The Question You Cannot Afford to Dodge

Imagine you are sitting across the table from a potential client. The meeting has gone well. They like your proposal, your pricing works, and they are ready to move forward. Then their compliance officer leans in and asks: "Where is our data going to be stored? Which country? Under whose jurisdiction?"

You look at your email provider's name on your phone. You think about it. And you realise you have absolutely no idea where the emails you exchange with this client will actually be stored. Not a clue. Is it the UK? Germany? The United States? A data centre in Singapore that you have never heard of?

This scenario is not hypothetical. It is happening in meeting rooms across the UK every week. Businesses that handle client data — which is virtually every business — are increasingly being asked to demonstrate where that data lives. And the most fundamental, most frequently overlooked piece of data infrastructure in any business is email.

Think about what passes through your email system on a typical day. Client names and addresses. Financial information. Contract terms. Employee personal details. Health information if you work in healthcare. Case details if you work in law. Payment records if you work in accounting. Tender responses if you work with the public sector. Every one of these is personal data under UK law, and every piece of personal data is subject to rules about where it can be stored and processed.

Most UK business owners chose their email provider based on price, features, or convenience — and rightly so. But very few asked the question that increasingly matters most: where, physically, will my data be? And under UK data protection law, that is a question you are legally obligated to be able to answer.

This guide explains why data location matters, where the major email providers actually store your data, what "data sovereignty" means for your business in practical terms, and how to ensure you can answer that question with confidence the next time someone asks.

Why Data Location Matters — Explained for Non-Lawyers

Data protection law can seem impenetrably complex, but the core principles that apply to email data location are surprisingly straightforward. Here is what you need to understand, without the legalese.

Your Emails Contain Personal Data

Every email you send and receive is likely to contain personal data as defined by UK GDPR. Personal data is any information that identifies or can be used to identify a living person. In a typical business email, that includes: the name and email address of the sender and recipients, phone numbers and postal addresses in signatures, financial information in invoices and payment discussions, employee details in HR correspondence, client information in project communications, and health or legal information in regulated industries.

You do not need to be processing "sensitive" data for UK GDPR to apply. A name and an email address are personal data. A salary figure is personal data. A delivery address is personal data. If your business sends and receives email — which it does — you are processing personal data.

You Are Responsible for Knowing Where It Is

Under UK GDPR, the business that collects and uses personal data is the data controller. Your email provider, which stores and processes the data on your behalf, is the data processor. As the data controller, you have a legal obligation to know where your data processor stores and processes personal data, to ensure that storage and processing complies with UK GDPR, to have a written agreement (a Data Processing Agreement) with your processor that sets out the terms, and to be able to tell data subjects (the people whose data you hold) where their data is if they ask.

In practical terms: if a client asks "where is my data stored?", you need to be able to answer. "I don't know" is not a legally acceptable answer. "Somewhere in the cloud" is not a legally acceptable answer. You need to know the country, and you need to be confident that the data protection laws of that country provide adequate protection.

Did You Know?

Under UK GDPR, individuals have the right to ask any organisation that holds their data where it is stored and whether it is transferred to other countries. This is called a Subject Access Request. You are legally required to respond within one month. If you cannot answer because you do not know where your email provider stores data, you are in breach of the regulation — regardless of whether the data is actually being handled well.

International Transfers Need Legal Justification

If your email data leaves the UK, additional rules apply. UK GDPR permits data transfers to countries that the UK Government has determined provide an "adequate" level of data protection. This currently includes all EU and EEA countries, plus a list of other countries such as Japan, South Korea, and New Zealand. Transfers to the United States are permitted under the UK-US Data Bridge (an extension of the EU-US Data Privacy Framework), but this arrangement has been subject to legal challenges and uncertainty — the previous arrangement (Privacy Shield) was struck down by the courts in 2020.

For transfers to countries without an adequacy decision, you need additional legal mechanisms: Standard Contractual Clauses (pre-approved contract terms), a Transfer Impact Assessment (an evaluation of whether the destination country's laws provide sufficient protection), or Binding Corporate Rules (for transfers within a corporate group).

None of this is impossible, but it is complex, it requires legal awareness, and it creates ongoing compliance obligations. The simplest way to avoid all of this complexity is to ensure your email data stays within the UK or EU in the first place.

