2026-05-21·5 min read·sota.io Team

Proofpoint EU Alternative 2026: CLOUD Act 18/25 and Your Email Security Data

Post #1 in the sota.io EU Email Security Series


Email is the number one attack vector — over 90% of cyberattacks begin with a phishing or spear-phishing email. Every EU organisation running Microsoft 365, Google Workspace, or on-premises Exchange has therefore wired an email security gateway between the internet and their inboxes. For enterprise deployments, that gateway is very often Proofpoint.

What most procurement teams do not assess is what happens to their data inside that gateway. Proofpoint Inc. is a Delaware corporation headquartered in Sunnyvale, California. Since August 2021 it has been privately held by KKR & Co. — Kohlberg Kravis Roberts, a New York-based private equity firm that executed the largest PE cybersecurity buyout in history at $12.3 billion. Every email your employees send and receive, every attachment opened, every phishing simulation click — all of it passes through infrastructure operated by a US company subject to the CLOUD Act.

This post covers Proofpoint's legal exposure, five concrete GDPR risks, and the EU-native alternatives that provide equivalent or stronger protection without the jurisdictional overhang.


What Is Proofpoint?

Proofpoint offers a suite of enterprise cybersecurity products centred on email and human risk:

Proofpoint competes directly with Mimecast, Microsoft Defender for Office 365, Cisco Secure Email (IronPort), and Barracuda Networks. It holds significant market share in FTSE 100 and DAX-listed enterprises, financial services, and healthcare.


CLOUD Act Score: 18 / 25

The sota.io CLOUD Act scoring model evaluates 25 risk indicators across five categories: corporate structure, data location, government relationships, cross-service data flows, and contractual protections.

Category | Score | Reason
--- | --- | ---
Corporate structure | 5/5 | Delaware corporation, US HQ (Sunnyvale CA), KKR NY PE ownership, no independent EU legal entity holding data
Data location | 4/5 | Email processing infrastructure in US, TAP sandboxing in US cloud, EU server options available but control plane is US-operated
Government relationships | 4/5 | FedRAMP High authorised, US DoD IL2/IL4 cleared, CISA/JCDC partner, active US federal contracts
Cross-service data flows | 3/5 | Deep integrations with Microsoft 365, Google Workspace, Slack, Salesforce, ServiceNow — each adds a data-flow leg
Contractual protections | 2/5 | Standard Contractual Clauses available but CLOUD Act overrides SCCs; KKR private ownership reduces public accountability
Total | 18/25 | High CLOUD Act exposure

18/25 interpretation: A US government warrant to Proofpoint under 18 U.S.C. §2713 (the CLOUD Act) can compel production of email content, metadata, attachment hashes, URL clicks, sandbox detonation results, and employee behaviour data stored on Proofpoint's infrastructure — regardless of where your EU offices are located, regardless of your DPA with Proofpoint, and regardless of GDPR.

For comparison: Hornetsecurity (Hannover, Germany) scores 0/25 — German GmbH, no US parent, no US government relationships, fully EU-operated.


5 GDPR Risks You're Accepting With Proofpoint

Risk 1: Email Content Under US Jurisdiction (GDPR Art. 44)

Every email your employees send and receive passes through Proofpoint's SEG for inspection. Email content routinely includes personal data: names, addresses, health information, financial details, salary negotiations, HR correspondence, and legal advice. Under GDPR Art. 44, transferring this data to a third country without adequate protection is prohibited.

Proofpoint offers Standard Contractual Clauses and claims EU data residency options. However, the CLOUD Act problem is not about where data is stored — it is about who controls the infrastructure. As a US company, Proofpoint is obligated by 18 U.S.C. §2713 to comply with a US court order regardless of the physical location of the servers. The European Court of Justice ruled in Schrems II (C-311/18, July 2020) that SCCs do not resolve this problem when the data importer is subject to US surveillance law.

Practical consequence: If the US DOJ or FBI obtains a warrant targeting your organisation's email communications via Proofpoint, Proofpoint must comply. Your employees' personal correspondence — and your business-confidential communications — are accessible to US authorities without GDPR Art. 48 mutual legal assistance procedures.

Risk 2: KKR Private Equity Ownership — Reduced Accountability (GDPR Art. 5(2))

When KKR took Proofpoint private in August 2021 for $12.3 billion, Proofpoint stopped filing public financial disclosures with the SEC. The accountability gap under GDPR Art. 5(2) (accountability principle) is real: public companies face shareholder scrutiny and quarterly transparency. Private equity-owned companies face LP investor expectations, which are contractually confidential.

KKR itself is a Delaware LP with investors including US pension funds, sovereign wealth funds, and insurance companies. The ownership chain creates multiple layers of US entity involvement. There is no public mechanism to verify Proofpoint's data handling practices have not changed post-acquisition — you are dependent on contractual assertions that cannot be independently audited.

Additionally, KKR's track record includes multiple portfolio company data breaches and security incidents. Private equity cost optimization often targets security and compliance staffing first.

Risk 3: Nexus Threat Intelligence — Your Attack Surface Under US Control (GDPR Art. 9)

Proofpoint's Nexus platform aggregates threat intelligence across its global customer base. When Proofpoint detects a novel phishing campaign targeting your organisation, that attack pattern, the targeted employees, the domains queried, and the attack methodology are incorporated into Nexus threat intelligence — shared across all Proofpoint customers, operated under US jurisdiction.

This creates a specific GDPR Art. 9 problem if your organisation is in healthcare, legal services, or any sector where the identity of who is being targeted reveals special category data. A targeted attack against your oncology department reveals which employees handle cancer patient data. A phishing campaign against your legal team reveals your active litigation. This metadata flows into a US-controlled intelligence platform without explicit consent or a lawful basis beyond Proofpoint's legitimate interest claim.

Under NIS2 Art. 21(2)(g), essential and important entities must implement "vulnerability handling" processes. If your vulnerability intelligence is itself held under US jurisdiction, you have a supply-chain sovereignty problem at the core of your NIS2 compliance posture.

Risk 4: Security Awareness Training — Employee Behaviour Data (GDPR Art. 88)

Proofpoint's People Risk Intelligence and Security Awareness Training products collect detailed employee behaviour data:

This is personal data about employees under GDPR Art. 88, which requires specific protections for employment-context personal data. Many EU member states have additional employee monitoring legislation (Germany's BetrVG, France's Code du travail, Dutch WOR). Storing employee risk scores and behavioural click data on US-controlled Proofpoint infrastructure creates a cross-border transfer problem for HR-adjacent data that is substantially harder to justify than generic threat metadata.

Works councils and employee representatives in German, Dutch, and French companies have successfully challenged employer use of US-based HR analytics platforms. Proofpoint SAT data may require works council approval (Betriebsrat Mitbestimmung §87 BetrVG) that companies have not obtained.

Risk 5: Triple Jurisdiction via Integration Chain (GDPR Art. 44 + Recital 104)

Proofpoint integrates deeply with:

Each integration creates an additional data-flow leg. A CLOUD Act warrant served on Proofpoint can compel not only Proofpoint's stored data but also data accessible through authenticated Proofpoint API connections to Microsoft 365 and Google Workspace at the time of the warrant.

GDPR Recital 104 specifically addresses "transfer in the context of the provision of services by a cloud service provider" and requires that all processors in the chain provide equivalent protection. When every element of your security stack — email gateway, inbox provider, CRM, ticketing — is under US jurisdiction, the GDPR Art. 44 assessment must consider the cumulative transfer chain, not each service in isolation.


EU-Native Alternatives

Hornetsecurity — German Email Security (0/25 CLOUD Act)

Company: Hornetsecurity GmbH, Hannover, Germany. Founded 2007. Private, no US parent. BSI-recognised. Backed by PSG Equity, a US private equity firm (see the ownership note below), but operationally a German GmbH.

Note: As of 2022, Hornetsecurity received investment from PSG Equity (US PE). Verify current ownership structure in your DPA assessment. Even with US PE involvement, operational control and data processing may remain EU-based — but review the data processing agreement carefully.

Products:

Pricing: From approximately €1.40/user/month (365 Business Security), scaling to €5-8/user/month for full 365 Total Protection Enterprise suite.

Best for: Microsoft 365-heavy organisations, German-speaking markets, regulated industries requiring BSI-acknowledged security controls.

NoSpamProxy — German Secure Email Gateway (0/25 CLOUD Act)

Company: Net at Work GmbH, Paderborn, Germany. Founded 1994. Wholly German-owned.

Products:

Differentiator: Available as both SaaS and on-premises. For organisations that cannot accept any cloud dependency for email security, NoSpamProxy Gateway running on EU-based infrastructure (Hetzner, OVH, Ionos) achieves full data sovereignty.

Pricing: NoSpamProxy Cloud from approximately €2/user/month. On-premises perpetual licensing also available.

Best for: Financial services, legal firms, healthcare organisations requiring on-premises option. German privacy-first deployments.

SEPPmail — Swiss Email Encryption Gateway (0/25 CLOUD Act)

Company: SEPPmail AG, Münsingen, Switzerland. Founded 2002. Swiss-owned.

Products:

Differentiator: Switzerland operates under the nFADP (new Federal Act on Data Protection), providing strong privacy guarantees. Switzerland-US data transfers require separate adequacy assessment, but Swiss companies are not subject to the US CLOUD Act.

Best for: Banking, insurance, legal, and government organisations requiring strong encryption-first email security. Swiss nFADP compliance.

Self-Hosted EU Stack: Rspamd + ClamAV + Postfix (0/25 CLOUD Act)

For organisations with in-house infrastructure capability, a self-hosted email security stack on EU VPS provides complete data sovereignty:

Components:

Infrastructure: Hetzner (CX21, €5.83/mo) or OVH VPS (VPS Value, €3.99/mo) — both 100% EU, 0/25 CLOUD Act

Total cost for 100 users: ~€15-30/month infrastructure + staff time for maintenance

Limitations: No advanced sandboxing, no threat intelligence sharing, requires security expertise. Not suitable for organisations without dedicated security staff.

Retarus — Enterprise European Email Infrastructure (low CLOUD Act)

Company: Retarus SE, München, Germany. Founded 1992. European company.

Products: Enterprise Messaging Platform, Email Security, Transactional Email, Fax Services

Note: Retarus is primarily known for enterprise transactional messaging and fax-to-email. Their email security positioning is less mature than Proofpoint or Hornetsecurity for inbound threat protection. Verify current product capabilities before procurement.


Comparison Table

Provider | CLOUD Act | HQ | Sandboxing | SAT | Archive | Deployment
--- | --- | --- | --- | --- | --- | ---
Proofpoint | 18/25 | Sunnyvale CA, US | ✅ TAP | ✅ Full | | Cloud only
Hornetsecurity | 0/25 | Hannover, DE | ✅ ATP | | | Cloud
NoSpamProxy | 0/25 | Paderborn, DE | ⚠️ Limited | | | Cloud + On-prem
SEPPmail | 0/25 | Münsingen, CH | | | | Cloud + On-prem
Self-hosted stack | 0/25 | Your EU VPS | | | | On-prem

Legend: ✅ = available, ⚠️ = limited/partial, ❌ = not available


Migration Guide: Proofpoint → EU-Native Stack

Phase 1 — Legal Exposure Audit (Weeks 1–2)

Before touching any technical configuration, document your current legal exposure:

  1. Audit your current Proofpoint DPA. Identify which Standard Contractual Clauses are in place, whether they use 2021 EU SCCs (new modular format) or legacy 2010 SCCs, and whether a Transfer Impact Assessment (TIA) was conducted under Schrems II requirements.
  2. Data mapping. Enumerate what categories of data flow through Proofpoint: email body content, attachment content, URL clicks, employee names/email addresses, recipient lists, subject lines, behaviour data from SAT.
  3. Regulator risk assessment. If you are in a NIS2 "essential entity" sector (energy, finance, health, transport, digital infrastructure), document this email security gap in your NIS2 Art. 21 risk register.

Phase 2 — Parallel Running (Weeks 3–6)

Deploy your chosen EU alternative in shadow mode:

  1. For Hornetsecurity or NoSpamProxy Cloud: Add the new gateway as a secondary MX record with lower priority. Route 5% of traffic through it for two weeks to validate spam/phishing detection rates. (Receivers only fall back to a lower-priority MX when the primary is unreachable, so a deterministic 5% share needs equal-preference MX records or routing rules at the existing gateway.)
  2. Configure SPF, DKIM, DMARC on the new gateway. Verify DMARC reports show correct alignment before switching primary MX.
  3. Shadow-run SAT replacement if applicable. Start phishing simulations via Hornetsecurity Security Awareness Service in parallel with Proofpoint simulations to compare detection/click rates.
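The alignment check in step 2 is usually done by reading the DMARC aggregate (RUA) reports that receivers send back during the parallel-running window. The script below is an added example, not code from sota.io, Hornetsecurity, NoSpamProxy or Proofpoint: it parses a report in the RFC 7489 XML format and asks whether every message the receiver saw from the new gateway's egress addresses passed DMARC (DKIM- or SPF-aligned). The domain example.eu, the gateway range 203.0.113.0/28 and the embedded report are constructed sample values.

```python
"""Pre-cutover DMARC alignment check for a new mail gateway (added example).

Parses one DMARC aggregate (RUA) report and decides whether the new gateway's
egress IPs are ready to become the primary MX: every message they relayed must
pass at least one aligned mechanism (DKIM or SPF). All values are constructed.
"""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample report: one aligned source (the new gateway), one gateway
# IP whose mail was neither DKIM-signed nor covered by SPF, and one unknown
# sender using the domain in the header From.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-001</report_id>
    <date_range><begin>1716249600</begin><end>1716336000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.eu</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.eu</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.11</source_ip><count>8</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.eu</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.eu</header_from></identifiers>
  </record>
</feedback>
"""

# Assumed egress range of the new EU gateway (hypothetical value; take the
# real range from the vendor's documentation).
GATEWAY_NETS = [ip_network("203.0.113.0/28")]


def parse_rua(xml_text):
    """Return (domain, records); each record is
    (source_ip, count, dkim_aligned, spf_aligned) taken from <policy_evaluated>,
    which already reflects the receiver's alignment evaluation."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    records = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        records.append((
            row.findtext("source_ip"),
            int(row.findtext("count")),
            pe.findtext("dkim") == "pass",
            pe.findtext("spf") == "pass",
        ))
    return domain, records


def check_cutover(xml_text, gateway_nets=GATEWAY_NETS):
    """Summarise alignment per source and decide whether the gateway is ready."""
    domain, records = parse_rua(xml_text)
    summary = {"domain": domain, "gateway_total": 0, "gateway_aligned": 0,
               "gateway_failures": [], "other_unaligned": []}
    for ip, count, dkim_ok, spf_ok in records:
        aligned = dkim_ok or spf_ok
        from_gateway = any(ip_address(ip) in net for net in gateway_nets)
        if from_gateway:
            summary["gateway_total"] += count
            if aligned:
                summary["gateway_aligned"] += count
            else:
                summary["gateway_failures"].append((ip, count))
        elif not aligned:
            # Not the gateway: a forwarder, a forgotten app server, or abuse of
            # the domain; worth a look but not a blocker for the MX change.
            summary["other_unaligned"].append((ip, count))
    summary["ready_for_cutover"] = (summary["gateway_total"] > 0
                                    and not summary["gateway_failures"])
    return summary


if __name__ == "__main__":
    result = check_cutover(SAMPLE_RUA)
    print(f"{result['domain']}: {result['gateway_aligned']}/{result['gateway_total']} "
          "gateway messages aligned")
    for ip, n in result["gateway_failures"]:
        print(f"  fix before cutover: {n} unaligned messages from gateway IP {ip}")
    for ip, n in result["other_unaligned"]:
        print(f"  investigate: {n} unaligned messages from non-gateway IP {ip}")
    print("ready for cutover:", result["ready_for_cutover"])
```

Run it against each RUA report received during the two-week window; a gateway IP in `gateway_failures` typically means outbound mail left the new gateway without a DKIM signature for the domain or before the SPF record included the gateway, and either condition should be fixed before the primary MX moves.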

Phase 3 — Cutover (Week 7)

  1. Update MX records to route all inbound mail through the EU gateway. Lower the MX TTL to 300s ahead of the change; allow 24–48 hours for the old TTL to expire from resolver caches before relying on the new records.
  2. Maintain Proofpoint in receive-only mode for 2 weeks as a safety net. Update MX priority so Proofpoint is secondary.
  3. Update Microsoft 365 / Google Workspace connector IP allowlists to include the new gateway's egress IPs.
  4. Test outbound DLP rules if using email DLP — verify that your EU replacement's DLP policy covers the same categories.

Phase 4 — Decommission and Document (Week 10)

  1. Remove Proofpoint from MX records and revoke API integrations from Microsoft 365 / Google Workspace.
  2. Update your GDPR Records of Processing Activities (RoPA) under Art. 30 to reflect the new processor. Remove Proofpoint from your third-party processor list.
  3. Issue updated DPA with the new EU provider.
  4. Update NIS2 incident response procedures — notify your CSIRT/competent authority contact that your email security provider has changed.

NIS2 Art. 21 Decision Framework

For organisations subject to the NIS2 Directive ((EU) 2022/2555), the email security choice intersects directly with mandatory security measures:

NIS2 Requirement | Proofpoint (US) | EU Alternative
--- | --- | ---
Art. 21(2)(a) Risk analysis | ✅ TAP risk scoring | ✅ EU-equivalent
Art. 21(2)(b) Incident handling | ✅ Full incident workflows | ✅ EU-equivalent
Art. 21(2)(e) Supply chain security | ⚠️ US supply chain risk | ✅ EU supply chain
Art. 21(2)(h) Human resources security | ⚠️ SAT data under US law | ✅ EU data sovereignty
Art. 21(3) Management accountability | ⚠️ KKR private — limited audit rights | ✅ EU-auditable
GDPR Art. 44 transfer safeguards | ⚠️ SCCs + CLOUD Act gap | ✅ No third-country transfer

For NIS2 Essential Entities: The European Network and Information Security Agency (ENISA) guidance on supply chain security explicitly highlights ICT service provider jurisdiction as a risk factor. An email security gateway operating under CLOUD Act exposure is a documented supply chain risk under NIS2 Art. 21(2)(e) that should appear in your management-approved risk register.

For DORA-regulated Financial Entities: The Digital Operational Resilience Act (EU 2022/2554) requires ICT third-party risk management with enhanced contractual requirements for critical ICT providers. If Proofpoint is designated as a critical ICT provider in your DORA register, the lack of audit rights (KKR private), the CLOUD Act exposure, and the absence of an independent EU legal entity create material DORA compliance gaps.


Three Decision Scenarios

Scenario A — Large Enterprise (10,000+ employees, NIS2 Essential)

Recommendation: Hornetsecurity 365 Total Protection Enterprise

You need sandboxing, SAT, archiving, and enterprise integrations. Hornetsecurity matches Proofpoint feature-for-feature in the Microsoft 365 context with zero CLOUD Act exposure. Procurement timeline: 6–8 weeks with proper parallel running and DPA documentation. Expect 20–30% cost reduction versus enterprise Proofpoint licensing.

Scenario B — Mid-Market (500–5,000 employees, NIS2 Important)

Recommendation: NoSpamProxy Cloud + SEPPmail for encryption

NoSpamProxy provides a clean SEG with compliance archiving. SEPPmail adds S/MIME encryption for sensitive communications. The on-premises option for NoSpamProxy Gateway is valuable if your risk register requires zero cloud dependency for email security. Total cost: €3–5/user/month.

Scenario C — Tech-Forward SMB (under 500 employees, security-conscious)

Recommendation: Self-hosted Rspamd + ClamAV + Postfix on Hetzner

If you have in-house Linux and networking expertise, a self-hosted stack at €15–30/month for 100 users delivers the lowest CLOUD Act score possible (0/25). No vendor lock-in, full log access, customisable filtering rules. Trade-off: no commercial threat intelligence feed, no sandboxing of novel malware.


What sota.io Adds

If you are migrating your email security infrastructure as part of a broader EU-sovereignty initiative — moving your entire development and deployment stack to EU-controlled infrastructure — you face the same jurisdictional question for every service layer.

sota.io is an EU-native managed PaaS built on Hetzner Germany: no US parent company, no CLOUD Act exposure, no forced data residency workarounds. Git-push deployments for any language or framework, PostgreSQL 17 included, from €9/month. The same reasoning that makes Hornetsecurity a better choice than Proofpoint for email security applies to your deployment infrastructure.


Summary

Proofpoint is an effective email security platform. It is also an 18/25 CLOUD Act risk for EU organisations processing personal data in email — which is every EU organisation. The KKR private equity acquisition reduces public accountability. The Nexus threat intelligence platform aggregates your organisational attack surface under US jurisdiction. The SAT platform stores employee behaviour data on US-controlled infrastructure.

EU-native alternatives at 0/25 CLOUD Act score — Hornetsecurity, NoSpamProxy, SEPPmail — now match Proofpoint's feature set for all but the most advanced enterprise threat sandboxing use cases. The migration investment is 6–10 weeks. The compliance improvement under GDPR Art. 44, NIS2 Art. 21(2)(e), and DORA ICT third-party risk is permanent.


Next in the EU Email Security Series: Mimecast EU Alternative 2026 — Permira PE acquisition, Lexington MA, and the threat data aggregation problem.

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.