Schrems II favourable · Finnish operator · No CLOUD Act exposure

Schrems II Compliant Email — Outside the Third-Country Transfer Problem

Email infrastructure operated by Infotech Pioneers Oy — a Finnish company. No US CLOUD Act exposure, no FISA 702 compulsion on the operator, no SCC + TIA workflow at the processor level. Designed to clean-pass the GDPR transfer questions on EU procurement reviews.

Quick Answer

The Schrems II ruling (CJEU C-311/18, July 2020) invalidated the EU-US Privacy Shield framework and held that US surveillance laws provide insufficient protection for EU personal data transferred to US-based processors. For EU controllers using a US-based ESP, this triggers a requirement for Standard Contractual Clauses, supplementary measures and a documented Transfer Impact Assessment. NexusProMail removes this problem at the processor level by being operated by a Finnish company under EU law — there is no third-country transfer in the controller-to-processor relationship.

Key Takeaways

  • Schrems II concerns transfers from EU controllers to non-EU processors — not the data's physical location
  • A US-incorporated processor with an EU region still triggers the SCC + TIA workflow
  • An EU-operated processor (NexusProMail / Infotech Pioneers Oy) eliminates that workflow at the processor level
  • CLOUD Act and FISA Section 702 do not apply to a Finnish-operated platform
  • Sub-processor sovereignty remains a separate question; addressed via the DPA appendix

What Schrems II Actually Requires

Five practical compliance burdens that fall on the EU controller when their email processor is US-incorporated:

Standard Contractual Clauses

Article 46 SCCs must be in place between controller and processor for every third-country transfer. EU Commission Decision 2021/914 SCCs are the standard. Required even if the data physically sits in an EU region — what matters is the processor's jurisdiction.

Supplementary measures

EDPB Recommendations 01/2020 require additional safeguards on top of SCCs where the third country's surveillance regime is problematic. These include encryption with EU-held keys, pseudonymisation, and contractual commitments by the processor to push back on disclosure requests.

Transfer Impact Assessment

A documented assessment of the third country's legal framework, the processor's practices, and the residual risk after SCCs and supplementary measures. Must be reviewed periodically. Substantial paperwork for what should be a routine procurement decision.

Sub-processor cascading

Every sub-processor in the chain inherits the same obligations. If the EU controller's processor is US-incorporated and uses a US sub-processor, the cascading SCC + supplementary measures + TIA chain compounds quickly.

Ongoing monitoring

Schrems II is not a one-time exercise. The TIA must be reviewed when the legal landscape changes (EU-US Data Privacy Framework adoption, ongoing CJEU cases). Compliance posture must adapt with the law.

Data subject impact

GDPR Recital 6 emphasises that data subjects must understand whether their data leaves the EU and what protections apply. Schrems II reinforces transparency obligations. EU controllers using US processors must explain the transfer in their privacy notices.

How NexusProMail Resolves the Question

NexusProMail is operated by Infotech Pioneers Oy, a private company incorporated in Helsinki, Finland. Finnish company law, EU regulations (including GDPR) and EU procedural law govern the entity. The operating company is not subject to the US CLOUD Act, FISA Section 702, or any other extraterritorial US legal compulsion framework.

For an EU controller using NexusProMail, the controller-to-processor relationship is wholly inside the EU. The Schrems II analysis — SCCs, supplementary measures, TIA — does not apply at the controller-processor level because there is no third-country transfer.

The processor-to-sub-processor chain remains a separate question. NexusProMail uses AWS for infrastructure. AWS Europe SARL is the EU operating entity for our region; the AWS DPA includes its own onward-transfer mitigations covered by Article 46 safeguards. We disclose all sub-processors at /subprocessors and the DPA addendum enumerates the safeguards. The chain has been reviewed against EDPB Recommendations 01/2020 — encryption in transit and at rest, no plaintext access from US-based personnel, and contractual commitments by AWS Europe SARL to push back on improper disclosure requests.

The honest framing: NexusProMail is a clean win at the controller-processor level (no SCC + TIA required between you and us). The sub-processor chain involves AWS, which carries the cloud-sovereignty conversation any EU SaaS using AWS must have. We document our position fully; customers needing a non-AWS chain should contact us before signup to discuss Enterprise plan options including EU-sovereign cloud alternatives.

EU Procurement Checklist — What to Ask

If you're reviewing email processors for a Schrems II posture, the following questions cleanly separate compliant from problematic candidates. NexusProMail's answer follows each question.

  • In which country is the operating company incorporated? Finland (Infotech Pioneers Oy, Helsinki).
  • Which country's law governs the DPA? Finnish law and EU regulations.
  • Is the operator subject to US CLOUD Act compulsion? No.
  • Is the operator subject to FISA Section 702 collection? No — not a US electronic communication service provider.
  • Is the DPA pre-signed and ready to counter-sign? Yes. Request it by email to receive it within one working day.
  • Is the sub-processor list published? Yes, at /subprocessors with change-notice clauses.
  • Does the chain require Article 46 transfer safeguards? At the processor level: no (controller-processor wholly inside EU). At the sub-processor level: documented in DPA appendix where applicable.
  • Is there a documented breach-notification commitment? Yes — without undue delay per Article 33, contact channel published.
  • Is DSAR tooling built into the platform? Yes — locate, export, delete data by email address through admin UI + API.
  • Is the DPIA appendix available pre-signup? Available on request to support@nexuspromail.com.