Getting It Wrong Has Real Consequences

The consequences of non-compliance are not just theoretical. The Information Commissioner's Office (ICO) has the power to impose fines of up to seventeen and a half million pounds or four per cent of annual global turnover — whichever is higher. In practice, fines at this level are reserved for the most serious breaches by the largest organisations. But the ICO has issued fines running into hundreds of thousands of pounds to mid-sized businesses for data protection failures, including failures related to inadequate data processing agreements and insufficient oversight of data processors.

More commonly, the practical consequences are commercial rather than regulatory. Failed client audits. Lost public sector contracts. Due diligence questions that you cannot answer satisfactorily. A competitor who can demonstrate clear data residency wins the work that you lose because you cannot.

Where the Big Providers Actually Store Your Data

Let us look at what the most popular email providers actually do with your data. This is not about criticising any specific provider — it is about giving you the information you need to make an informed decision for your business.

Google Workspace

Google operates one of the largest data centre networks in the world, spanning the United States, Europe, Asia, and South America. When you sign up for Google Workspace — the business version of Gmail — your email data is processed across this global infrastructure. Google's default position is that data can be stored and processed in any of their data centres worldwide, wherever Google determines is most efficient.

Data residency controls are available, but only on higher-tier plans. Google Workspace Business Plus and Enterprise plans allow you to select a data region (such as Europe), which restricts where the primary copy of your data is stored at rest. However, even with a data region selected, certain types of processing — including indexing, caching, and some aspects of spam filtering — may still occur outside your chosen region.

On the most popular small business plans — Business Starter and Business Standard — there is no data residency guarantee whatsoever. Your emails could be stored in the United States, Ireland, Finland, the Netherlands, Singapore, or anywhere else Google operates. You cannot specify, and Google does not promise.

For a UK small business owner, this means that unless you are paying for one of the more expensive plans, you cannot tell a client or a regulator exactly where their data is stored. And even on the higher plans, the data residency story has nuances that require careful explanation.

Microsoft 365

Microsoft's approach is somewhat more structured than Google's, but still complex. When you sign up for Microsoft 365 with a UK billing address, Microsoft typically provisions your data in their UK data centres (located in London and Cardiff). However, this is not guaranteed on all plan tiers, and certain data types may be processed outside the UK.

Microsoft introduced the EU Data Boundary in stages from 2023, which aims to keep EU and EEA customer data within the EU. For UK customers, the picture is more nuanced because the UK is no longer in the EU. Microsoft does offer UK data residency commitments, but the specifics depend on your plan, your configuration, and the type of data being processed.

The data processing addendum that Microsoft provides is a complex legal document. It covers Microsoft's entire cloud service portfolio, not just email, and runs to dozens of pages. For a small business owner without in-house legal counsel, extracting a clear, simple answer about where email data is stored requires significant effort.

The CLOUD Act Factor

Both Google and Microsoft are American companies subject to the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018). This law allows US law enforcement to compel American technology companies to provide access to data regardless of where that data is physically stored. In theory, this means that even if your email data is stored in a UK data centre, a US court order could compel Google or Microsoft to provide access to it. The practical significance of this is debated by legal experts, but it is a factor that some UK businesses — particularly those in regulated industries — take seriously when choosing a provider.

Generic Shared Hosting

Many small UK businesses get their email through the same hosting provider that runs their website — a shared hosting plan that includes email as an add-on feature. The data location question with these providers is often the murkiest of all.

Shared hosting providers may operate their own data centres, but many resell infrastructure from larger providers — often based in the United States or continental Europe. The reseller may not even know exactly where the physical servers are located, because they are leasing virtual infrastructure from a provider who manages the physical layer. Ask your shared hosting provider "which country is my email stored in?" and the answer may be genuinely uncertain: "Our servers are provisioned through [cloud provider], which operates data centres in multiple regions."

This is not necessarily a sign of incompetence — shared hosting is designed to be affordable and convenient, and data residency has historically not been a priority for most small business hosting customers. But it does mean that if data location matters to your business, generic shared hosting may not provide the clarity you need.

Specialist UK Email Providers

At the other end of the spectrum are email providers that specifically target UK and EU businesses and operate infrastructure within the UK and EU as standard on all plans. These providers typically offer clear data residency commitments on every plan tier (not just enterprise plans), straightforward Data Processing Agreements, infrastructure subject to UK and EU law (not US law), and simple, transparent answers to the question "where is my data?"

The trade-off is usually that these providers are smaller than Google or Microsoft, with less brand recognition. But for a business whose priority is data location clarity and regulatory compliance, a specialist provider offers a significantly simpler compliance story.

