Privacy matters at Mailgun: Your data is safe with us

On July 16, 2020, the European Commission Court of Justice (CJEU) invalidated the adequacy of the EU-US Data Privacy Shield’s protection. Here's all you need to know about the invalidation and how it affects your email sending.

Here we go again. There’s been yet another shift in the ever-changing world of data privacy, and we wanted to make sure (as always) that we’re keeping you aware of the changes and helping you stay on top of the topic of data privacy.

So what happened with the Privacy Shield?

You may have heard of the EU-US Data Privacy Shield, which, beginning in 2016, regulated the usage of consumer data in transactions between Europe and the United States. American companies were able to use the Privacy Shield to validate and accredit these transatlantic data transactions. Basically, using the Privacy Shield allowed American companies to actually do those transactions.

Okay, so does the Privacy Shield still protect these companies?

Not anymore. On July 16, 2020, the European Commission Court of Justice (CJEU) invalidated the adequacy of the EU-US Data Privacy Shield’s protection. In other words, American companies can no longer use the Privacy Shield as a way to “allow” transatlantic data transactions.

You may wonder, what does this mean for Mailgun? You wouldn’t be the first to ask. Since the ruling, some of our customers have asked about its impact on our services and our business. Because of these questions, we wanted to provide more detailed information on how our company deals with data protection, and how it is impacted by the CJEU’s recent decision.

A little background on the CJEU ruling 

Under the European Union’s General Data Protection Regulation (GDPR), proper safeguards (basically, protections) must be in place for data transfers from any country outside of the European Union, including the United States. Until July 16, 2020, the Privacy Shield was considered an adequate GDPR protection and had complied with its requirements when transferring personal data to the United States. 

To remind you, on July 16, 2020, the CJEU invalidated the adequacy of the protection provided by the EU-US Privacy Shield. For more information on this specific ruling, see the decision here.

Since the Privacy Shield framework is now considered inadequate, an alternative protection is required for all data transfers. These alternatives may include the Standard Contractual Clauses (SCCs), also called EU Model Clauses, or Binding Corporate Rules.

Does Mailgun have alternative protection? 

Yup! At Mailgun, we had already gone beyond the minimum requirements of the GDPR (yay!). We did not only rely on the Privacy Shield, but we had already maintained (and continue to maintain) Standard Contractual Clauses (SCCs) for all our data transfers, including transfers with our sub-processors that processed our customers’ personal data. These SCCs, as per the CJEU ruling, continue to be a valid legal mechanism to transfer data under the GDPR. So, if you’re using Mailgun, your data is safe and valid.

To go one step further, we implement additional safeguards beyond the standard contractual clauses (sadly, these safeguards don’t include ninjas), and we make sure to have proper technical and organisational measures in place for any personal data transfers (including data encryption and security).

Mailgun has a vendor management procedure in place, which we use to control and audit all of our sub-processors, including frequent audits on the sub-processors that process the personal data of our customers. This is basically a fancy way of saying that our data processes and data processors are safe, valid, and frequently inspected. We also perform audit risk assessments, and we implement the requisite technical and organisational measures to ensure that proper security and data protection are respected. For further details on our security and privacy measures, see our dedicated page here.

So, I’m good? Do I have to do or change anything related to data privacy?

No, you don’t have to do anything. We’ve already implemented all necessary protections. Mailgun has you covered and balanced like that kitten at the top of the page. We have been, and remain, wholly committed to having a lawful basis for data transfers in compliance with applicable data protection laws. Both Mailgun and Mailjet continue to monitor the evolution of international data transfer mechanisms under the GDPR, and we are committed to ensuring a lawful basis for all our data transfers in compliance with all other applicable data protection laws.

We understand the concerns of our customers and remain steadfast in our commitment to ensure that our customers’ data is secure and protected. And, as long as we’re here, you can rest assured that we’ll be going above and beyond to protect that data—and its transfers—under international laws. So feel free to sit back, look at cute cat GIFs, and leave data privacy to us. 

Do you have any additional questions for our Legal team? Feel free to drop them an email at!
