GDPR-Compliant Email API: What You Actually Need
GDPR compliance for transactional email is often overcomplicated. Here's what actually matters and how to implement it properly.
What GDPR Requires for Email
For transactional email, GDPR applies to the personal data you process—primarily email addresses and any personalization data in the email content.
The Core Requirements
- Lawful basis — Transactional emails typically fall under "legitimate interest" or "contractual necessity"
- Data minimization — Only process what you need
- Storage limitation — Don't keep data forever
- Security — Encrypt in transit and at rest
- Transfer safeguards — If data leaves the EU, you need legal mechanisms
The Data Transfer Problem
Most email APIs are US-based. When you send an email through Resend, SendGrid, or Postmark, your customer's email address travels to US servers.
This requires:
- Standard Contractual Clauses (SCCs) — Legal agreements for the transfer
- Transfer Impact Assessment — Your evaluation of the risk
- Supplementary measures — Additional safeguards you implement
This isn't illegal, but it creates ongoing compliance overhead.
The Simpler Approach: EU Data Residency
If your data never leaves the EU, you eliminate the transfer problem entirely:
- No SCCs needed for the email provider
- No Transfer Impact Assessment
- Simpler DPA (Data Processing Agreement)
- Easier audit trail
Implementing GDPR-Compliant Email with Truncus
1. Data Processing Agreement
Truncus provides a standard DPA that covers:
- Data processing scope (email addresses, message content)
- Security measures (TLS, encryption at rest)
- Subprocessor list (AWS EU, no US transfers)
- Data deletion procedures
2. Technical Implementation
```javascript
import { Truncus } from '@truncus/node';

const truncus = new Truncus({
  apiKey: process.env.TRUNCUS_API_KEY,
  // Data stays in EU
  region: 'eu-west-1',
});

// Placeholders for values your application supplies (the recipient address
// and the rendered confirmation template); not part of the SDK.
const userEmail = 'customer@example.com';
const orderConfirmationHtml = '<p>Thanks for your order.</p>';

// Send with only necessary data
await truncus.emails.send({
  from: 'noreply@yourapp.com',
  to: userEmail,
  subject: 'Your order confirmation',
  html: orderConfirmationHtml,
  // Set retention for GDPR compliance
  metadata: {
    retention_days: 30,
  },
});
```
3. Webhook Data Handling
When you receive webhooks, log only the fields you need for operations and discard the rest:
```javascript
// Webhook handler (Express is assumed here; any JSON-capable framework works).
// logDeliveryEvent is your own persistence function and is not shown.
import express from 'express';

const app = express();
app.use(express.json());

app.post('/webhooks/email', async (req, res) => {
  const event = req.body;
  // Authenticate the request as coming from your email provider before
  // trusting its contents (provider-specific; not shown here).

  // Log delivery status (legitimate interest)
  await logDeliveryEvent({
    messageId: event.message_id,
    status: event.type, // delivered, bounced, etc.
    timestamp: event.timestamp,
  });

  // Don't store the full payload long-term
  // Only keep what you need for operations
  res.status(200).send('OK');
});
```
4. Data Retention
Truncus automatically deletes:
- Email content: 30 days after send
- Delivery logs: 90 days
- Analytics data: Aggregated, no personal data retained
You can request earlier deletion via API.
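The two practices above, keeping only the operational fields of a webhook event (section 3) and expiring stored logs on a fixed schedule (section 4), as an added example that is not Truncus SDK code. The sample payload is constructed; the extra fields in it are made up to show what gets dropped, and the 90-day log retention is an assumption for your own records, mirroring the delivery-log figure quoted above.

```javascript
// Added example (not Truncus SDK code): keep only the operational fields of a
// delivery webhook and attach a purge date, so stored logs carry no more
// personal data than needed and expire on schedule.

// Fields worth keeping for operations: the ones the webhook handler logs.
const KEEP_FIELDS = ['message_id', 'type', 'timestamp'];

// Assumed retention for your own delivery logs; 90 days mirrors the
// delivery-log retention quoted for Truncus, but your policy decides it.
const LOG_RETENTION_DAYS = 90;

// Strip the event down to the allowed fields and stamp it with a purge date.
// Throws if an operational field is missing or the timestamp is unusable,
// so malformed events are rejected instead of logged.
function minimizeDeliveryEvent(event, retentionDays = LOG_RETENTION_DAYS) {
  const record = {};
  for (const field of KEEP_FIELDS) {
    if (event[field] === undefined) {
      throw new Error(`webhook event missing required field: ${field}`);
    }
    record[field] = event[field];
  }
  const sent = new Date(event.timestamp);
  if (Number.isNaN(sent.getTime())) {
    throw new Error('webhook event has an unparseable timestamp');
  }
  const purgeAt = sent.getTime() + retentionDays * 86_400_000;
  record.purge_after = new Date(purgeAt).toISOString();
  return record;
}

// Drop stored records whose retention has elapsed (storage limitation).
function purgeExpired(records, now = new Date()) {
  return records.filter((r) => new Date(r.purge_after) > now);
}

// Constructed sample payload: only message_id, type and timestamp survive.
const sampleEvent = {
  message_id: 'msg_example_123',
  type: 'delivered',
  timestamp: '2024-01-10T12:00:00Z',
  to: 'alice@example.com', // personal data: not needed for status logging
  subject: 'Your order confirmation',
  raw_smtp_response: '250 2.0.0 OK',
};

const minimized = minimizeDeliveryEvent(sampleEvent);
console.log(minimized);
console.log(purgeExpired([minimized], new Date('2024-04-15T00:00:00Z')).length);
```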
Checklist: GDPR-Compliant Email Setup
| Requirement | How Truncus Helps |
|---|---|
| Data Processing Agreement | Standard DPA provided |
| EU data residency | All data stays in EU |
| Encryption in transit | TLS 1.3 required |
| Encryption at rest | AES-256 encryption |
| Access controls | API key scoping, audit logs |
| Data deletion | Automatic retention limits + API |
| Subprocessor transparency | Published subprocessor list |
What You Still Need to Do
Using a GDPR-compliant email API doesn't make you compliant automatically. You still need:
- Privacy policy — Disclose you use transactional email services
- Lawful basis — Document why you send each type of email
- Data minimization — Don't put unnecessary personal data in emails
- Subject access requests — Process SARs within 30 days
Getting Started
- Create your account
- Download the DPA from your dashboard
- Configure your domain
- Send your first email
Questions about GDPR compliance? Contact us at privacy@truncus.co