Curated collection

Software without US sub-processors

EU and privacy-first SaaS verified to run with no US sub-processors in the data path — compared on ownership, hosting region, CLOUD Act exposure and sub-processor chain.

In short

Software listed here is verified to operate with no US sub-processors in the data path: an EU/EEA/Switzerland operator, no US parent, and no US-incorporated processor in the chain. That combination — not server location alone — is what keeps data outside US CLOUD Act reach, because jurisdiction follows ownership and processor incorporation, not where the servers sit.

Last verified June 2026 DISCLOSURE Some links on this site are affiliate links. We may earn a commission at no extra cost to you. Editorial signals and rankings are never influenced by affiliate relationships.

Software without US sub-processors, as listed on this page, means the operating company is incorporated in the EU, EEA or Switzerland, holds no US parent in its ownership chain, and routes no data through a US-incorporated processor at any point in the stack. That is a chain of three facts — operator incorporation, ultimate ownership and the full sub-processor list — and all three must hold. A product that is EU-hosted but owned by a US parent, or EU-owned but relying on a US-incorporated CDN or managed-database layer, does not clear the bar.

This hub spans all categories in the directory and is benchmarked on the same criteria used across every listing: hosting region, ownership signal, CLOUD Act exposure and the sub-processor chain. Every entry is sourced to the vendor's public sub-processor documentation and re-verified quarterly, so the list reflects current chains rather than a one-time assessment.

Why it matters

The CLOUD Act extends US government reach to data held by any company subject to US jurisdiction, regardless of where the servers physically sit. This is the mechanism that makes a US hyperscaler's "EU region" an incomplete answer to the sovereignty question: the operator's jurisdiction does not change when the data moves to a Frankfurt data centre. The same logic applies one level down. A vendor that is itself EU-incorporated can still re-introduce exposure through its sub-processors — a US-incorporated transactional email service, an analytics layer hosted on a US cloud, or a managed database run by a US subsidiary. Each of those processors is separately reachable under the CLOUD Act.

This is why the directory records ownership and sub-processors as separate, evidenced signals rather than deriving one from the other. A clean ownership chain with a single overlooked US processor is still an exposure. Both must be clear for the "no US sub-processors" flag to apply, and that combination is what this hub surfaces across every product category.

Showing all 68 alternatives in this category updating

		Cert.	Pricing	Signals	Open
Tuta Hannover-based end-to-end encrypted mail (formerly Tutanota); post-quantum crypto, own DE data centre, ISO 27001.	HANNOVER · DE Germany	ISO/IEC 27001	Freemium €3 /mo	E2E Public DPA Sub-processors Open source	→
kDrive (Infomaniak) Swiss kDrive cloud (Infomaniak, Geneva, since 1994), own Swiss DCs, ISO 27001 + B Corp 2025, district-heating heat recycling.	GENEVA · CH Switzerland	ISO/IEC 27001	Paid €4 /mo	Public DPA Sub-processors Open source	→
Mailbox.org Berlin-based private email + drive + meet + office bundle (Heinlein Support GmbH); ISO 27001 + BSI C5, €1/mo entry.	BERLIN · DE Germany	ISO/IEC 27001 C5	Paid €1 /mo	E2E Public DPA Sub-processors Open source	→
Sylius Polish open-source Symfony e-commerce framework (MIT); commercial Plus modules from €800/yr GMV-based.	— Poland	—	Freemium	Public DPA Sub-processors Open source	→
MyCashflow Finnish all-in-one e-commerce SaaS with own Helsinki hosting and 0% commission across plans.	HELSINKI · FI Finland	—	Paid €49 /mo	Public DPA Sub-processors Open source	→
Posteo Berlin one-person-shop privacy email at €1/mo (Posteo e.K., since 2009); anonymous signup, BSI TR-03108 certified.	BERLIN · DE Germany	—	Paid €1 /mo	E2E Public DPA Sub-processors Open source	→
Mailfence Belgian secure email + calendar + docs (ContactOffice, est. 1999); browser-side PGP, donates 15% to EFF + EDRi.	BRUSSELS · BE Belgium	—	Freemium €3 /mo	E2E Public DPA Sub-processors Open source	→
Nextcloud German open-source content-collaboration platform (Nextcloud GmbH, Stuttgart, 2016); fully self-hostable + managed Nextcloud One hosted in DE.	STUTTGART · DE Germany	—	Freemium €6 /mo	Public DPA Sub-processors Open source	→
Infomaniak Mail (kSuite) Swiss email + groupware (Infomaniak Group SA, Geneva, since 1994), own Swiss DCs, ISO 27001 + B Corp 2025, free tier with @ik.me address.	GENEVA · CH Switzerland	ISO/IEC 27001 ISO9001 +2 more	Freemium €6 /mo	E2E Public DPA Sub-processors Open source	→
luckycloud Berlin-based German zero-knowledge cloud (luckycloud GmbH, 2015), own DCs in Berlin/Nuremberg/Frankfurt, ISO 27001 BSI.	BERLIN · DE Germany	ISO/IEC 27001	Paid	Public DPA Sub-processors Open source	→
Filen German zero-knowledge E2E cloud (Filen Cloud Dienste UG, Recklinghausen, 2021), Tier IV ISO 27001 DCs, no US data, open source apps.	DE Germany	—	Freemium €2 /mo	Public DPA Sub-processors Open source	→
Kolab Now Swiss open-source Kolab groupware SaaS (Apheleia IT AG, Bern; Kolab Systems since 2010, Kolab Now since 2013), board incl. FSF Europe founder Georg Greve.	CH Switzerland	—	Paid €5 /mo	E2E Public DPA Sub-processors Open source	→
Koofr Slovenian cloud storage (Koofr d.o.o., est. 2013), German ISO 27001 data centres, optional client-side encryption via Koofr Vault, 10 GB free.	DE Germany	—	Freemium €1 /mo	Public DPA Sub-processors Open source	→
Mailo French family-owned email since 1998 (Mail Object; founders Voyat & Lenoir, reacquired from Lagardère 2007), French-hosted, Free tier €0 + Premium from €1/mo.	FR France	—	Freemium €1 /mo	E2E Public DPA Sub-processors Open source	→
Runbox Norwegian private email since 1999 (Runbox Solutions AS), own NO data centre, 100% renewable hydro, PGP + 2FA + PFS, double carbon-negative.	NO Norway	—	Paid €2 /mo	E2E Public DPA Sub-processors Open source	→
STRATO HiDrive German cloud storage (STRATO GmbH, United Internet/IONOS group), two German data centres, ISO 27001 + Trusted Cloud, optional zero-knowledge E2E.	DE Germany	ISO/IEC 27001	Paid €6 /mo	Public DPA Sub-processors Open source	→
Soverin Independent Dutch paid email (from €3.25/mo); ISO 27001 + NIS2 Ready, all data in Netherlands, full IMAP/SMTP/CalDAV/CardDAV compatibility.	NL Netherlands	ISO/IEC 27001	Paid €3 /mo	E2E Public DPA Sub-processors Open source	→
LeitzCloud (vBoxxCloud) Dutch vBoxx-operated Leitz-branded business cloud, German DCs shared with ITZBund, ISO 27001 + ISO 9001 + ISAE 3402.	DE Germany	ISO/IEC 27001	Paid	Public DPA Sub-processors Open source	→
Jottacloud Norwegian cloud storage & backup (Jotta Group AS, est. 2008), 100% Norway-hosted on renewable power, server-side AES-256, public DPA, no CLOUD Act reach.	NO Norway	—	Freemium €7 /mo	Public DPA Sub-processors Open source	→
AirVPN Italian hacktivist-founded VPN (Perugia, 2010), no-logs, port forwarding — but no longer serves Italian residents (Piracy Shield).	— Italy	—	Paid €7 /mo	Public DPA Sub-processors Open source	→
Anytype Berlin-based local-first peer-to-peer E2E-encrypted knowledge OS (Anytype, 2019); Any Source Available License; data lives on user device.	BERLIN Germany	—	Freemium	Public DPA Sub-processors Open source	→
Aruba Cloud Italian sovereign cloud (Aruba S.p.A.), 4 Italian DCs (Arezzo/Bergamo/Rome), ACN-qualified up to AI3/QC3 for public administration.	AREZZO · IT Italy	ISO/IEC 27001 ISO/IEC 27017 +1 more	Paid €1 /mo	Public DPA Sub-processors Open source	→
BookStack UK solo-dev MIT-licensed self-hosted wiki + documentation platform (Dan Brown, 2015); no SaaS, no vendor counterparty risk.	— United Kingdom	—	Free €0 /mo	Public DPA Sub-processors Open source	→
centralstationCRM Cologne-based German SMB CRM (42he GmbH), all-German hosting on Hetzner + Core-Backbone + Telekom, free tier for 3 users.	DE Germany	—	Freemium €24 /mo	Public DPA Sub-processors Open source	→

