The full list of companies that touch your data

"EU-hosted" is on the homepage of nearly every European alternative now. So is "EU-only", "GDPR-compliant", and "your data never leaves Europe". The trouble is that those phrases are easy to write and hard to check — and some of the products using them run on the Frankfurt region of a US cloud, which keeps the bytes in Germany while keeping the company under US jurisdiction, the CLOUD Act included. Where your data physically sits and who can be compelled to hand it over are two different questions.

The only way to tell a sovereign service from a relabelled one is to make it show you the list: which companies, exactly, can touch your data. So here's ours. The whole thing.

The companies that process your data

Three. That's the entire list.

Company	Role	Where
OVHcloud (OVH SAS)	Infrastructure — compute, storage, backups, network	France
Mollie B.V.	Payment processing	Netherlands
Moneybird B.V.	Invoicing and accounting	Netherlands

• OVHcloud is where everything runs: compute, storage, backups, network. A French company on French soil, the ground the rest sits on.
• Mollie processes payments. When you enter card details they go to Mollie, not to us — we never see or store a card number. Mollie sees what a payment processor has to: the charge, and the billing name and email attached to it.
• Moneybird is our invoicing and accounting system. It holds the billing side of your account — company name, billing address, invoice lines. It never touches your mailbox, files, or calendar.

All three are EU companies, in the EU, under EU law. That's the same list as in our Data Processing Agreement, and if it ever changes we give 30 days' notice before the change takes effect, so you can object first.

Everything else, we run ourselves

The list is three companies long instead of thirty because the actual product — the parts that hold your email, files, and identity — isn't bought in from anyone. We run it ourselves, on the OVH infrastructure above, using European open-source software:

• Mail — Stalwart, our own mail servers
• Drive and documents — Seafile and ONLYOFFICE
• Calendar, contacts and webmail — Bulwark
• Identity and single sign-on — Authentik
• Chat — Zulip
• Video meetings — La Suite Meet, the French government's own video stack
• Billing engine — Lago
• Newsletter — Listmonk
• Analytics — Umami, self-hosted and cookieless. No Google Analytics, no third-party tracker; the numbers stay on our own cluster.
• Anti-bot — Altcha, a proof-of-work check your browser solves locally. No reCAPTCHA, no hCaptcha, nothing phoned home to a US verification service.

None of those is a service we send your data to. They're programs we operate. When you send an email it goes from our server to the recipient; it doesn't detour through anyone's API on the way.

The honest edge cases

A transparency post that lists only the flattering parts isn't transparent. Here are the things a careful reader will rightly ask about, with the straight answers:

• Transactional email — your signup code, password resets, this newsletter — is sent by Remails, which is us: email.eu is a trade name of Remails B.V., and the relay runs on our own EU infrastructure. First-party, not a third party we hand you off to.
• DNS is at TransIP, a Dutch registrar. They resolve email.eu's domain records; they never see your mail or files.
• Source code and the build pipeline live on GitHub (US). That's where we write and compile the software — it never contains customer data.
• Fonts are downloaded once when we build the site and served from our own servers. Your browser never makes a request to Google Fonts.
• Paying sends you briefly to Mollie's own checkout to enter card details. Mollie is Dutch; the redirect is what keeps card data off our systems, which is what you want.
• Migrating from Gmail or Microsoft 365 connects to your old provider to copy your mail across. That's you reaching back into your own existing account to pull your data out — at your instruction, with an app password you can revoke afterwards — not us sending your data anywhere new.

That's all of it. No US cloud, no US email API, no US analytics, no US anti-bot service, and no advertising trackers anywhere in the product.

Why this is the test

You shouldn't have to take "EU-only" on faith — not from anyone, and not from us either. The list above is the same one in our DPA. You can read it, check who each company is and where it sits, and hold us to it. A sovereignty claim you can verify in ten minutes is worth more than one you can't.

If you think we've missed something, tell us. Keeping this list correct, and keeping it short, is most of the job.