Your data stays in the EU. Full stop.
API, database, logs, and backups run in the EU. Not “can be configured”: the default, for every plan, including free.
Signed at signup, not after a sales call
Every plan, including free, gets a Data Processing Agreement automatically generated and available in your dashboard the moment you verify a domain. No “contact sales for the DPA” gate.
Request a DPA copy90 days by default, configurable
Free plans keep 7 days of logs. Paid plans get 90 days by default, configurable from 7 to 365 days on Scale. Retention jobs actually delete data on schedule, not a “soft delete forever” pattern hiding in a database somewhere.
Where a message actually goes
Your app
calls the API over HTTPS
Envello API
EU region, Hetzner infrastructure: validates, enqueues
AWS SES (eu-central-1)
sends the message to the recipient's mailbox
Postgres + object storage
EU region: logs and events, 90-day retention
Nothing in this path leaves the EU unless you explicitly configure an integration (e.g. a non-EU webhook endpoint) that sends it there yourself.
| Where | What's stored there |
|---|---|
| Postgres | Account data, API keys (hashed), send/event logs, suppression list |
| Object storage | Raw MIME content for messages older than 30 days |
| AWS SES | Nothing at rest beyond what AWS needs to deliver and report the send. No long-term copy lives there on our side. |
| Application logs | Request metadata only. Recipient addresses are never written to application logs. |
Every vendor we use is EU-based and vetted for GDPR compliance
A full, current subprocessor list is available on request, and we notify active customers by email 30 days before adding or replacing one. Any subprocessor operating outside the EEA is bound by the EU Standard Contractual Clauses (SCCs) as an additional transfer safeguard, on top of their own GDPR compliance.
Request the subprocessor list