly-owned subsidiary of AWS US. Several European DPAs have explicitly named AWS as a problematic processor for personal data.

The other DIY answer, running your own Postfix server, is fine, and cheaper in licence cost than any provider, but the operational cost is real. Bounce handling, DMARC alignment, IP warm-up, DNS blocklist (RBL) monitoring, and TLS certificate rotation are not weekends-and-coffee work. Several teams have come to PostStack precisely because they tried this and burned out.

The decision framework

If you are a US company shipping primarily to US customers, US-hosted is fine; pick whichever provider has the best DX for your stack. If you are a European company shipping to European customers, the bar is higher and the choice narrows considerably. The questions to answer in order:

  1. Is the provider EU-headquartered? If no, every other answer can be undone by a CLOUD Act request.
  2. Is the data path entirely inside the EU? Including backups, CDNs, DNS, and analytics.
  3. Are GDPR features defaults, not opt-ins? "EU region" should not be a paid tier.
  4. Will the answers hold up to a DPIA? Read the DPA before you sign it.

Try PostStack

If the criteria above describe what you need, PostStack is built for it. Free tier is 3,000 emails per month. Paid plans start at €5/month for 10,000 emails. The full comparison against the major US-headquartered providers is at /alternatives, and the migration guides are at /migrate.

Most teams migrate in under an hour from Resend, SendGrid, or Postmark — typically because their compliance review came back asking for an EU-only provider.
