Does the US CLOUD Act reach your "EU-hosted" email provider?
"EU-hosted" gets used to mean two different things, and the difference matters more than it looks like on a pricing page. One meaning: the servers are physically in the EU. The other, stronger meaning: the company operating those servers isn't subject to US legal process that could compel data disclosure regardless of where the servers sit. The US CLOUD Act is specifically why that second meaning matters.
What the CLOUD Act actually does
The US CLOUD Act (2018) clarified that US law enforcement can compel a US company, or a company otherwise subject to US jurisdiction, such as a US subsidiary, to produce data it controls, regardless of where that data is physically stored. A US-headquartered provider running EU data centers doesn't escape US legal process just because the servers are in Frankfurt; the compellable party is the company, not the hardware.
The practical distinction worth asking about
This is genuinely a legal question with real nuance, not something a vendor's blog post should present as settled law, and this isn't legal advice. What's fair to say plainly: a company that is itself EU-incorporated, with no US parent entity controlling it, sits in a meaningfully different legal position than a US company's EU subsidiary or EU data center. Envello's legal entity (a UK Ltd or a German UG, under final review at the time of writing) is still being finalized, but both options under consideration are non-US entities with no US parent, which is the fact that actually matters for this question, not which of the two gets chosen.
What to actually ask a vendor
- Is the entity you're contracting with EU-incorporated, or is it a subsidiary of a US parent?
- "EU-hosted" alone doesn't answer the jurisdiction question, ask specifically about corporate structure, not just data center location
- If this matters materially for your compliance posture, get a specific, written answer rather than inferring it from marketing language