REST API · Finnish company · EU jurisdiction

The EU Email API for Teams That Need More Than a Regional Endpoint

A modern REST email API operated by Infotech Pioneers Oy, a Finnish company subject to EU law. No US CLOUD Act exposure on the operator. Pre-signed Article 28 DPA, signed webhooks, sandbox key on signup, 1,000 free sends to evaluate.


1,000 free sends · No credit card · Pre-signed DPA · Node.js & Python SDKs

Quick Answer

An EU email API is a REST email-sending service where both the data processing and the operating company sit inside the European Union. Regional data residency alone (e.g. an “EU endpoint” from a US-incorporated provider) does not solve GDPR transfer concerns because the operator remains under foreign legal compulsion. NexusProMail is operated by Infotech Pioneers Oy, a Finnish company under EU law, with a pre-signed Article 28 DPA, HMAC-signed webhooks and suppression enforcement at the API layer. EU data residency is on the roadmap for Q3 2026.

Key Takeaways

  • Operator jurisdiction (the company processing your data) often matters more for GDPR than data centre location
  • US-incorporated providers retain CLOUD Act and FISA Section 702 exposure even with EU regional endpoints
  • A pre-signed Article 28 DPA removes weeks of legal back-and-forth from procurement reviews
  • Modern REST API: send, schedule, batch, contacts, segments, webhooks, suppression — same primitives as the US incumbents
  • Sandbox API key on signup with 1,000 free sends per month — evaluate without committing DNS changes

Operator Jurisdiction vs Data Residency

Two distinct questions get conflated in many vendor evaluations. The first is where customer data physically sits. The second is which country's legal framework binds the company that processes it. For GDPR, Schrems II and most EU procurement reviews, the second question matters as much as the first.

Operator jurisdiction

Which country's laws govern the company controlling the platform. Determines whether US frameworks (CLOUD Act, FISA Section 702, NSL gag orders) can compel disclosure of customer data regardless of where it sits. For NexusProMail, the operator is Infotech Pioneers Oy — Finnish, EU-jurisdiction, outside US compulsion.

Data residency

Where customer data is physically processed and stored. Addresses GDPR Article 44 transfer requirements when set to an EU region. NexusProMail currently runs on AWS us-east-1; eu-west-1 (Ireland) migration is planned for Q3 2026. Processing today is governed by Finnish law regardless of physical region.

Sub-processor chain

The list of downstream processors that touch customer data — typically the cloud host, analytics vendors, and CDN. Published transparently. Each sub-processor change carries a notice period during which customers can object. The pre-signed DPA enumerates the current chain by reference.

What the API Actually Lets You Do

The API surface covers the full transactional and marketing email lifecycle. If you've integrated Mailgun, SendGrid, Postmark or Resend, the concepts will be familiar — different field names, similar primitives.

Send a single message

POST /v1/api/send with to, from, subject and html (or template_id). Returns immediately with a message ID for tracking.

Batch send

POST /v1/api/send/batch accepts up to 1,000 recipients per call with per-recipient variable substitution.

Schedule a future send

Pass a send_at ISO-8601 timestamp. The API queues the message and returns the scheduled ID. A scheduled send can be cancelled until 5 minutes before send.

Contact + list management

CRUD for contacts, lists, segments and custom attributes. Bulk import via CSV up to 1M rows. Segment by engagement, custom field, lifecycle stage.

Webhook events

Register endpoints to receive delivered, opened, clicked, bounced, complained and unsubscribed events. Payloads are HMAC-signed for authenticity.

Suppression enforcement

The API checks the suppression list before every send. Sends to suppressed addresses fail at the API layer with HTTP 422.

Template management

Store templates server-side with variable placeholders. Send by template_id with a per-call variables object — no client-side rendering needed.

Multi-domain sending

Configure multiple sending domains under one account, each with isolated DKIM keys and reputation. Useful for multi-brand or multi-product senders.
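
The receiver-side check behind the "Webhook events" item above, as an added example that is not NexusProMail's code or SDK. The page does not specify the signing scheme, so the header name, the use of hex HMAC-SHA256 over the raw request body, and the `event` payload field are assumptions; the sample secret and payload are constructed.

```python
import hashlib
import hmac
import json

# Assumptions (not from the provider's documentation): the signature is the
# hex HMAC-SHA256 of the raw request body, sent in a header with the
# hypothetical name below, and the payload carries an "event" field.
SIGNATURE_HEADER = "X-Webhook-Signature"  # hypothetical header name
KNOWN_EVENTS = {"delivered", "opened", "clicked",
                "bounced", "complained", "unsubscribed"}


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the body exactly as it travelled on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes):
    """Return the parsed event if the signature is valid, else None."""
    supplied = headers.get(SIGNATURE_HEADER, "").strip().lower()
    expected = sign(secret, raw_body)
    # Compare as bytes in constant time: no timing side channel, and no
    # TypeError if the header contains non-ASCII characters.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None
    # Parse only after the body has been authenticated.
    try:
        event = json.loads(raw_body)
    except ValueError:
        return None
    if not isinstance(event, dict) or event.get("event") not in KNOWN_EVENTS:
        return None
    return event


# Constructed sample input, not a captured payload.
SECRET = b"constructed-test-secret"
BODY = (b'{"event":"bounced","email":"user@example.com",'
        b'"message_id":"msg_constructed_1"}')
GOOD_HEADERS = {SIGNATURE_HEADER: sign(SECRET, BODY)}

if __name__ == "__main__":
    print(verify_webhook(SECRET, GOOD_HEADERS, BODY))
```

Verify against the raw bytes your framework received, not a re-serialized copy of the parsed JSON: whitespace or key-order changes alter the digest and the check fails.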

Full integration guide with code samples →

The Compliance Story EU Buyers Actually Ask About

EU procurement reviews for new processors tend to ask the same questions. We've published the answers up-front so legal and compliance reviewers can move through the gate without back-and-forth.

Article 28 DPA on file? Yes. Pre-signed. Available via email request.
Operating company jurisdiction? Infotech Pioneers Oy — registered in Finland, governed by Finnish law and EU regulations.
Sub-processor list published? Yes, at /subprocessors with change-notice clauses.
CLOUD Act applicability? No. The operating company is not US-incorporated and is not subject to US legal compulsion frameworks.
Schrems II analysis required? Not required for the processor relationship — there is no third-country transfer in the processing chain on the operator side.
Standard Contractual Clauses? Not applicable for the customer-NexusProMail relationship (both inside the EU). SCCs apply to sub-processors that may sit outside the EU; documented in the DPA addendum.
Data Subject Access Request (DSAR) tooling? Built into the platform. Locate, export and delete data by email address. Configurable retention windows.
Audit trail? Every send, bounce, complaint, suppression and unsubscribe is logged with timestamps. Logs available via the analytics dashboard and API.
Incident notification? Personal data breaches notified to controllers without undue delay per Article 33, with the minimum information required by the regulation.

What It Costs

Pricing is based on contact count and send volume. The free tier covers small-volume transactional workloads completely; paid plans add headroom and product features.

  • Free, €0/mo: 250 contacts · 1,000 sends · sandbox API key on signup · no credit card
  • Standard, from €12/mo: Higher volume tiers · campaign builder · multi-brand on Premium
  • Premium, from €35/mo: Multi-brand isolation · API + webhooks · domain warming · DPA
  • Enterprise, Quote: Dedicated IP · custom data residency · SLA · bank-transfer billing

Detailed transactional API pricing: see /api-pricing

Frequently asked questions

What makes an email API an "EU email API"?
There are two angles to evaluate. The first is data residency — where customer data is physically processed and stored. The second, often more important under GDPR, is the operating company's jurisdiction — which country's legal framework governs the entity that controls the platform. A genuine EU email API answers both questions in favour of the EU: data processed inside the EU, and the operating company subject to EU law rather than to extraterritorial frameworks like the US CLOUD Act. NexusProMail is operated by Infotech Pioneers Oy, a Finnish company, with EU data residency on the roadmap (eu-west-1 migration planned for Q3 2026) and processing currently governed by Finnish law in all cases.
How is this different from Mailgun's EU region or SendGrid's EU endpoint?
Mailgun and SendGrid offer regional data residency, which addresses one half of the question. The operating companies remain US-incorporated (Sinch/Mailgun, Twilio/SendGrid), so customer data remains under US legal compulsion — including the CLOUD Act and FISA Section 702 — regardless of which region a customer selects. NexusProMail removes that exposure at the company level, not just at the data-centre level. For most EU GDPR-driven compliance teams this is the distinction that matters in a Data Protection Impact Assessment.
What does the REST API actually let me do?
The API covers the full transactional and marketing email lifecycle: send a single message, send a batch, schedule a future send, manage contacts and lists, segment audiences, register webhooks for delivery events (delivered, opened, clicked, bounced, complained, unsubscribed), retrieve message metadata, and import or export suppression lists. Authentication is via Bearer API keys with separate sandbox and production keys. Webhook payloads are HMAC-signed so receivers can verify authenticity.
Is a DPA included or does it need to be negotiated separately?
Pre-signed by default. Every paid plan ships with an Article 28-compliant Data Processing Agreement that references the current sub-processor list, lists the technical and organisational measures, sets retention periods and includes a Finnish jurisdiction clause. Email support@nexuspromail.com and the signed PDF arrives within one working day. No negotiation, no legal back-and-forth.
What languages and SDKs are supported?
The REST API works with any HTTP-capable language. We publish first-party SDKs for Node.js and Python with feature parity. A Postman collection is available for ad-hoc testing. Community SDKs exist for PHP and Ruby; we treat them as best-effort. The API surface is documented at /developers and /developer-api-guide.
What's the free tier?
250 contacts and 1,000 sends per month, with a sandbox API key issued immediately on signup. No credit card required. The sandbox sends real emails to verified addresses and exercises the full API surface including webhooks. When you're ready to go live, rotate the key to production and add SPF/DKIM/DMARC for your sending domain.
Does the API enforce suppression lists?
Yes — at the API layer, before each send. If you attempt to send to an address that is suppressed (unsubscribed, hard-bounced, complained), the API returns a 422 with the reason. This prevents accidental sends to opted-out contacts even when application logic forgets to check. Suppression entries are scoped per sending account.
What about EU data residency for the actual infrastructure?
NexusProMail currently runs on AWS us-east-1. Migration to eu-west-1 (Ireland) is scheduled for Q3 2026. Processing today is governed by Finnish law (the operating company's jurisdiction) regardless of physical location, which is the GDPR-relevant question. After the eu-west-1 migration, both the operator jurisdiction and the physical data location will be inside the EU. Customers needing EU-only physical processing today should contact us before signup to discuss the Enterprise plan options.

Get a sandbox API key

Sandbox key issued on signup. 1,000 free sends per month. No credit card. DNS changes only when you cut over to production.

