Most companies mention where they're based somewhere near the bottom of their About page. We want to talk about it directly, because for an email infrastructure company, it actually matters where you're located.
OpenMail is built in the EU. Our infrastructure runs in the EU. The data that flows through our platform stays in the EU. And every customer — whether you're an indie developer with one agent or a company running hundreds — is covered by GDPR. Not as a checkbox, but as a legal guarantee that comes with using our service.
Here's what that actually means in practice.
Your data doesn't leave Europe
When your agent sends or receives email through OpenMail, that data lives on servers inside the European Union. It doesn't transit through US data centers. It doesn't get replicated somewhere outside EU jurisdiction for “performance reasons.” It stays in Europe, subject to EU law, full stop.
This matters more than it used to. Cross-border data transfers are genuinely complicated right now — legally, contractually, and reputationally. If your product handles anything sensitive (and email almost always does), being able to tell your customers that their data never leaves the EU is a meaningful thing to be able to say.
GDPR isn't a tier feature
Some providers offer “GDPR compliance” as part of their enterprise plan. Data processing agreements locked behind a sales call. Privacy features that only unlock if you're spending enough.
We don't do that. GDPR applies to every OpenMail customer, on every plan. That means:
A Data Processing Agreement (DPA) is available to everyone.
You don't need to be on an enterprise contract to sign a DPA with us. We provide one, and it covers what you'd expect: lawful basis for processing, your rights as a data controller, our obligations as a processor, sub-processor disclosures, breach notification timelines.
You can request deletion and it actually happens.
If you close your account, your data is deleted. Not archived, not retained “for legal purposes” indefinitely — deleted. We give you a clear timeline and confirmation.
You can access everything we hold about you.
Subject access requests aren't a support ticket that disappears into a queue. We have a process for this, and it's the same process whether you're a solo developer or a larger team.
Why this is particularly important for agent infrastructure
If you're building AI agents that handle email, the data flowing through those inboxes is often sensitive by nature. Support tickets contain customer information. Sales threads reference deal terms. Ops agents process invoices. The email layer is where a lot of real business data lives.
That's not the place to cut corners on where the data sits or what legal framework governs it. Building on EU infrastructure with proper GDPR coverage isn't the most exciting part of your agent stack, but it's the part that matters when something goes wrong, when a customer asks, or when a regulator comes knocking.
We're EU-based because we believe the infrastructure that handles your data should be held to a high standard — by law, not just by policy. And we're telling you that upfront because you deserve to know.