What Data Sovereignty Means in Practice

Data sovereignty is a term that sounds abstract but has very concrete implications for your business. In plain language, data sovereignty means that you control where your data lives, and the laws of your chosen jurisdiction govern how it is protected. Here is what that looks like in practice.

Your Email Server Is Physically in the UK or EU

Data sovereignty starts with physical location. Your email data — the messages, attachments, calendar entries, and contacts — is stored on a server that is physically located in a data centre within the United Kingdom or the European Union. This is not a virtual guarantee or a "best efforts" commitment. It is a verifiable, physical fact. The server has an address. The data centre has a postcode. If challenged, you can point to a specific physical location and say: "My data is there."

The Company Operating the Server Is Subject to UK or EU Law

Physical location alone is not sufficient if the company operating the server is incorporated in a jurisdiction with different data protection standards. True data sovereignty means that the company responsible for your email infrastructure is subject to UK or EU data protection law — and only UK or EU data protection law. This eliminates the risk that a foreign government can use its own legal mechanisms to access your data.

No Foreign Government Can Compel Access Under Their Own Laws

This is where data sovereignty becomes particularly relevant for businesses handling sensitive client data. When your email provider is an American company — even if your data is stored in a UK data centre — the US CLOUD Act potentially allows US authorities to compel access to your data without going through UK legal channels. The practical likelihood of this affecting a typical UK small business is low, but the legal possibility exists, and for regulated industries — law firms, financial services, healthcare — even the possibility may be unacceptable.

When your email provider is a UK or EU company operating UK or EU infrastructure, this concern does not arise. Access to your data can only be compelled through UK or EU legal processes, with the protections those processes provide.

You Can Answer Questions With a Simple, Clear Statement

Perhaps the most practical benefit of data sovereignty is this: when a client, a regulator, an auditor, or a potential business partner asks where your email data is stored, you can give a clear, honest, one-sentence answer. "Our email data is stored in UK data centres operated by a UK company under UK data protection law." No caveats. No asterisks. No "it depends on which plan tier you have." Just a clean answer.

That clarity has commercial value. It makes due diligence straightforward. It makes compliance demonstrable. It makes you the easy choice for clients who care about data protection — and an increasing number of them do.

Important

Data sovereignty is not just about avoiding fines. It is about commercial credibility. In competitive procurement situations — particularly for public sector work, legal services, financial services, and healthcare — demonstrable data residency is increasingly a qualifying requirement, not a nice-to-have. Businesses that cannot demonstrate clear data location are being excluded from opportunities before the evaluation even begins.

Who Cares About This? More People Than You Think

You might assume that data location is only relevant to large enterprises or highly regulated industries. That assumption is increasingly wrong. Here is who is asking the question — and why it matters to businesses of all sizes.

Any Business With Clients

If you provide services to other businesses — any services — your clients are increasingly including data handling questions in their supplier assessments. This is not limited to technology companies or data-heavy industries. Accountancy firms, marketing agencies, recruitment consultancies, facilities management companies, and professional services of every type are being asked: where do you store our data?

The driver is simple: your clients are responsible for their own data, and that responsibility extends to any third party they share it with. When they send you an email containing personal data, they need to know that you handle it in compliance with UK GDPR. They need to know where it is stored. And they need to be confident that your email provider meets the same standards they are required to meet.

If you cannot answer these questions clearly, you are creating a compliance problem for your client. Some clients will accept the risk. Increasingly, many will not — and will choose a supplier who makes compliance easy rather than difficult.

Regulated Professions

Several professions in the UK have explicit regulatory requirements around data handling that go beyond the baseline of UK GDPR:

  • Solicitors — The Solicitors Regulation Authority (SRA) requires law firms to have adequate systems and controls for the protection of client confidential information. This includes knowing where electronic communications are stored and ensuring they are adequately protected. Client legal privilege makes the sensitivity of email data even higher in legal practice.
  • Accountants — The Institute of Chartered Accountants in England and Wales (ICAEW) and other professional bodies impose data handling standards on their members. Client financial data in email is subject to professional confidentiality obligations.
  • Financial services — The Financial Conduct Authority (FCA) requires regulated firms to have adequate data protection measures. For firms handling client financial data, knowing where email is stored is part of their regulatory compliance.
  • Healthcare — Organisations handling patient data are subject to strict rules under UK GDPR, the Data Protection Act 2018, and NHS-specific guidance. Patient data in email must be stored and processed in jurisdictions that provide adequate protection.

