Top SMTP Clients: Compliance Comparison
Summary
This article compares five widely used SMTP email providers (SendGrid, Mailchimp, Mailgun, Amazon SES, and Brevo) against HIPAA, GDPR, and SOC 2. It is meant to help businesses choose a provider whose compliance posture matches the data they intend to send.
Key insights:
HIPAA Compliance: Only Mailgun and Amazon SES can be used for PHI. Both require a signed Business Associate Agreement (BAA), and Amazon SES additionally requires the customer to configure it correctly (for example, to enforce TLS on delivery).
GDPR Compliance: All five providers—SendGrid, Mailchimp, Mailgun, Amazon SES, and Brevo—ensure GDPR compliance with varying features and tools.
SOC 2 Reports: SendGrid, Mailchimp, Mailgun, and Amazon SES have completed SOC 2 audits (SOC 2 is an auditor's attestation report, not a certificate) and can supply the report under NDA.
Amazon SES Flexibility: Amazon SES is HIPAA eligible and can be operated in line with GDPR, but under AWS's shared responsibility model the customer owns the encryption settings, IAM policies, and data handling.
Brevo Security: Brevo publishes no SOC 2 information. It describes strong security controls and ISO certifications, and because its servers are in the EU it is directly subject to GDPR and structures its data handling accordingly.
General Use vs. PHI: While SendGrid and Mailchimp are not HIPAA compliant, they are suitable for general communications and marketing, but not for handling PHI.
Introduction
Businesses today depend on efficient and reliable email. Email capabilities are commonly integrated into content management systems such as HubSpot and WordPress, e-commerce platforms, and custom-built applications. Sending transactional email at scale, with speed and reliability, is hard to do well. Transactional emails are one-to-one messages triggered by a user action, such as password reset requests or order confirmations.
Therefore, many platforms rely on SMTP (Simple Mail Transfer Protocol) email services rather than handling email sending internally. These platforms often provide built-in SMTP plugins for seamless integration with SMTP providers and can also manage marketing campaigns.
When selecting an SMTP relay provider, it is crucial to check its compliance with the regulatory standards that apply to your data: HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation), and SOC 2 (System and Organization Controls). This article compares five popular providers on these three points, in no particular order.
1. SendGrid
SendGrid is a leading provider of email infrastructure as a service. It delivers over 100 billion non-spam emails monthly for over 80,000 paying customers, including technology giants like Airbnb, Spotify, and Uber. Part of the Twilio product family since 2019, it is a versatile email communication platform that facilitates automated transactional communications and effective email marketing campaigns.
HIPAA
SendGrid is not HIPAA compliant and does not support the transmission of Protected Health Information (PHI). According to their Terms of Service, the platform lacks the necessary encryption and security measures required for HIPAA compliance, and users are prohibited from using the service for any purpose involving PHI or Nonpublic Personal Information.
Despite this limitation, healthcare organizations can still use SendGrid for general communications and marketing campaigns, such as patient reminders, newsletters, and volunteer requests. To handle PHI securely, alternative solutions specifically designed for HIPAA compliance are recommended. Organizations should consider additional measures, such as multi-factor authentication and separate teams for marketing and administrative tasks, to mitigate compliance risks and avoid potential HIPAA violations.
GDPR
SendGrid is committed to GDPR compliance and supports its emphasis on data privacy and security. To ensure compliance, SendGrid offers a GDPR-compliant Customer Data Processing Agreement, which has been incorporated into Twilio’s Terms of Service since January 1, 2020. This agreement addresses GDPR obligations and cross-border data transfers and includes jurisdiction-specific terms. Additionally, SendGrid has updated vendor agreements to include GDPR-compliant terms for all sub-processors.
To further support GDPR compliance, SendGrid has implemented behind-the-scenes changes, including improved access controls, account and record deletion, security measures, and continuous audits. The company actively works with its engineering, product, and security teams to respond to data subject requests and ensure compliance for all new products and enhancements. SendGrid also regularly evaluates and updates its Privacy and Cookie Notices to maintain alignment with GDPR requirements. More information on SendGrid’s privacy and security measures is available on their website.
SOC 2
SendGrid has completed a SOC 2 Type II audit, which attests that its data protection controls operated effectively over the audit period. Access to systems and data at SendGrid is restricted to personnel who need it. Key security measures include employee background checks, signed confidentiality agreements, termination and access-removal processes, and acceptable-use agreements. Employees receive training to identify and address security risks, so that they can prevent security issues proactively. The data centers that host SendGrid's systems also have SOC 2 Type II reports and the expected physical security measures.
2. Mailchimp
Mailchimp, initially an email marketing solution, has evolved into a comprehensive service offering tools for e-commerce, digital marketing, and audience management. As a result, standalone purchases of specific features, like Mailchimp Transactional's SMTP capabilities, are no longer available. With over 11 million users and 22 years of experience, Mailchimp is one of the world's most-used email marketing platforms.
HIPAA
Mailchimp is not HIPAA compliant and cannot be used to send or manage emails containing PHI. The platform does not provide the necessary assurances and does not enter into Business Associate Agreements (BAAs), which HIPAA requires of any vendor that handles PHI on a covered entity's behalf. Mailchimp can be used for general marketing and newsletters, but not for collecting, maintaining, or transmitting PHI. Covered entities and business associates must obtain patient authorization before including any PHI in marketing communications, and even with that authorization, sending it through Mailchimp would still require a BAA that Mailchimp does not offer. Mailchimp's terms state that it is not responsible for its users' HIPAA compliance. Encryption and other security measures are present, but without a BAA they do not make the service usable for PHI.
GDPR
Mailchimp complies with the GDPR by clearly outlining its data privacy practices, incorporating European Union (EU) Standard Contractual Clauses in its Data Processing Addendum, and ensuring GDPR readiness in its contracts with third-party vendors. It also builds GDPR-friendly features, appoints a Data Protection Officer (DPO), and at the time of writing cited the EU-US and Swiss-US Privacy Shield Frameworks. Note that the Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so EU-to-US transfers now rest on the Standard Contractual Clauses (and, since 2023, the EU-US Data Privacy Framework for providers certified under it); check the current DPA rather than relying on Privacy Shield language.
To assist customers with GDPR compliance, Mailchimp provides tools and features such as GDPR-friendly forms with opt-in consent options, double opt-in settings, tools for exporting and deleting contact information, and additional fields in its API for managing marketing permissions. Enhanced security features are also available to prevent unauthorized access and manage data control.
SOC 2
Mailchimp completes an annual SOC 2 Type II examination against the Trust Services Criteria for Security, Processing Integrity, Confidentiality, and Availability. It also publishes a SOC 3 report, the public summary version of the SOC 2 report.
3. Mailgun
Mailgun is a flexible and scalable email-sending platform designed to help businesses manage their email communications efficiently. It provides tools for sending, tracking, and optimizing emails, making it suitable for a wide range of applications. With an extensive API and robust integration capabilities, Mailgun supports over 150,000 companies in creating connected experiences and enhancing their email strategies.
HIPAA
Mailgun supports HIPAA-regulated use through a platform that encrypts messages both at rest and in transit, uses encrypted databases, and applies internal security measures including employee training, asset tracking, security tooling, and malware protection. These controls are documented in its SOC 2 Type II and HIPAA reports. Mailgun acts as a Business Associate and requires customers to sign a BAA before sending PHI, so that both parties' legal obligations are defined.
GDPR
Mailgun has undertaken significant measures to ensure compliance with the GDPR. This includes a thorough risk analysis of its applications processing personal data, implementing policies and procedures to detect and report data breaches, updating security controls, and appointing a Data Protection Officer. The platform also provides regular data protection training for employees and maintains a record of data processing activities. Mailgun supports data subject rights with self-service features for managing personal data and commits to responding to data subject requests within seven days.
For data processing, Mailgun uses various sub-processors, including major cloud infrastructure providers, and ensures compliance through appropriate measures and agreements. It offers customers a Data Processing Agreement (DPA), adhering to Article 28 of the GDPR. To facilitate legal data transfers outside the European Economic Area (EEA), Mailgun implements EU Model Standard Contractual Clauses and ensures robust technical and organizational measures for data protection and encryption.
SOC 2
Mailgun has completed both SOC 2 Type I and Type II audits. A Type I report verifies that security controls are suitably designed at a point in time, while a Type II report tests that they operated effectively over a period. Mailgun's SOC 2 Type II scope also covers change management and incident response processes, and Mailgun reports no breaches in the past 12 months. Its audits are conducted by A-LIGN, an established audit firm with global reach.
4. Amazon SES
Amazon Simple Email Service (Amazon SES) allows you to efficiently reach your customers without needing an on-premises SMTP server, using either the Amazon SES API or SMTP interface. It is a cost-effective solution, often chosen by major companies like Amazon, Netflix, and Duolingo, for sending emails on a vast global scale.
HIPAA
As of July 2019, Amazon SES is HIPAA Eligible, meaning it may be used for HIPAA-regulated workloads provided a HIPAA BAA is in place with AWS. Amazon SES does not encrypt message bodies end to end on its own; you can apply S/MIME or PGP to the message content yourself before handing it to SES. Connections from your application to the SES API and SMTP interface must use TLS (SES rejects unencrypted SMTP authentication). The caveat is the outbound leg from SES to the recipient's mail server: by default SES uses opportunistic TLS, meaning it attempts a STARTTLS handshake but falls back to sending the message in plaintext if the receiving server does not support it or the handshake fails. SES can be configured, per configuration set, to require TLS for delivery instead; with that setting, messages to recipients whose mail servers do not support TLS are not delivered, which is the intended trade-off for PHI.
GDPR
Amazon SES follows the Amazon Web Services (AWS) Shared Responsibility Model, where AWS secures the underlying infrastructure, and customers manage their content and configurations. Under GDPR, AWS is the data processor, and customers are responsible for managing and securing the personal data they handle through SES.
Amazon SES can be configured to meet GDPR requirements, including encryption of data in transit with TLS, but the customer must set up and maintain those encryption settings and other secure configurations. AWS provides tools that support GDPR compliance, such as AWS Identity and Access Management (IAM) for least-privilege access to the sending identity and AWS encryption services for data at rest, yet responsibility for using SES in a GDPR-compliant way stays with the customer. For additional guidance, AWS offers resources such as the AWS Security Best Practices whitepaper and the GDPR Center.
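The opportunistic-TLS behaviour described in the HIPAA section, and the "encryption in transit" item the customer owns under GDPR, both come down to one delivery setting. The following is an added example, not AWS, SES or smtplib code: it models how a sender behaves under the two policies SES accepts for a configuration set's TlsPolicy (OPTIONAL, the default, and REQUIRE; on the real service you set it with `aws sesv2 put-configuration-set-delivery-options --configuration-set-name <name> --tls-policy REQUIRE`). The receiving mail servers, addresses and message are constructed stubs so that it runs offline.

```python
"""Opportunistic vs. required TLS on outbound mail delivery.

Added example (not AWS, SES or smtplib code). It models the behaviour the
Amazon SES section describes: with the default opportunistic policy the
sender tries STARTTLS and falls back to plaintext when the receiving MX does
not offer it or the handshake fails; with a 'require' policy delivery is
refused instead. The receiving MXs are constructed stubs so this runs offline.
"""
import enum
import ssl


class TlsPolicy(enum.Enum):
    """Mirrors the two values SES accepts for a configuration set's TlsPolicy."""
    OPTIONAL = "OPTIONAL"   # SES default: opportunistic TLS
    REQUIRE = "REQUIRE"     # refuse plaintext delivery


class StubMX:
    """Constructed stand-in for an smtplib.SMTP session to a recipient's MX."""

    def __init__(self, name, starttls=True, handshake_ok=True):
        self.name = name
        self.esmtp_features = {"starttls": ""} if starttls else {}
        self.handshake_ok = handshake_ok
        self.encrypted = False
        self.delivered = []

    def has_extn(self, ext):                      # same contract as smtplib.SMTP.has_extn
        return ext.lower() in self.esmtp_features

    def starttls(self, context):
        if not self.handshake_ok:                 # e.g. peer only offers TLS 1.0
            raise ssl.SSLError("handshake failed")
        self.encrypted = True

    def sendmail(self, sender, rcpt, msg):
        self.delivered.append((sender, rcpt, msg, self.encrypted))


def tls_context():
    """Verifying context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def deliver(mx, policy, sender, rcpt, msg):
    """Attempt delivery to one MX; returns (delivered, encrypted, reason)."""
    if mx.has_extn("starttls"):
        try:
            mx.starttls(context=tls_context())
        except ssl.SSLError as exc:
            if policy is TlsPolicy.REQUIRE:
                return False, False, f"TLS required, handshake failed: {exc}"
            # OPTIONAL: continue in plaintext. This silent fallback is what
            # makes the default unsuitable for PHI or other regulated content.
    elif policy is TlsPolicy.REQUIRE:
        return False, False, "TLS required, MX does not advertise STARTTLS"
    mx.sendmail(sender, rcpt, msg)
    return True, mx.encrypted, "delivered"


def run_demo():
    """Deliver one constructed message to three MX profiles under both policies."""
    profiles = {
        "modern":  dict(starttls=True,  handshake_ok=True),   # STARTTLS, TLS 1.2+
        "no-tls":  dict(starttls=False, handshake_ok=True),   # plaintext-only MX
        "old-tls": dict(starttls=True,  handshake_ok=False),  # STARTTLS offered, handshake fails
    }
    results = {}
    for name, kwargs in profiles.items():
        for policy in TlsPolicy:
            mx = StubMX(name, **kwargs)
            delivered, encrypted, _reason = deliver(
                mx, policy, "noreply@example.com", "patient@example.org",
                "Subject: test\r\n\r\nconstructed message body")
            results[(name, policy.value)] = (delivered, encrypted)
    return results


if __name__ == "__main__":
    for (mx, policy), (delivered, encrypted) in run_demo().items():
        print(f"{mx:8} {policy:8} delivered={str(delivered):5} encrypted={encrypted}")
```

Under OPTIONAL every message is delivered, but two of the three end up on the wire unencrypted; under REQUIRE the same two are refused. That undelivered set is the cost the HIPAA section warns about, and for PHI it is the correct outcome: bounce and investigate rather than deliver in the clear.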
SOC 2
AWS SOC reports are third-party evaluations of AWS's compliance with key controls and objectives; AWS issues SOC 1, 2, and 3 reports on a regular cadence. The SOC 2 report, specifically, assesses AWS's control environment for system security, availability, confidentiality, and privacy.
Ernst & Young LLP conducts these audits, and AWS issues SOC 2 reports twice per year, each covering a 12-month period. The SOC 2 report is intended for users who need an independent review of AWS's controls in these areas and is available from AWS Artifact. Note that the report covers the SES service itself; your own use of SES (IAM policies, configuration sets, logging) is outside its scope.
5. Brevo
Brevo, formerly known as Sendinblue, rebranded in March 2023 and caters to new and growing businesses with its comprehensive suite of marketing tools. Offering marketing automation, SMS marketing, Facebook ads, and more, Brevo provides a robust platform for managing and optimizing customer interactions. Originating as a digital agency, Brevo has expanded its services and now supports email sending via SMTP, although this feature requires activation through its team. With over 175,000 client companies and offices across Europe, the United States, and India, Brevo is a well-established player in the marketing technology space.
HIPAA
Brevo is not HIPAA compliant, like most other major SMTP email providers. It does encrypt email, but encryption alone is not sufficient: HIPAA requires a BAA with any vendor that handles PHI on your behalf, and using Brevo for PHI without one is not advisable without legal counsel. Some external integrations not affiliated with Brevo, such as Keragon, advertise HIPAA-compliant workflows that use Brevo; bear in mind that such an integration can only cover the data it handles itself, and PHI that passes through Brevo's own infrastructure remains subject to Brevo's terms.
GDPR
To prepare for GDPR, Brevo worked with users, account managers, product and technical teams, and legal counsel to identify critical milestones. It provides resources for GDPR-compliant use of the platform, covering importing contacts, building email subscription forms, and creating email campaigns. Brevo supports the rights to rectification, portability, and erasure, manages subscriber preferences, and keeps proof of consent. It notifies users of data breaches promptly and has implemented additional security measures and a data traceability system. Brevo states that it ensures GDPR compliance across its data processing chain, verifies its partners' transfer mechanisms (its documentation refers to Privacy Shield certification, which was invalidated in July 2020, so check for Standard Contractual Clauses or Data Privacy Framework coverage instead), and keeps its legal documentation up to date. Internally, Brevo has optimized procedures, increased employee awareness, and appointed a DPO. Brevo's servers are located in the EU, so GDPR applies to it directly. It also encrypts account details before backing them up.
SOC 2
Brevo does not publish information on whether it obtains SOC reports, although it describes robust security measures and holds International Organization for Standardization (ISO) security certifications.
Summary Table
The main points of comparison, as covered above:

Provider      HIPAA                                  GDPR   SOC 2
SendGrid      No (PHI prohibited by terms)           Yes    SOC 2 Type II report
Mailchimp     No (no BAA offered)                    Yes    SOC 2 Type II report, SOC 3 report
Mailgun       Yes (BAA required)                     Yes    SOC 2 Type I and Type II reports
Amazon SES    Eligible (AWS BAA plus TLS enforcement) Yes   SOC 2 report via AWS Artifact
Brevo         No                                     Yes    Not published (ISO certifications)

A separate article covers the other features and pricing of the services included in this guide.
Conclusion
When selecting an SMTP email provider, consider its compliance with the regulatory standards that apply to your data, such as HIPAA, GDPR, and SOC 2. Among the five providers compared here, Mailgun and Amazon SES are the only ones usable for PHI, and only with a signed BAA and, for SES, the right delivery configuration. All five support GDPR-compliant use. SendGrid, Mailchimp, Mailgun, and Amazon SES have SOC 2 reports available, while Brevo publishes no SOC 2 information but describes robust security measures. Weighing these factors against the sensitivity of the data you send will point to the right provider for secure and reliable email.
Secure and Compliant Email Communication Starts Here
Looking for a reliable and secure SMTP email service provider that meets your compliance needs? At Walturn, we help businesses integrate top email clients that comply with HIPAA, GDPR, and SOC 2 standards. From Mailgun's scalable solutions to Amazon SES's robust security features, we'll guide you in choosing the right provider to enhance your email communication strategy. Ensure your emails are delivered securely and reliably—partner with us to optimize your email capabilities today!