210 domains tracked
Report Published 2026-05-11
⚑ Sovereignty Finding
68 / 68 — Every scanned EU institution
routes email through a US company
68 EU bodies use Proofpoint Inc. (Sunnyvale, California) as their primary email security provider — including the EU Data Protection Board and EU Data Protection Supervisor, the bodies responsible for GDPR enforcement.
What is Proofpoint?

Proofpoint Inc. is a US-based cybersecurity company headquartered in Sunnyvale, California, providing email security, anti-phishing, and mail routing services. When an organisation uses Proofpoint, all inbound and outbound email is routed through Proofpoint's infrastructure before reaching the recipient. Proofpoint has full access to email content and metadata for every message processed. Proofpoint was acquired by Thoma Bravo (a US private equity firm) in 2021 and operates as a private company incorporated under US law.

What the US CLOUD Act means

The US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 requires US companies to disclose data stored or processed on their infrastructure to US government agencies upon valid legal demand — regardless of where the data physically resides. Because Proofpoint is a US company, all email routed through its systems is subject to this authority. EU institutions using Proofpoint have no contractual mechanism to prevent access under the CLOUD Act. This is an infrastructure observation, not a legal determination.

All 68 affected domains Email provider: Proofpoint Inc.
Domain / Organisation
Email provider
Hosting
D
acer.europa.eu
ACER — Energy Regulators
Proofpoint
EU
F
amla.europa.eu
AMLA — Anti-Money Laundering
Proofpoint
Non-EU
C
appf.europa.eu
Authority European Political Parties
Proofpoint
EU
D
berec.europa.eu
BEREC — Electronic Communications
Proofpoint
EU
C
cepol.europa.eu
CEPOL — Law Enforcement Training
Proofpoint
EU
F
cert.europa.eu
CERT-EU Cybersecurity
Proofpoint
Non-EU
F
cinea.ec.europa.eu
CINEA — Climate & Energy
Proofpoint
Non-EU
F
cpvo.europa.eu
CPVO — Plant Variety Office
Proofpoint
Non-EU
D
cedefop.europa.eu
Cedefop — Vocational Training
Proofpoint
EU
F
chips-ju.europa.eu
Chips Joint Undertaking
Proofpoint
Non-EU
F
cbe.europa.eu
Circular Bio-based Europe JU
Proofpoint
Non-EU
F
clean-hydrogen.europa.eu
Clean Hydrogen JU
Proofpoint
Non-EU
F
cor.europa.eu
Committee of the Regions
Proofpoint
Non-EU
F
consilium.europa.eu
Council of the EU
Proofpoint
Non-EU
F
curia.europa.eu
Court of Justice EU
Proofpoint
Non-EU
C
eacea.ec.europa.eu
EACEA — Education & Culture
Proofpoint
EU
C
easa.europa.eu
EASA — Aviation Safety
Proofpoint
EU
F
ecdc.europa.eu
ECDC — Disease Prevention
Proofpoint
Non-EU
F
echa.europa.eu
ECHA — Chemicals Agency
Proofpoint
Non-EU
F
eda.europa.eu
EDA — Defence Agency
Proofpoint
Non-EU
F
efsa.europa.eu
EFSA — Food Safety
Proofpoint
Non-EU
F
eige.europa.eu
EIGE — Gender Equality
Proofpoint
Unknown
F
eiopa.europa.eu
EIOPA — Insurance & Pensions
Proofpoint
Non-EU
F
eismea.ec.europa.eu
EISMEA — SME & Innovation
Proofpoint
Non-EU
F
ela.europa.eu
ELA — Labour Authority
Proofpoint
Non-EU
F
ema.europa.eu
EMA — Medicines Agency
Proofpoint
Non-EU
C
emcdda.europa.eu
EMCDDA — Drugs Agency
Proofpoint
EU
C
emsa.europa.eu
EMSA — Maritime Safety
Proofpoint
EU
F
enisa.europa.eu
ENISA — Cybersecurity
Proofpoint
Non-EU
F
epso.europa.eu
EPSO — Personnel Selection
Proofpoint
Non-EU
F
era.europa.eu
ERA — Railway Agency
Proofpoint
Non-EU
F
ercea.ec.europa.eu
ERCEA — Research Council
Proofpoint
Unknown
F
esma.europa.eu
ESMA — Securities Markets
Proofpoint
Non-EU
F
edpb.europa.eu
EU Data Protection Board
Proofpoint
Non-EU
F
edps.europa.eu
EU Data Protection Supervisor
Proofpoint
Non-EU
F
eesc.europa.eu
EU Economic & Social Committee
Proofpoint
Non-EU
C
eeas.europa.eu
EU External Action Service
Proofpoint
EU
F
data.europa.eu
EU Open Data Portal
Proofpoint
Non-EU
C
europa.eu
EU Portal
Proofpoint
EU
F
eppo.europa.eu
EU Public Prosecutor
Proofpoint
Non-EU
F
osha.europa.eu
EU-OSHA — Work Safety
Proofpoint
Unknown
F
euaa.europa.eu
EUAA — Asylum Agency
Proofpoint
Non-EU
C
euipo.europa.eu
EUIPO — Intellectual Property
Proofpoint
EU
F
euiss.europa.eu
EUISS — Security Studies
Proofpoint
Unknown
F
eur-lex.europa.eu
EUR-Lex Legal Database
Proofpoint
Non-EU
F
euspa.europa.eu
EUSPA — Space Programme
Proofpoint
Non-EU
F
eurofound.europa.eu
Eurofound
Proofpoint
Non-EU
F
eurojust.europa.eu
Eurojust
Proofpoint
Non-EU
D
rail-research.europa.eu
Europe's Rail JU
Proofpoint
EU
F
eba.europa.eu
European Banking Authority
Proofpoint
Non-EU
F
ecb.europa.eu
European Central Bank
Proofpoint
Unknown
C
ec.europa.eu
European Commission
Proofpoint
EU
F
european-council.europa.eu
European Council
Proofpoint
Non-EU
F
eca.europa.eu
European Court of Auditors
Proofpoint
Unknown
F
eea.europa.eu
European Environment Agency
Proofpoint
Unknown
C
ombudsman.europa.eu
European Ombudsman
Proofpoint
EU
C
europarl.europa.eu
European Parliament
Proofpoint
EU
C
europol.europa.eu
Europol
Proofpoint
EU
F
fra.europa.eu
FRA — Fundamental Rights
Proofpoint
Unknown
F
frontex.europa.eu
Frontex
Proofpoint
Non-EU
F
hadea.ec.europa.eu
HaDEA — Health & Digital
Proofpoint
Non-EU
F
kdt-ju.europa.eu
KDT JU — Key Digital Technologies
Proofpoint
Non-EU
F
publications.europa.eu
Publications Office
Proofpoint
Non-EU
F
eusatcen.europa.eu
SatCen — Satellite Centre
Proofpoint
Unknown
F
srb.europa.eu
Single Resolution Board
Proofpoint
Non-EU
F
sn-ju.europa.eu
Smart Networks & Services JU
Proofpoint
Unknown
F
ted.europa.eu
TED — EU Tenders
Proofpoint
Non-EU
F
eulisa.europa.eu
eu-LISA — IT Systems
Proofpoint
Non-EU
Methodology: Email provider is determined by querying the MX DNS records of each domain and cross-referencing the mail exchanger hostname against a curated database of known provider signatures. A domain is classified as using Proofpoint when its MX records resolve to hostnames in the pphosted.com domain or other known Proofpoint exchanger patterns. Reproduce with: dig <domain> MX This is a factual infrastructure report. It is not a legal determination of regulatory violation. Full methodology →