Public Sector Suppliers

If your business supplies goods or services to the UK Government — whether central government, local authorities, the NHS, or other public bodies — data residency requirements are increasingly non-negotiable. Government procurement frameworks often explicitly require UK data residency for services that handle personal data or sensitive government information.

The Government Digital Service (GDS) and the National Cyber Security Centre (NCSC) publish guidance on cloud service selection that emphasises data location as a key consideration. If you want to do business with the public sector, demonstrating clear UK data residency is becoming a prerequisite, not a differentiator.

Businesses Under Cyber Essentials

Cyber Essentials — the UK Government's cybersecurity certification scheme — includes questions about how your organisation handles data, including where it is processed and stored. While Cyber Essentials does not mandate specific data locations, the assessment process encourages businesses to understand and document their data flows. Having a clear answer about email data location makes the certification process smoother and demonstrates a mature approach to data management.

Any Business That Values Simplicity

Beyond regulation and compliance, there is a purely practical argument for knowing where your email data is stored: it makes your life simpler. When you know where your data is, you can answer client questions without hesitation. You can complete supplier assessment forms in minutes rather than hours. You can respond to Subject Access Requests with confidence. You can sleep at night knowing that a change in international data transfer regulations will not suddenly create a compliance crisis for your business.

Simplicity is underrated. In a world where data protection regulations are becoming more complex, not less, having a simple, clean data location story is a competitive advantage.

How to Check Where Your Email Data Is Stored

If you are reading this and realising that you do not actually know where your email data is stored, here is how to find out. These steps are straightforward and do not require technical expertise.

Ask Your Provider Directly

Send your email provider a direct question: "In which country are my business emails physically stored?" A good provider will give you a clear, specific answer: "Your emails are stored in our data centre in the United Kingdom" or "Your data is held in data centres in London and Frankfurt." If the answer is vague, evasive, or includes phrases like "our global infrastructure" without specifying locations, press for specifics. You are entitled to know, and they are obligated to tell you.

Request a Data Processing Agreement

Under UK GDPR, you should have a Data Processing Agreement (DPA) in place with any third party that processes personal data on your behalf — and your email provider is one of the most important. The DPA should specify where data is stored and processed, what security measures are in place, how data is retained and deleted, and what happens in the event of a data breach.

If your provider does not have a DPA ready, or does not know what one is, that is a significant red flag. It suggests that data protection compliance is not a priority for them, which should make you question whether they are the right custodian for your business data.

Check for Independent Certifications

Look for ISO 27001 certification — the international standard for information security management. ISO 27001 certification means that the provider's data handling practices have been independently audited against a rigorous set of requirements. SOC 2 (Service Organisation Control) certification is another indicator of robust data handling, particularly common among providers serving regulated industries.

These certifications do not guarantee specific data locations, but they demonstrate that the provider takes data security seriously and has submitted to external scrutiny. A provider without any independent certification is not necessarily insecure, but a provider with certification provides tangible evidence of their commitments.

Look for a Published Data Residency Policy

Providers who prioritise data sovereignty typically publish a clear data residency policy on their website. This policy states where data is stored, whether backups are in the same jurisdiction, and what legal framework governs access to the data. If you can find this information publicly on the provider's website, it is a strong signal that they take data location seriously. If you cannot find it, it may mean they do not have a clear policy — or that they prefer not to be specific, which amounts to the same concern.

epost.plus Advantage

epost.plus provides a clear, one-sentence answer to the data location question: your email data is stored in UK and EU data centres on every plan. No higher-tier plans required, no complex configuration, no ambiguity. The Data Processing Agreement is available on request, and the infrastructure is operated under EU jurisdiction.

The Cost of Getting It Wrong

The consequences of not knowing where your email data is stored — or of storing it in a jurisdiction that creates compliance problems — fall into two categories: regulatory and commercial. Both are worth understanding.

Regulatory Consequences

The ICO has the power to investigate any organisation that processes personal data in the UK, and to impose enforcement actions ranging from warnings and reprimands to fines. The maximum fine under UK GDPR is seventeen and a half million pounds or four per cent of annual global turnover, whichever is higher. In practice, fines at this level are reserved for the most egregious breaches by the largest organisations.

