The U.S. CLOUD Act enables U.S. law-enforcement authorities to request data from U.S.-based companies, but only under strict and clearly defined legal conditions. Such requests require valid judicial authorization (such as a warrant) and must be narrowly targeted to specific individuals or accounts, not broad data sets or full customer environments.
At Proofpoint, we want to make one point absolutely clear: Proofpoint does not grant U.S. authorities direct, unrestricted access to customer data.
Any request is handled through our legal department and reviewed carefully to ensure compliance with applicable law and protection of customer privacy wherever possible.
Maximum Protection for European Customers
We apply a multilayer protection approach that reflects both U.S. legal standards and the privacy expectations of the European Union.
We defend our customers’ data through:
1. Strict legal review: Every request undergoes in-depth assessment by our compliance and legal teams to verify its legitimacy, scope, and proportionality.
2. Challenging overreach requests: If a request is overly broad, unsupported, or inconsistent with established privacy protections, we challenge it through all available legal and procedural avenues, including seeking judicial review and contesting the scope to ensure it meets strict legal standards.
3. Data minimization: Only the specific data explicitly named in a valid legal order will ever be considered for disclosure.
4. Customer notification: Whenever permitted by law (including if we believe a request is unlawful), we promptly notify affected customers, including in cases involving nondisclosure orders. We actively work to lift or limit such orders to allow customers to exercise their rights under their own national laws.
Commitment to European Standards
Although Proofpoint must comply with applicable U.S. laws, we operate according to EU-aligned principles of data minimization, proportionality, and transparency. Data does not leave its region unless required by a valid order and fully reviewed through our legal processes. Further, Proofpoint has never received a valid CLOUD Act request for customer data. This underscores the very narrow and exceptional circumstances in which such requests occur for non-email mailbox providers, such as Proofpoint.
Our commitment remains firm: We are dedicated to safeguarding customer data across borders and upholding privacy rights worldwide.
© 2025 Proofpoint. All rights reserved. The content on this site is intended for informational purposes only.
Last updated November 21, 2025.
