A GDPR-ready team inbox: what SMBs should check about EU hosting
June 2026 · 9 min read
A mailbox holds some of the most sensitive material a company has: customer requests, contracts, invoices, personal data. Anyone introducing a shared team inbox should therefore not treat data protection as an afterthought. This checklist helps with the selection — and with the conversation with your own data protection officer.
Why server location matters
If personal data is transferred to a third country (e.g. into a US cloud), it needs a solid legal basis — and the situation around that has been in flux for years. Even the question of whether a US provider could access data triggers documentation and assessment duties. A provider that hosts entirely in the EU avoids this risk from the outset and considerably simplifies your own compliance: less transfer impact assessment, less uncertainty, less effort.
The checklist
1. EU hosting
Where are the servers? Ideally exclusively in the EU, with no third-country transfer in normal operation.
2. Encryption at rest
Are credentials and tokens stored encrypted (e.g. AES-256-GCM)? Credentials must never sit in plaintext — and must not appear in log files either.
3. Data processing agreement (Art. 28 GDPR)
Is there a DPA? Who are the sub-processors (hosting, payment provider)? A serious provider discloses this list and signs a DPA with you — that's not a nice-to-have, it's mandatory.
4. No reading along, no logging of content
Mail content should be processed solely to deliver the service and not logged or analysed for advertising. Ask specifically what ends up in logs.
5. Data minimisation & deletion
Can mailboxes, content and accounts be cleanly separated and fully deleted?
6. Data subject rights
Are access, export and deletion practically feasible — not just promised in theory?
7. Self-hosting option
For strict compliance this is a strong argument: whoever can host the service themselves keeps full data sovereignty and does not have to trust the provider's promises, because they can verify them.
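Item 2 above asks for credentials to be encrypted at rest (for example with AES-256-GCM) and kept out of log files. The following Go program is an added illustration of what such a check is looking for; it is not code from the original article or from any product the article mentions. It assumes a 32-byte key that is held outside the database (in a KMS or secret store), a constructed sample credential, and it binds the account name into the ciphertext as additional authenticated data so that an encrypted blob copied from one account's row to another's fails to decrypt. The log-safe representation goes through a Stringer so the secret cannot be printed by accident.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Credential is a mailbox credential as held in memory (e.g. an IMAP
// password or an OAuth refresh token for a connected account).
type Credential struct {
	Account string
	Secret  string
}

// String implements fmt.Stringer, so any %v/%s formatting of a Credential
// (including log.Printf) emits the account but never the secret.
func (c Credential) String() string {
	return fmt.Sprintf("Credential{Account:%q Secret:[REDACTED]}", c.Account)
}

// LogLine is the audit-log representation of a stored credential.
// It is rendered through String(), which is the only way the secret
// stays out of log files by construction rather than by discipline.
func LogLine(c Credential) string {
	return fmt.Sprintf("stored credential for %v", c)
}

// Envelope is what is persisted: a random 96-bit nonce plus the GCM
// ciphertext, which already carries the 128-bit authentication tag.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts secret under a 32-byte AES-256 key. The account name is
// supplied as additional authenticated data (AAD): it is not encrypted,
// but the tag covers it, so the ciphertext only opens for that account.
func Seal(key []byte, account, secret string) (Envelope, error) {
	if len(key) != 32 {
		return Envelope{}, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// breaks GCM, so it is never derived from anything predictable.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(secret), []byte(account))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an envelope for the given account. Any tampering with the
// ciphertext, nonce or account binding makes the tag check fail, and the
// error deliberately says nothing more specific than that.
func Open(key []byte, account string, env Envelope) (string, error) {
	if len(key) != 32 {
		return "", errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(account))
	if err != nil {
		return "", errors.New("credential integrity check failed")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key. In a real deployment the key comes from a
	// KMS or secret store, never from the database holding the envelopes.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample credential.
	cred := Credential{Account: "alice@example.com", Secret: "hunter2"}
	env, err := Seal(key, cred.Account, cred.Secret)
	if err != nil {
		panic(err)
	}
	fmt.Println(LogLine(cred)) // secret is redacted here
	fmt.Println("nonce:      ", hex.EncodeToString(env.Nonce))
	fmt.Println("ciphertext: ", hex.EncodeToString(env.Ciphertext))
	pt, err := Open(key, cred.Account, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", pt == cred.Secret)
}
```

When reviewing a provider against this item, the questions that matter are the ones the code makes visible: where the key lives relative to the data, whether each record gets its own nonce, whether the ciphertext is bound to the record it belongs to, and whether the logging path can physically reach the plaintext secret at all.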
The special case of AI: don't undermine privacy
AI features are convenient but privacy-relevant — after all, text leaves the system. Watch two points: first, only the context actually needed should go to the AI, not the entire mailbox. Second, a model with your own key (bring-your-own-key) is more transparent: you choose the provider, know its terms and keep cost control. That keeps AI a feature you steer — not an unpredictable data leak.
Open source as a trust anchor
"Trust us" is a weak promise in data protection. If the core of a solution is open source, you can verify what actually happens with data — from encryption to how mail content is handled. That doesn't replace a contractual guarantee, but it makes it verifiable. Open core combines both: an open, auditable core plus a clear contractual basis for the hosted operation.
Quick checklist for the selection meeting
- Are all servers in the EU? Are there any third-country transfers?
- Are credentials stored encrypted at rest?
- Is there a DPA including a sub-processor list?
- Is mail content logged or analysed?
- How do export and deletion work in practice?
- Is there a self-hosting option and inspectable source code?
Conclusion
GDPR compliance doesn't come from a single checkbox but from the interplay of hosting, encryption, clear contracts and lean processing. A team inbox hosted in the EU and built on open source makes that proof far easier than an opaque cloud solution — and takes a lot of documentation work off your plate day to day.
Note: this article is general orientation and does not constitute legal advice.
A team inbox, hosted in the EU
Astreo runs in the EU, stores credentials encrypted at rest and is self-hostable any time as open core.