For small and medium-sized businesses, ICO enforcement is more likely to take the form of an enforcement notice (requiring you to take specific action within a timeframe), a reprimand, or a fine in the thousands to tens of thousands of pounds. The ICO's published enforcement actions include cases where organisations failed to have adequate data processing agreements in place, failed to ensure adequate protection for international data transfers, or could not demonstrate where personal data was being processed.

The ICO does not actively audit every business in the UK — they do not have the resources. But investigations are triggered by complaints, data breaches, and sectoral reviews. If a data breach occurs and the ICO investigates, one of the first questions they will ask is: where was the data stored, and what agreements did you have in place with your data processor?

Commercial Consequences

In practice, the commercial consequences of poor data location management are often more immediately impactful than regulatory fines. These include:

  • Failed client audits — When a client conducts a supplier data protection audit and you cannot demonstrate where their data is stored, the audit fails. Depending on the client, this may result in a requirement to remediate within a timeframe, or it may result in the loss of the contract.
  • Lost procurement opportunities — Public sector procurement and large private sector tenders increasingly include data residency requirements. If your data location does not meet the specified criteria, your bid is non-compliant and excluded before it is evaluated on any other basis.
  • Reputational damage — In a market where data protection awareness is growing, being unable to answer basic questions about data location creates an impression of carelessness that can damage your reputation with clients and partners.
  • Compliance disruption — International data transfer mechanisms are subject to legal challenges. The EU-US Privacy Shield was invalidated by the European Court of Justice in 2020, creating immediate compliance problems for any business that relied on it. If your email data is stored in a jurisdiction whose adequacy status changes, you face an urgent and potentially disruptive compliance exercise.

The simplest way to avoid all of these risks is to know where your data is, ensure it is within the UK or EU, and have the documentation to prove it.

Real-World Impact

A 2025 survey by the Chartered Institute of Procurement and Supply found that over 60% of UK procurement professionals now include data residency requirements in their supplier evaluation criteria. Among public sector buyers, the figure was higher still. For growing businesses that aspire to work with larger clients or the public sector, data location is not a future concern — it is a present-day requirement that affects your ability to win work.

How epost.plus Handles Data Sovereignty

Data sovereignty should not be complicated. It should not require enterprise-tier plans, legal analysis of international data transfer mechanisms, or hours spent deciphering complex data processing addendums. For a UK business owner, the answer to "where is my data?" should be simple, clear, and available from day one.

epost.plus is built on the Axigen mail server platform and provides exactly this clarity.

UK and EU Data Centres on All Plans

Every epost.plus email plan — from the smallest to the largest — stores data in UK and EU data centres. This is not a feature reserved for enterprise clients or higher-tier plans. It is the standard for every account. Your email messages, attachments, calendar entries, contacts, and backups are all held within the UK and EU, on infrastructure operated under EU jurisdiction.

There are no asterisks. No "data may be processed in other regions for performance optimisation." No complex configuration required to enable data residency. Your data is in the UK and EU because that is where the servers are. Full stop.

Clear Data Processing Agreement

epost.plus provides a straightforward Data Processing Agreement that states in plain language where data is stored, how it is processed, what security measures protect it, and how it is handled in the event of a breach. The DPA is designed to be understandable by a business owner, not just a data protection lawyer. It is available on request and can be included in your own compliance documentation.

Axigen Server Under EU Jurisdiction

The Axigen mail server that powers epost.plus is developed by a European company subject to EU data protection law. This means that the entire chain — from the email platform software to the physical servers that run it — is within the EU legal framework. There is no US parent company that could be subject to the CLOUD Act or equivalent legislation. The legal jurisdiction is clear and consistent.

No Data Processing Outside the UK and EU

epost.plus does not transfer, replicate, or process email data outside the UK and EU. There are no offshore backup locations, no global content delivery networks processing email content, and no third-party analytics services ingesting your email data. Everything stays within the UK and EU, all the time.

For businesses that need to demonstrate data residency to clients, regulators, or procurement teams, this provides the cleanest possible compliance story. You can say, with confidence: "Our email is stored in the UK and EU by a provider subject to UK and EU law, and it never leaves that jurisdiction."

Complete Email Security Stack

Data sovereignty is one aspect of email security; the rest of the stack matters too. epost.plus runs the complete email authentication and encryption stack: DMARC at p=reject with strict alignment, SPF, DKIM, DNSSEC, MTA-STS in enforce mode, and DANE certificate pinning. Two-factor authentication is available on all accounts. All connections are encrypted by TLS with no fallback to unencrypted delivery.

