GDPR compliance — structural, not just claimed.

Hosting in certified EU data centres, no US data path, downloadable DPA, transparent sub-processor list. As a European provider, Mailantis is built the way an EU data protection officer would want.

Key topics

GDPR-relevant aspects at Mailantis

GDPR aspect | Mailantis implementation | Status
Data processing (Art. 28) | Standard DPA available for download in the account area, Enterprise customisation possible | available
Records of processing (Art. 30) | Mailantis-internal records of processing activities available on request | available
EU storage (Art. 44 et seq.) | Certified EU data centres (Germany), EU-only. No third-country transfer of mail data | met
Data minimisation (Art. 5(1)(c)) | Mail bodies are not processed, forensic reports pseudonymised | met
Storage limitation (Art. 5(1)(e)) | Aggregate reports configurable (30/90/365 days), forensic 30 days by default | met
Data subject rights (Art. 15-22) | Self-service export in the account, deletion on request within 30 days | met
Security of processing (Art. 32) | TLS, MFA, encryption at rest, audit log, annual penetration test | met
Data protection impact assessment | DPIA template available on request for controller-side DPIAs | available

Cloud Act and Schrems II: Mailantis uses no US cloud providers in the data path — no AWS, no Azure, no GCP for customer data. US-touched sub-processor relationships exist only with Stripe (payment processing; account and billing data only, never mail traffic data) and Google Analytics (marketing-site reach measurement only, loaded only with consent via the cookie banner).

Sub-processors

Who processes your data and for what purpose

Stripe Payments Europe Ltd.

Dublin, IE · Payments

Processing of credit card and SEPA payments. Receives only billing and contact data — no mail data.

Sectigo Limited

Salford, UK · CA for S/MIME

Issuance of S/MIME certificates. Receives the validation data provided in the application (name, email, company data if applicable).

Cloudflare Inc.

EU tier · Static front-end

CDN/DDoS protection for the static marketing site (mailantis.com). Does not process login or mail data — those go directly to our EU data centres.

Google Ireland Limited

Dublin, IE · Reach measurement

Google Analytics 4 for the marketing site (mailantis.com). Loaded only after explicit consent via the cookie banner. IP anonymisation enabled. No processing of login or mail data.

DSK position

Sensitive data: transport TLS is not enough

Art. 32 GDPR requires technical measures "appropriate to the risk". The German DPA Conference (DSK — Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder) has clarified what this means in practice for the email transmission of sensitive data:

When transmitting sensitive personal data — e.g. in healthcare, legal or financial sectors — simple transport encryption is insufficient. The use of end-to-end encryption (e.g. S/MIME) is a mandatory requirement.[1]

The practical difference: MTA-STS and TLS only protect the "wire" between two mail servers. As soon as the message lands on a server — Microsoft 365, Google Workspace, your own Exchange — it sits there in cleartext. If that server is compromised (token theft, insider, misconfiguration), all content is exposed.

S/MIME closes that gap: the message is encrypted on the sender's device and can technically only be decrypted on the recipient's device. Neither providers nor server admins can read it — and the recipient can cryptographically prove that the email arrived unchanged from the stated sender.
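The difference between "protected on the wire" and "protected at rest on the server" can be made concrete with OpenSSL's `cms` subcommand. The following script is an added example, not Mailantis code or part of its S/MIME integration: it signs and encrypts a constructed message, checks that the form a mail server would store contains no plaintext and cannot be opened with a key other than the recipient's, and then decrypts and verifies it on the recipient side. The mailbox addresses and the self-signed certificates are constructed for the demo (a real deployment uses CA-issued certificates), and the script assumes an `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example, not Mailantis code: an S/MIME round trip with OpenSSL's
# `cms` subcommand. It shows the difference the text describes: what a mail
# server stores after the message leaves the sender is ciphertext that only
# the recipient's private key opens, and the signature ties it to the sender.
# Mailbox names and the self-signed certificates are constructed for the demo;
# a deployment uses CA-issued S/MIME certificates instead.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

# Create a self-signed S/MIME certificate and private key for one mailbox.
# $1 = mailbox address (constructed), $2 = output file basename
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# Complete sign -> encrypt -> (server storage) -> decrypt -> verify cycle.
# Runs in a subshell so the temporary directory and cwd change stay local.
# Prints the body text the recipient recovers after successful verification.
smime_roundtrip() (
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"
    make_identity sender@example.invalid sender
    make_identity recipient@example.invalid recipient

    # Constructed sample body: the kind of content the DSK guidance is about.
    printf 'Patient finding: sample text, constructed for the demo\n' > body.txt

    # 1. On the sender's device: sign (origin + integrity), then encrypt to the
    #    recipient's certificate. -nodetach keeps the signed content inside
    #    the CMS structure; -binary skips CRLF canonicalisation of the body.
    openssl cms -sign -binary -nodetach -in body.txt \
        -signer sender.crt -inkey sender.key -out signed.eml
    openssl cms -encrypt -aes256 -in signed.eml -out encrypted.eml recipient.crt

    # 2. encrypted.eml is all that any relay or mailbox server ever holds.
    #    Even with transport TLS stripped, the body must not be findable in it.
    if grep -q 'Patient finding' encrypted.eml; then
        echo "plaintext leaked into the transported message" >&2
        exit 1
    fi

    # 3. A server admin holding some other key (here the sender's own key)
    #    cannot decrypt it either; the attempt must fail.
    if openssl cms -decrypt -in encrypted.eml -recip sender.crt \
            -inkey sender.key -out /dev/null 2>/dev/null; then
        echo "decryption with a foreign key unexpectedly succeeded" >&2
        exit 1
    fi

    # 4. On the recipient's device: decrypt with the recipient's key, then
    #    verify the signature against the sender's certificate.
    openssl cms -decrypt -in encrypted.eml -recip recipient.crt \
        -inkey recipient.key -out signed_copy.eml
    openssl cms -verify -in signed_copy.eml -CAfile sender.crt \
        -out verified.txt 2>/dev/null
    cat verified.txt
)

# Stand-alone run: print what the recipient ends up reading.
smime_roundtrip
```

Step 2 is the one that matters for the Art. 32 argument: a compromised mailbox server, an insider or a misconfigured relay only ever sees `encrypted.eml`, and step 3 shows that possession of the server's own keys does not help. Step 4 is the recipient-side proof of origin mentioned above: `cms -verify` fails if the signature does not chain to the stated sender's certificate or the content was altered in transit.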

Breaches of Art. 32 GDPR can attract fines of up to EUR 20M or 4% of global annual turnover.

Sector triggers for an E2E obligation: healthcare (patient data, findings), legal (client correspondence), tax / accounting, banking / financial services (DORA consistency), social services, HR (sensitive employee data). For these use cases, Mailantis provides automated S/MIME certificates via the Sectigo CA.

FAQ

Common privacy questions

Where is my data stored?

Exclusively in the EU. Hosting in certified EU data centres in Germany, including backups. No US sub-processors in the data path.

What personal data does Mailantis process?

Account data (name, email, company), login data, audit logs. In forensic report mode, mail headers (sender, recipient, subject) — pseudonymisation available. We do not process mail bodies.

Is there a DPA?

Yes. A standard Data Processing Agreement (DPA) under Art. 28 GDPR is available for download in the account area. For Enterprise customers with special needs we adapt the DPA individually.

Who are the sub-processors?

Stripe (EU/USA, payments — only account data, no mail data), Sectigo (certificates), Cloudflare (static marketing front-end only, EU tier), Google Ireland (Google Analytics for the marketing site, only with consent). Hosting in certified EU data centres in Germany. The full list with purposes and legal bases is in the DPA annex.

How are forensic reports GDPR-compliant?

Forensic reports potentially contain personal data (email addresses). Mailantis pseudonymises by default, retains data for only 30 days and allows complete opt-out. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) for spoofing defence.

Sources

[1] Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder (DSK) — Guidance on the email transmission of sensitive personal data; Mayer Brown — Management liability in cyber attacks. Fine ranges under Art. 83(5) GDPR. As of May 2026.

Privacy that's more than a label.

EU-only, pseudonymised, downloadable DPA — documented in an auditable way.