GDPR-friendly email platforms: who can you trust?
A deep-dive comparison of GDPR compliance for the most popular email marketing platforms. Data residency, DPA status, consent management, audit trails, and sub-processors per platform.
GDPR isn’t a buzzword — it’s the law. And for businesses using email marketing in Europe, it’s essential to know exactly where your contacts’ data resides, who has access, and which legal mechanisms protect it.
This guide gives you the full picture for the most popular email marketing platforms. Not legal advice (contact your DPO or lawyer for that), but a practical overview you can use to evaluate your current platform or choose a new one.
Why data residency matters
The central GDPR question for email marketing is: does your contacts’ personal data leave the EU?
When you import an email list into Mailchimp, names, email addresses, tags, behavioral data, and everything else are sent to servers in the US. That’s not illegal — but it requires a legal basis, and that basis has an uncertain history.
Brief history of EU-US data transfers
| Year | Mechanism | Status |
|---|---|---|
| 2000-2015 | Safe Harbor | Invalidated by EU Court of Justice (Schrems I) |
| 2016-2020 | Privacy Shield | Invalidated by EU Court of Justice (Schrems II) |
| 2023-present | EU-US Data Privacy Framework | Active, but under pressure |
The EU-US Data Privacy Framework is the third attempt. It’s legal, widely used, and most businesses operate under it. But the pattern is clear: each attempt holds for 4-7 years before being invalidated.
This doesn’t mean you should panic. It means you should make a conscious decision about your risk profile. And that you should have a migration plan.
The 5 platforms — GDPR deep-dive
Mailchimp
| Parameter | Status |
|---|---|
| Company | Intuit Inc. (USA) |
| Data residency | USA |
| EU data residency option | No |
| DPA | Yes, online |
| Legal basis for transfer | EU-US Data Privacy Framework |
| Consent management | Double opt-in, consent tracking |
| Right to erasure | Yes (manual or API) |
| Audit trail | Limited |
| Sub-processors | 20+ (primarily US-based) |
| SOC 2 | Yes |
| ISO 27001 | No |
Assessment: Mailchimp is legal to use under the current framework. But data resides in the US, sub-processors are primarily American, and there’s no option for EU hosting. The DPA is available as a click-through agreement. Consent management is basic — double opt-in works, but there’s no granular consent control (e.g., separate consents for newsletter vs. product updates).
Audit trail is limited: you can see when a contact was added and when they unsubscribed, but not a complete log of all data processing activities.
Risk: Medium-high. If the EU-US Data Privacy Framework is invalidated, you lose the legal basis for data transfer.
Brevo
| Parameter | Status |
|---|---|
| Company | Brevo SA (France) |
| Data residency | EU (France) |
| EU data residency option | Standard |
| DPA | Yes, online |
| Legal basis for transfer | Not required (EU-to-EU) |
| Consent management | Double opt-in, consent tracking, multi-list consent |
| Right to erasure | Yes (automated) |
| Audit trail | Medium |
| Sub-processors | 15+ (mix of EU and US) |
| SOC 2 | No |
| ISO 27001 | Yes |
Assessment: Brevo is a French company with data hosted in France. This eliminates the transatlantic data transfer issue entirely. A DPA is available, and GDPR compliance is strong.
One nuance: Brevo uses some US-based sub-processors (including for CDN and analytics). This means metadata could potentially cross EU borders, even though core data (contact details, email content) remains in the EU.
Consent management is better than Mailchimp’s: you can create separate consent categories and let contacts manage their preferences granularly.
Risk: Low. EU company, EU hosting. Sub-processor risk is real but manageable.
ActiveCampaign
| Parameter | Status |
|---|---|
| Company | ActiveCampaign LLC (USA) |
| Data residency | USA (standard), EU (Enterprise) |
| EU data residency option | Yes, Enterprise plan |
| DPA | Yes, online |
| Legal basis for transfer | EU-US Data Privacy Framework (standard), no transfer required (Enterprise EU) |
| Consent management | Double opt-in, consent tracking |
| Right to erasure | Yes (manual or automation) |
| Audit trail | Medium |
| Sub-processors | 25+ (primarily US-based) |
| SOC 2 | Yes |
| ISO 27001 | No |
Assessment: ActiveCampaign’s GDPR situation is split. On Standard and Plus plans (which 95% of users are on), data is hosted in the US under the Data Privacy Framework. On the Enterprise plan, you can choose EU hosting.
The problem: the Enterprise plan costs significantly more and typically requires an annual contract. For most small and medium businesses, paying enterprise pricing solely for EU hosting isn’t realistic.
Consent management is functional but not best-in-class. You can track consent via custom fields and tags, but there’s no dedicated consent center like in Brevo.
Risk: Medium (standard plans). Low (Enterprise EU). Most users are on standard plans.
MailerLite
| Parameter | Status |
|---|---|
| Company | MailerLite (Lithuania) |
| Data residency | EU (Lithuania/Germany) |
| EU data residency option | Standard |
| DPA | Yes, online |
| Legal basis for transfer | Not required (EU-to-EU) |
| Consent management | Double opt-in, GDPR fields, consent log |
| Right to erasure | Yes (automated) |
| Audit trail | Basic |
| Sub-processors | 10+ (mix of EU and US) |
| SOC 2 | No |
| ISO 27001 | No |
Assessment: MailerLite is a Lithuanian company with data hosted in the EU. They have an explicit GDPR focus and have built consent management directly into the platform’s signup forms.
MailerLite’s GDPR fields in signup forms are clever: you can add checkbox-based consent directly in the signup form and track it automatically. This makes compliance easier for non-technical users.
The sub-processor list includes some US-based services (including AWS, though AWS does offer EU regions). MailerLite is transparent about this in their DPA.
Risk: Low. EU company, EU hosting. Similar sub-processor nuance as Brevo.
Hermod
| Parameter | Status |
|---|---|
| Company | Brokk & Sindre (Denmark) |
| Data residency | EU |
| EU data residency option | Standard (only option) |
| DPA | Yes |
| Legal basis for transfer | Not required (EU-to-EU) |
| Consent management | Granular, audit log, automated |
| Right to erasure | Yes (automated + audit trail) |
| Audit trail | Complete |
| Sub-processors | Minimal (EU-focused) |
| SOC 2 | In progress |
| ISO 27001 | In progress |
Assessment: Hermod is built with GDPR as an architectural decision, not a compliance add-on. Data is hosted in the EU and never leaves Europe. Consent management is granular — you can define separate consent categories, and contacts can manage their preferences.
Audit trail is complete: every change to contact data, consent, or processing activity is logged with timestamp and actor. This makes it possible to document compliance for data protection authorities.
As a new platform, Hermod doesn’t yet have SOC 2 or ISO 27001 certifications. They’re in progress but not completed.
Risk: Low. EU company, EU hosting, GDPR-native architecture. Lacks formal certifications.
Overall GDPR comparison
| Parameter | Mailchimp | Brevo | ActiveCampaign | MailerLite | Hermod |
|---|---|---|---|---|---|
| Company country | USA | France | USA | Lithuania | Denmark |
| Data in EU | No | Yes | Enterprise | Yes | Yes |
| DPA | Yes | Yes | Yes | Yes | Yes |
| Double opt-in | Yes | Yes | Yes | Yes | Yes |
| Granular consent | Basic | Good | Medium | Good | Advanced |
| Audit trail | Limited | Medium | Medium | Basic | Complete |
| Right to erasure | Manual | Automated | Manual/auto | Automated | Automated |
| ISO 27001 | No | Yes | No | No | In progress |
| GDPR risk | Medium-high | Low | Medium | Low | Low |
What should you do in practice?
1. Check your current DPA
Have you signed a Data Processing Agreement with your email platform? If not, do it now. It’s legally required. Most platforms have a click-through DPA in their account settings.
2. Document your legal basis
If you use a US-hosted platform, you need to document that you base data transfers on the EU-US Data Privacy Framework (or Standard Contractual Clauses). Keep this documentation.
3. Assess your risk profile
Ask yourself: what happens if the EU-US Data Privacy Framework is invalidated?
- Low risk: You’re already using an EU-hosted platform (Brevo, MailerLite, Hermod). No action needed.
- Medium risk: You use Mailchimp or ActiveCampaign, have a small list, and can migrate within 3 months. Acceptable risk for most.
- High risk: You use a US-hosted platform, have a large list (50,000+), complex automations, and migration would take 6+ months. Consider migrating proactively.
4. Implement granular consent
Regardless of platform: ensure your signup forms collect explicit consent. “Yes, I want to receive newsletters” is a minimum. Better: separate consents for different communication types.
Read our guide to consent management for the full walkthrough.
5. Clean your list
GDPR requires data minimization. Contacts who haven’t interacted in 12+ months should either be re-confirmed or removed. This isn’t just good GDPR practice — it also improves your deliverability.
Sub-processors: the overlooked risk point
When you choose an email platform, you’re not just choosing that platform. You’re also choosing their sub-processors — the third parties that process data on the platform’s behalf.
Mailchimp uses 20+ sub-processors, primarily US-based: AWS, Google Cloud, Twilio, Cloudflare, etc. Each sub-processor is a potential point where data can be accessed or exposed.
Brevo and MailerLite use fewer sub-processors, and more of them are EU-based. But both use some US-based services for specific purposes (CDN, monitoring).
Hermod minimizes sub-processors and focuses on EU-based services. But as a smaller platform, they’re dependent on cloud infrastructure ultimately owned by large tech companies.
The point is: 100% EU data residency is extremely difficult in practice, as the EDPB guidelines on data transfers acknowledge. But there’s a significant difference between a platform that hosts core data in the EU with a few US-based auxiliary services, and a platform that sends everything to the US.
Consent management per platform
Consent management is about more than double opt-in. It’s about giving your contacts control over what they’ve agreed to, and documenting it.
Mailchimp: Double opt-in and unsubscribe. No granular consent management. You can use groups as a workaround, but it’s not built for consent.
Brevo: Consent tracking with multiple lists and categories. Contacts can manage preferences via a preference center. Better than Mailchimp, but requires setup.
ActiveCampaign: Consent via custom fields and tags. No dedicated consent center out-of-the-box, but can be built with automations. Functional but manual.
MailerLite: GDPR fields in signup forms with automatic consent tracking. Simple and effective for basic needs. Lacks granular preference management.
Hermod: Granular consent management with separate categories, audit log per consent change, and automated compliance. The most GDPR-native consent system in this comparison.
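To make the difference between "double opt-in plus unsubscribe" and "granular consent with an audit log" concrete, here is an added example (constructed for this article; it is not the code of Hermod or of any other platform named above) of what such a consent ledger looks like as data structures. It combines the three points the comparison keeps returning to: separate consent categories instead of one blanket flag, an append-only log of every consent change with timestamp and actor (the "complete audit trail" row), erasure that drops personal data while keeping a pseudonymous history, and the 12-month re-confirm-or-remove rule from step 5. The category names, addresses, dates, the `contact_id` hashing and the 30-day grace period are all assumptions made for the example.

```python
"""Minimal consent ledger (constructed example, not any platform's code):
per-category consent, an append-only audit log with timestamp and actor,
right-to-erasure that keeps the audit trail, and an inactivity sweep that
implements a 12-month re-confirm-or-remove policy."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Separate consent categories rather than one blanket "marketing" flag (assumed names).
CATEGORIES = ("newsletter", "product_updates")


def contact_id(email: str) -> str:
    """Pseudonymous key for audit entries: after erasure the clear-text address
    is gone, but the processing history for the same contact stays documentable."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()[:16]


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime
    actor: str               # who made the change: the contact, a staff user or a system job
    contact: str             # pseudonymous id from contact_id()
    action: str              # grant / deny / reconfirm_requested / erase
    category: Optional[str]  # consent category, or None for whole-contact actions
    source: str              # signup_form, preference_center, retention_job, ...


@dataclass
class Contact:
    email: str
    last_interaction: datetime
    consents: Dict[str, bool] = field(default_factory=dict)


class ConsentLedger:
    def __init__(self) -> None:
        self.contacts: Dict[str, Contact] = {}
        self.audit: List[AuditEntry] = []  # append-only; never edited or pruned

    def _log(self, now, actor, cid, action, category, source) -> None:
        self.audit.append(AuditEntry(now, actor, cid, action, category, source))

    def set_consent(self, email, category, granted, *, actor, source, now) -> None:
        """Record one consent decision for one category and log who made it."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown consent category: {category}")
        c = self.contacts.setdefault(email, Contact(email, now))
        c.consents[category] = granted
        c.last_interaction = now
        self._log(now, actor, contact_id(email), "grant" if granted else "deny", category, source)

    def may_send(self, email, category) -> bool:
        """Default deny: no contact or no recorded consent means no send."""
        c = self.contacts.get(email)
        return bool(c and c.consents.get(category, False))

    def erase(self, email, *, actor, source, now) -> None:
        """Right to erasure: drop the personal data, keep a pseudonymous audit entry."""
        self.contacts.pop(email, None)
        self._log(now, actor, contact_id(email), "erase", None, source)

    def history(self, email) -> List[AuditEntry]:
        cid = contact_id(email)
        return [e for e in self.audit if e.contact == cid]

    def inactivity_sweep(self, now, inactive_after=timedelta(days=365),
                         grace=timedelta(days=30)) -> Dict[str, List[str]]:
        """Data minimisation: contacts silent for 12+ months get a re-confirmation
        request; if still silent after the grace period they are erased.
        Returns what was done so the run itself can be documented."""
        result = {"reconfirm_requested": [], "erased": []}
        for email, c in list(self.contacts.items()):
            if now - c.last_interaction < inactive_after:
                continue
            pending = [e for e in self.history(email)
                       if e.action == "reconfirm_requested" and e.timestamp > c.last_interaction]
            if not pending:
                self._log(now, "retention_job", contact_id(email),
                          "reconfirm_requested", None, "retention_job")
                result["reconfirm_requested"].append(email)
            elif now - max(e.timestamp for e in pending) >= grace:
                self.erase(email, actor="retention_job", source="retention_job", now=now)
                result["erased"].append(email)
        return result


def demo() -> dict:
    """Walk two constructed contacts through signup, withdrawal, the sweep and erasure."""
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ledger = ConsentLedger()
    # Signup form with two separate checkboxes: Anna ticks newsletter only.
    ledger.set_consent("anna@example.com", "newsletter", True,
                       actor="anna@example.com", source="signup_form", now=t0)
    ledger.set_consent("anna@example.com", "product_updates", False,
                       actor="anna@example.com", source="signup_form", now=t0)
    ledger.set_consent("ben@example.com", "newsletter", True,
                       actor="ben@example.com", source="signup_form", now=t0)
    # Ben withdraws a month later through the preference center.
    ledger.set_consent("ben@example.com", "newsletter", False,
                       actor="ben@example.com", source="preference_center", now=t0 + 30 * day)
    first = ledger.inactivity_sweep(t0 + 400 * day)      # both inactive: re-confirm requested
    ledger.set_consent("anna@example.com", "newsletter", True,
                       actor="anna@example.com", source="preference_center", now=t0 + 410 * day)
    second = ledger.inactivity_sweep(t0 + 440 * day)     # Anna answered; Ben did not
    return {
        "anna_newsletter": ledger.may_send("anna@example.com", "newsletter"),
        "anna_product": ledger.may_send("anna@example.com", "product_updates"),
        "ben_after_erase": ledger.may_send("ben@example.com", "newsletter"),
        "first_sweep": first,
        "second_sweep": second,
        "ben_history_len": len(ledger.history("ben@example.com")),
        "ben_in_contacts": "ben@example.com" in ledger.contacts,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design choice worth noticing is that `erase` removes the contact record but not the audit entries: they are keyed by a hash of the address rather than the address itself, so the platform can still show a data protection authority that consent was obtained, withdrawn and the data deleted, without holding the personal data it was asked to delete. The sweep returns its own actions for the same reason; a clean-up job that leaves no record is hard to defend.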
Conclusion
GDPR compliance in email marketing isn’t binary. It’s a spectrum from “technically legal under current rules” to “GDPR-native in the architecture.”
For European businesses that want to minimize risk, EU-hosted platforms (Brevo, MailerLite, Hermod) are the safest choice. Mailchimp and ActiveCampaign are legal to use but carry a risk that depends on the future of the EU-US Data Privacy Framework.
The most important thing is to make a conscious decision. Know where your data is. Have a DPA. Document your consent. And have a plan for what you’ll do if the rules change.
Read more in our guide to GDPR and email marketing or see our comparison of the best platforms for Danish businesses.