What GDPR Actually Says About Hosting
The General Data Protection Regulation doesn't just govern how companies collect and use data — it governs how they store and protect it. Two articles are particularly relevant for hosting decisions.
Article 32 requires data controllers and processors to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. For sensitive personal communications like email, this means encryption, access controls, integrity measures, and the ability to ensure ongoing confidentiality. A simple "our servers are in the EU" claim does not satisfy Article 32 by itself.
Article 28 governs the relationship between data controllers and processors — in practice, between you and your hosting provider. When you use a cloud platform to host personal data, that cloud platform becomes a data processor under GDPR. They must sign a Data Processing Agreement (DPA) with you, they must only process data on your documented instructions, and they must provide sufficient guarantees of security. Many cloud providers offer DPAs — but signing a DPA does not make a hosting arrangement GDPR-compliant if the underlying infrastructure creates legal risks that the DPA cannot override.
The most significant of those risks is extra-European legal reach — which brings us to the cloud problem.
The US Cloud Problem
The three dominant cloud platforms — AWS, Google Cloud, and Microsoft Azure — are operated by US companies. This creates a fundamental problem for GDPR-sensitive data.
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted in the US in 2018, allows US law enforcement to compel American companies to produce data stored anywhere in the world, including on servers physically located in the EU. Critically, the CLOUD Act does not require the US government to first notify EU authorities or the data subject. A US court order served on AWS can reach data stored in AWS Frankfurt without ever involving a German court.
The Schrems II ruling by the Court of Justice of the EU (2020) invalidated the EU-US Privacy Shield, the previous framework for transatlantic data transfers, precisely because US surveillance law was incompatible with EU fundamental rights. The successor framework — the EU-US Data Privacy Framework — was adopted in 2023, but legal experts already anticipate a Schrems III challenge, and it does not meaningfully address the CLOUD Act problem for highly sensitive data.
The practical consequence: if your email hosting runs on AWS, Google Cloud, or Azure — even in a European region — your data is potentially reachable by US authorities without your knowledge and without EU legal oversight.
What Genuine EU-Only Hosting Looks Like
Genuine GDPR-compliant hosting for sensitive personal data requires more than a server physically located in the EU. It requires:
- European company ownership — the hosting provider must not be a subsidiary of a US parent company, which would bring it under US corporate law and potential CLOUD Act exposure
- No US legal nexus — the provider should not have significant operations, assets, or personnel in the United States that could be used to compel data production under US law
- Physical EU infrastructure — servers must be physically located in EU member states, not merely routed through EU regions of a global cloud
- Transparent data processing agreements — clear documentation of who can access data, under what conditions, and what the legal process for requests looks like
- Appropriate technical measures — encryption at rest and in transit at minimum, ideally with a zero-knowledge architecture so that even the hosting provider cannot access plaintext data
enemail's Hosting Setup
enemail runs on EU-based dedicated hosting by Evolushost, with servers in Frankfurt, Berlin, and Vienna. Evolushost is a European company with no US parent, no US operations, and no CLOUD Act exposure. Their infrastructure is physically located in EU data centres, and their legal obligations run to EU law exclusively.
This means that data stored on enemail's servers is subject solely to EU and member-state law. A request for user data must go through EU legal channels — which means judicial oversight, proportionality requirements, and data subject rights that US-accessible infrastructure cannot guarantee.
On top of this infrastructure foundation, enemail applies zero-knowledge encryption. Even in the worst case — a valid court order compelling us to produce user data — what we can hand over is encrypted ciphertext. The keys to decrypt it exist only on the user's device. This is the gold standard: genuine EU infrastructure combined with encryption that neutralises even legitimate legal requests.
Questions to Ask Your Hosting Provider
Whether you're evaluating an email service or any service that handles sensitive personal data, here are the questions that matter:
- Is your company incorporated in the EU? A US-incorporated company with EU servers is still a US company for CLOUD Act purposes.
- Do you have US-based parent companies, investors, or significant operations? Corporate structure matters for legal exposure.
- Are your servers exclusively in EU data centres? "EU region" on a US cloud platform is not the same as EU-only infrastructure.
- Do you sign Data Processing Agreements under GDPR Article 28? A provider that won't sign a DPA is not a serious partner for GDPR-sensitive data.
- What encryption do you apply to stored data? "Encrypted at rest" with provider-controlled keys is very different from zero-knowledge encryption with user-controlled keys.
- What is your process when you receive a legal request for user data? Transparency here is a strong signal of trustworthiness.
- Have you ever received a government request for user data? What did you do? This is the most revealing question of all.