You can view business email plans and order through smartxhosting.uk. For organisations with public sector or regulatory requirements, public administration email plans are available with additional compliance features. For dedicated infrastructure, public administration email at smartxhosting.uk provides a fully managed solution. If you have questions about data residency or compliance, get in touch with the support team.

epost.plus Advantage

When a client, a regulator, or a procurement team asks where your email data is stored, epost.plus gives you a one-sentence answer: "UK and EU data centres, operated under EU jurisdiction, with no data processing outside the UK and EU." That sentence is worth more than a hundred pages of complex data processing addendums — because it is clear, it is true, and it is the same answer on every plan.

Frequently Asked Questions

Does UK GDPR apply to business email?

Yes. UK GDPR applies to any processing of personal data, and business email almost always contains personal data — names, email addresses, phone numbers, postal addresses, financial details, and sometimes sensitive personal information. Every email you send, receive, and store is data processing under UK GDPR. This means you must know where that data is processed and stored, you must have a lawful basis for processing it, and you must be able to demonstrate compliance if asked by a client, a regulator, or the ICO. The legal obligations apply regardless of the size of your business. A sole trader with ten emails a day has the same fundamental obligations as a multinational corporation.

Where does Google Workspace store my business emails?

By default, Google does not guarantee that your email data is stored in any specific country. Google operates a global network of data centres and processes data wherever it determines is most efficient. Data residency controls are available, but only on higher-tier plans — Google Workspace Business Plus and Enterprise. These controls allow you to select a data region such as Europe, but even then, certain metadata and processing may occur outside that region. On the standard Business Starter and Business Standard plans — which are the most popular with small businesses — there is no data residency guarantee at all. Your emails could be stored in the United States, Ireland, the Netherlands, Singapore, or any other location where Google operates infrastructure.

What is a Data Processing Agreement and do I need one?

A Data Processing Agreement, commonly called a DPA, is a legally required contract between you (the data controller) and your email provider (the data processor). Under UK GDPR, whenever a third party processes personal data on your behalf, you must have a DPA in place. The agreement must specify what data is processed, how it is processed, where it is stored, how long it is retained, and what security measures are in place. Without a DPA, you are in breach of UK GDPR regardless of how well your provider actually handles the data. Most reputable email providers publish their DPA or make it available on request. If your provider cannot provide a DPA, or does not know what one is, that is a serious red flag.

Do I need UK data centres if I am not in a regulated industry?

You are not legally required to store email data in the UK specifically. UK GDPR permits data transfers to countries with adequate data protection laws, which includes all EU and EEA countries and a list of other countries assessed by the UK Government. However, there are strong practical reasons to prefer UK or EU data centres regardless of your industry. First, it simplifies your compliance story — you can tell clients and regulators exactly where their data is without needing to explain complex international transfer mechanisms. Second, it eliminates the risk that a foreign government may compel access to your data under their own laws. Third, it is increasingly expected by business clients, even in non-regulated industries. And fourth, it future-proofs your position against changes in international data transfer rules, which have been subject to repeated legal challenges over the past decade.

What about email backups — where are they stored?

This is an important question that many businesses overlook. Even if your primary email data is stored in the UK, backups may be replicated to data centres in other countries. Under UK GDPR, backups containing personal data are subject to the same rules as the primary data. If your backups are stored outside the UK and EU, you need the same legal justification as you would for any other international data transfer. Ask your email provider specifically: where are backups stored, and are they in the same jurisdiction as the primary data? A provider who stores both primary data and backups within the UK or EU gives you a clean, simple compliance position. A provider who cannot answer this question may not have adequate control over their own infrastructure.

How do I check where my current email provider stores data?

Start by asking a direct question: "In which country are my emails physically stored?" A good provider will give you a clear, specific answer — for example, the United Kingdom, Germany, or the Netherlands. If the answer is vague — such as "our data is stored in secure global data centres" — press for specifics. Next, request a copy of their Data Processing Agreement, which should state the location of data processing. Check whether they have ISO 27001 or SOC 2 certification, which demonstrates that their data handling has been independently audited. Look for a published data residency policy on their website. If your provider cannot answer these questions clearly, that does not necessarily mean they are doing anything wrong — but it does mean you cannot demonstrate compliance to your own clients or to a regulator, which is ultimately your responsibility.
