The CLOUD Act problem nobody on a US cloud can solve
The Clarifying Lawful Overseas Use of Data Act, signed into US law in March 2018, gives US authorities the power to compel US-incorporated providers to disclose customer data — regardless of where that data is physically stored. AWS Frankfurt does not change the analysis. Google Cloud's Belgium region does not change the analysis. Microsoft Azure Germany does not change the analysis. If the legal entity above the data center is American, the disclosure obligation reaches across the Atlantic.
For most senders this is theoretical. For others it is contractual: enterprise procurement teams at German Mittelstand companies, French insurers, Dutch healthcare networks, Nordic public sector buyers, Spanish banks, EU institutions, and any regulated entity whose auditor reads the same regulatory guidance increasingly will not sign vendor contracts where the legal stack reaches a CLOUD Act jurisdiction. They are not paranoid. They are reading the post-Schrems II landscape correctly.
The EU-Sovereign tier exists for exactly these buyers. The pricing premium covers the operational and legal cost of guaranteeing the sovereignty position. The product itself is the contractual ability to answer "yes, fully EU-jurisdiction, no foreign access mechanism" to a procurement question and have the documentation that survives an auditor's review.
What is included
- Enhanced Data Processing Addendum with EU-only sub-processor commitment
- Estonian governing law on the master service agreement
- Written warranty of no US legal nexus and no CLOUD Act exposure
- Sub-processor list updated quarterly, with notification of any changes
- NIS2 obligations explicitly addressed in the contract
- Customer right to audit infrastructure annually, with reasonable notice
- Dedicated physical infrastructure (not shared tenancy)
- Tallinn data center primary, optional secondary EU site for DR
- Customer data never leaves EU jurisdiction at any point in processing
- Monitoring and accounting data kept on-premises (not shared with US-headquartered analytics services)
- Backup retention exclusively in EU storage
- EU-only DNS authoritative servers for sending domains
- EU-based engineering team with EU work authorization
- Direct engineer access (no offshore tier-1 ticket queue)
- Quarterly compliance review with customer security team
- Annual procurement-ready compliance documentation refresh
- Named technical account manager for enterprise contracts
Who this is for
The EU-Sovereign tier is the right choice when at least one of these is true for your organization:
- Regulated industry with explicit EU residency requirements. Financial services subject to DORA, healthcare under regional regulations, insurance, energy infrastructure, public sector buyers, and EU institutions all have procurement frameworks that map directly to this requirement.
- Procurement disqualification of US-headquartered providers. If your security or legal team has a list of vendors that fail vendor risk assessment because of CLOUD Act exposure, you are the buyer this tier serves.
- Customer-facing data residency commitments. If your contracts with downstream customers commit to EU-only data processing, you need infrastructure that lets you honor those commitments throughout the chain.
- Sensitive subscriber data. Whistleblower platforms, journalism organizations, NGOs working with vulnerable populations, dissident communications — situations where the question of who can compel disclosure of recipient identities is operationally critical, not just compliance theater.
- Schrems II remediation. If your DPIA flagged your existing email vendor as a Schrems II risk, EU-Sovereign tier removes the issue at the source rather than requiring SCCs and supplementary measures that may not survive future legal challenge.
Who this is not for
If your sending program does not face CLOUD Act questions in procurement, the standard tier of our PowerMTA or MailWizz hosting (which is also EU-jurisdiction by virtue of our Estonian incorporation) is the right answer at lower cost. The EU-Sovereign tier is a premium product for buyers whose contractual or regulatory situation justifies the additional rigor and price.
For comparison: standard plans give you the same Estonian-incorporated infrastructure and the same Tallinn data center, just without dedicated physical isolation, the enhanced DPA, the named TAM, and the contractual non-disclosure warranties. Standard plans satisfy GDPR; EU-Sovereign satisfies GDPR plus the procurement and audit overlay that regulated enterprises require on top.
How procurement reviews actually go
A typical enterprise procurement review for EU-Sovereign engagement runs roughly as follows:
- Week 1. NDA, then we provide the compliance pack: DPA, sub-processor list, infrastructure specifications, SIG/CAIQ responses, certifications status, audit reports.
- Week 2. Customer security and legal team review the pack. We answer follow-up questions in writing, typically 5–15 questions for a thorough review.
- Week 3. Optional video walkthrough of infrastructure with customer's technical team. Optional contractual negotiation on DPA addenda specific to customer's industry requirements.
- Week 4. Contracts countersigned. Provisioning starts.
Faster reviews are possible when the customer's procurement framework is well-defined; slower reviews happen when multiple internal stakeholders need to align. We have done reviews in 10 days and reviews in 3 months. The compliance pack is usable from day one regardless of timeline.
What this costs
EU-Sovereign tier pricing is approximately 20–40% above the equivalent standard plan, with the exact percentage depending on volume, dedicated infrastructure scope, and the specific contractual provisions required. We do not publish a flat price because the underlying configuration varies meaningfully by customer profile.
For context, our standard managed PowerMTA plans range from approximately €500 to €3,500 per month depending on volume tier; EU-Sovereign equivalents range correspondingly higher. Custom enterprise pricing applies above defined volume thresholds, particularly for committed annual contracts.
Compared to the cost of internal compliance work to validate (and continuously re-validate) a US-cloud-based vendor's GDPR posture, the EU-Sovereign premium is generally a budget-positive choice for the buyers it targets. The math is even clearer when the procurement team's time has a budget line.
Need EU sovereignty in writing?
Request the compliance pack and a no-commitment scoping conversation. We can usually tell you within 30 minutes whether the EU-Sovereign tier fits your situation or whether the standard plans already do.