GDPR by architecture. Not by contract.

Cloud-based email security routes every mail through somebody else's infrastructure. For lawyers, tax advisers, hospitals, public authorities and everyone under strict oversight that's a compliance nightmare. NetCell MailGuard runs on your server — the mail never leaves your infrastructure.

The problem with cloud vendors

Mimecast, Proofpoint, Hornetsecurity and every other cloud email security vendor work the same way: the MX record points at their cluster, every mail is filtered there and then forwarded to your mail server. From a GDPR perspective this triggers three obligations:

  1. Data processing agreement (Art. 28 GDPR): you must conclude a DPA with the cloud vendor. You have to review it, keep it in your record of processing activities, audit it regularly.
  2. Third-country transfer (Chapter V GDPR): with US vendors like Mimecast or Proofpoint, Schrems II applies — you need standard contractual clauses plus a transfer-impact assessment, you need to evaluate and mitigate the risk of US-authority access (CLOUD Act).
  3. Supervisory-authority risk: bar associations (BORA § 43e), tax advisers (StBerG), doctors (§ 203 StGB professional secrecy), public bodies (BDSG) — all have specific confidentiality obligations that make cloud processing of client data, patient data or tax data at least questionable.

The MailGuard solution

NetCell MailGuard runs on your servers or VMs in your own data centre (or at a hosting provider you trust). Mail content is processed exclusively on your infrastructure. Concretely:

  • No DPA needed: you are the controller yourself; nothing is shared with third parties. The Art. 28 data processing agreement falls away entirely because there is no processor.
  • No third-country clauses: all components sit in the EU/EEA (you choose the data centre). No Schrems II assessment, no transfer-impact assessment, no SCCs.
  • Gapless audit log: every admin action, every quarantine release and every policy change, each with timestamp and actor. This is the mandatory evidence for Art. 5 (1) f (integrity and confidentiality).
  • Vendor in Germany: NetCell IT, Leverkusen. German support, German contracts under German law, no US CLOUD Act access to the vendor company.
  • Open-source stack: established open-source components as the foundation, which you can audit yourself if needed. No black-box engine, no proprietary cloud logic.
  • Threat intel without data flowing back: we pull external phishing lists (OpenPhish, URLhaus) over HTTP. Nothing is reported back to threat-intel vendors; your mail telemetry stays with you.

Which industries does this matter to?

  • Law firms — client confidentiality under § 43a BRAO, attorney secrecy. Cloud email security is typically a breach of that trust.
  • Tax advisers — § 57 StBerG confidentiality. The German Federal Chamber of Tax Advisers explicitly recommends self-hosting for confidential client communications.
  • Doctors and hospitals — § 203 StGB professional secrecy, patient data as a special category under Art. 9 GDPR. Cloud processing is essentially ruled out.
  • Public authorities — BSI baseline protection, IT Security Act, KRITIS regulation. Self-hosting in an EU data centre is typically mandatory.
  • Banks and insurers — BAIT, VAIT, MaRisk. Outsourcing critical functions to third parties is a notification-relevant event.
  • Hosting providers and resellers — you sell MailGuard white-label to end customers with their own compliance requirements, without having to push their mail through your own cloud.

How does this work technically?

When you install MailGuard, the entire mail processing path lives on your machine: SMTP intake, spam and virus scoring, attachment detonation in the sandbox — everything in the address space of your server. The only external communication is:

  • DNS lookups (RBL/URIBL queries) — no content, just hash lookups
  • HTTP pull of threat-intel feeds (OpenPhish, URLhaus, PhishTank) — we pull, we don't send anything back
  • Let's Encrypt ACME for TLS certificates (DNS or HTTP challenge, no mail content)
  • Cluster-internal, encrypted replication between your own MailGuard nodes
  • APT updates for software packages (debian.org, security.debian.org, git.netcell-it.de)

Mail content never leaves to third parties. Quarantine, logs and audit trail stay on your server.
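As an added example (not MailGuard's own code), one way to verify that claim on the gateway host itself: classify each outbound connection from a firewall or flow log against the five egress classes listed above and surface anything else. The cluster subnet, resolver address, replication port and the feed/ACME/APT hostnames are assumed placeholders, and the sample records are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values (not from the page); adjust them to your own deployment.
CLUSTER_NET = ipaddress.ip_network("10.20.0.0/24")
RESOLVERS = {"10.20.0.53"}
REPLICATION_PORT = 4010
ALLOWED_PULL_SUFFIXES = {
    "threat-intel-pull": ("openphish.com", "urlhaus.abuse.ch", "phishtank.org"),
    "acme": ("letsencrypt.org",),
    "apt-update": ("debian.org", "git.netcell-it.de"),  # covers security.debian.org
}

@dataclass(frozen=True)
class Conn:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    dst_name: str   # SNI or reverse-resolved name, "" if unknown

def classify(c: Conn) -> str:
    # Map one outbound connection to a documented egress class, else "UNEXPECTED".
    if c.proto == "udp" and c.dst_port == 53 and c.dst_ip in RESOLVERS:
        return "dns-lookup"
    if (c.proto == "tcp" and c.dst_port == REPLICATION_PORT
            and ipaddress.ip_address(c.dst_ip) in CLUSTER_NET):
        return "cluster-replication"
    if c.proto == "tcp" and c.dst_port in (80, 443) and c.dst_name:
        name = c.dst_name.lower()
        for cls, suffixes in ALLOWED_PULL_SUFFIXES.items():
            # Exact or dot-separated suffix match, so "notdebian.org" is rejected.
            if any(name == s or name.endswith("." + s) for s in suffixes):
                return cls
    return "UNEXPECTED"

def audit(conns) -> list:
    # Everything that falls outside the documented egress classes.
    return [c for c in conns if classify(c) == "UNEXPECTED"]

# Constructed sample, shaped like firewall or flow-log records of the gateway host.
SAMPLE = [
    Conn("udp", "10.20.0.53", 53, ""),                            # RBL/URIBL query
    Conn("tcp", "192.0.2.10", 443, "urlhaus.abuse.ch"),            # feed pull
    Conn("tcp", "192.0.2.20", 443, "acme-v02.api.letsencrypt.org"),
    Conn("tcp", "192.0.2.30", 80, "security.debian.org"),          # APT
    Conn("tcp", "10.20.0.12", 4010, ""),                           # peer node
    Conn("udp", "8.8.8.8", 53, ""),                                # not our resolver
    Conn("tcp", "192.0.2.40", 443, "telemetry.example.net"),       # undocumented egress
]
UNEXPECTED = audit(SAMPLE)  # the foreign resolver and the telemetry host
```

Run it against a real export of the host's outbound connections; anything it reports is either a gap in the allowlist or traffic you did not document.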

GDPR-compliant without legal acrobatics?

Talk to us about your compliance requirements. We know the industry specifics.

Request a consultation