How to choose

Start by narrowing to your category using the filters above — the "no US sub-processors" bar applies equally to password managers, cloud storage, email and analytics, but the sub-processor risk varies by product type. For each shortlisted product, open the profile and read the sub-processor chain against your own transfer-impact assessment: the layers where US processors most often re-enter an otherwise clean stack are transactional email, CDN and DNS, product analytics, and managed databases.

For regulated buyers — financial services, healthcare, public sector — any US-incorporated processor is typically a veto regardless of contractual safeguards, because the CLOUD Act operates independently of contractual terms. For solo founders and small teams, the binding constraint is more often price and developer experience; look for EU-owned products with a short, verifiable sub-processor list rather than spending disproportionate effort on formal transfer-impact assessments. For enterprise procurement, combine this hub with the certification filters (BSI C5, SecNumCloud, EUCS) to build a shortlist that satisfies both the jurisdictional and the security-audit requirements. Use the sort and filter controls on the listing above to match by category, hosting country or compliance score.

FAQ

Frequently asked questions

What does 'without US sub-processors' mean here?

It means the operating company is EU/EEA/Swiss, has no US parent, and uses no US-incorporated sub-processor in the data path — the directory's 'CLOUD Act exposure: none' bar. We record the ownership and sub-processor chain on every listing, so the flag is evidence-based rather than a self-applied label.

Why do US sub-processors matter even with EU hosting?

Under the US CLOUD Act, data held by a company subject to US jurisdiction can be compelled regardless of where the servers sit. A US-incorporated CDN, email relay or managed-database layer re-introduces that exposure even when the primary host is in the EU. Server location changes where data rests; ownership and processor incorporation determine legal reach.

How is this different from a category page?

A category page lists every product in that category. This hub spans all categories but keeps only the products that clear the 'no US sub-processors' bar, with the editorial and CLOUD Act framing a sovereignty-driven buyer needs. Use the filters to narrow by category, country or certification.

Does 'no US sub-processors' guarantee GDPR compliance?

No. It removes one major transfer risk, but GDPR compliance still depends on the DPA, the legal basis, security measures and your own processing. Treat the flag as a strong jurisdictional signal, then confirm the DPA and current sub-processor list directly with the vendor before contracting.

How often is this re-verified?

Quarterly. Sub-processor chains change as vendors add tooling, so a product can move in or out of this list between audits. Each listing carries its last-verified date.

Methodology

How we verified every listing here.

For each product we read the public DPA, sub-processors document, hosting region declaration, certifications, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.

Read methodology →