Frequently asked questions

What is the Schrems II ruling and why does it matter for email?
In July 2020, the Court of Justice of the European Union ruled in C-311/18 (Schrems II) that the EU-US Privacy Shield framework was invalid. The court held that US surveillance laws (specifically FISA Section 702 and Executive Order 12333) provide insufficient protection for EU personal data when transferred to US-based processors. The practical implication for email: transferring EU customer data to a US-headquartered ESP requires Standard Contractual Clauses plus supplementary measures plus a documented Transfer Impact Assessment. Many EU organisations now actively prefer EU-jurisdiction processors to avoid the SCC + TIA paperwork chain entirely.
How does NexusProMail avoid the Schrems II problem?
By being operated by a Finnish company. Infotech Pioneers Oy is an EU-incorporated entity governed by Finnish law and EU regulations. There is no third-country transfer in the controller-to-processor relationship between EU customers and NexusProMail — both parties are inside the EU. The Standard Contractual Clauses regime does not apply between EU controllers and EU processors, so the SCC + supplementary measures + TIA workflow is bypassed at the processor level.
But Mailgun and SendGrid have EU regions — isn't that the same thing?
No. Regional data residency addresses where the data physically sits. Schrems II concerns which legal frameworks can compel disclosure of the data. A US-headquartered company remains subject to US surveillance laws regardless of where its data centres are located. The CLOUD Act explicitly extends US compulsion powers extraterritorially. So an EU region from a US-incorporated provider improves the physical location half of the equation but does not solve the legal-jurisdiction half.
Are there sub-processors with US exposure in your chain?
NexusProMail currently runs on AWS infrastructure (us-east-1 today, eu-west-1 migration planned for Q3 2026). AWS Europe SARL is the European operating entity for EU customers under their EU Data Processing Addendum. The DPA discloses this and lists Article 46-compliant safeguards for any onward transfer. For customers requiring EU-only physical processing today (pre-migration), this is the gap to be aware of and we discuss accommodations on the Enterprise plan.
What does my DPIA need to say about NexusProMail?
Most DPIAs for EU controllers using NexusProMail can avoid the Schrems II / third-country-transfer section entirely at the processor level — because the processor is EU-jurisdiction. The DPIA should still document: the categories of personal data processed (email addresses, contact attributes, behavioural signals), the lawful basis (typically consent or legitimate interests for B2B), retention periods, sub-processor list with onward-transfer mitigations where applicable, and the technical and organisational measures from our DPA. We provide a template DPIA appendix on request for procurement teams.
Does this matter if I'm a small SaaS team?
It depends on your buyer base. If you sell to other EU companies — particularly fintech, healthcare, govtech or enterprise — your buyers' procurement teams increasingly ask the Schrems II question about your processor chain. Being able to answer “our email is operated by a Finnish company, no SCC + TIA needed at the processor level” shortens their review cycle. If you only sell to US customers it matters less.
What about CLOUD Act exposure?
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US law enforcement to compel US-based companies to produce data regardless of where it is stored. A Finnish company is not subject to CLOUD Act compulsion. This is independent of Schrems II — Schrems II concerns transferred data; CLOUD Act concerns data accessed via compulsion of the operating company. Both vectors are eliminated when the operator is outside US jurisdiction.
What about FISA 702?
FISA Section 702 authorises US intelligence collection on non-US persons reasonably believed to be outside the US. It applies to US-based electronic communication service providers including major cloud providers. A Finnish-operated email platform is not a US electronic communication service provider for FISA purposes, removing the direct compulsion vector. Cloud-infrastructure exposure (e.g. AWS) is addressed via the safeguards documented in the DPA and is the same concern any cloud-hosted EU service faces.
How do I document this for my legal team?
Three artefacts: (1) Our published company registration evidence (Infotech Pioneers Oy, Finnish business registry); (2) Our pre-signed Article 28 DPA with the Finnish jurisdiction clause; (3) Our published sub-processor list at /subprocessors with safeguards enumerated. For specific scenarios — e.g. healthcare data, fintech KYC notifications — we work with your legal team to provide additional documentation. Email support@nexuspromail.com.
Is this "Schrems II proof" or "Schrems II favourable"?
Honest answer: Schrems II favourable, not proof. The legal landscape continues to evolve — the EU-US Data Privacy Framework was adopted in 2023 and faces ongoing legal challenge. We position NexusProMail as a Schrems-II-favourable processor because the operator is EU-jurisdiction, which eliminates the worst-case scenarios (US compulsion of the operator). Cloud-infrastructure questions remain part of the broader EU cloud-sovereignty discussion. We track this actively and update customer documentation when material changes occur.

Clean-pass your DPIA

Start with a free account, request the DPA, get your procurement team the documentation package. Sandbox API key issued immediately on signup.
