The takeover of the German email security provider Hornetsecurity by the US group Proofpoint is causing unrest in the industry – and rightly so. This is because it shows once again how important it is to consciously opt for email security solutions that are not only technologically convincing, but also uncompromising in terms of data protection, location and sovereignty.
In times of growing geopolitical tensions, complex regulatory requirements and increasing cyber threats, the question is coming into focus: Who do we trust with our email communication – and under whose legal framework is our data processed?
The takeover of Hornetsecurity: A factual classification
Hornetsecurity was acquired by Proofpoint, a leading provider of IT and email security based in the USA, with effect from the beginning of 2025. Proofpoint in turn belongs to the Thoma Bravo group of companies – a private equity investor with a broad technology portfolio.
This means that a German provider with a strong market presence and a large customer base is finally passing into American hands. Although the technical expertise remains the same, the legal framework under which data processing will take place in the future is shifting significantly. The influence of the US CLOUD Act, which allows US authorities to access data from US companies worldwide under certain circumstances, can no longer be ruled out.
This is a critical point, especially for data-sensitive organizations such as those in the public sector.
What does this mean for companies and authorities?
The case impressively demonstrates that the email security market is not a purely technical matter. It is closely linked to issues of digital sovereignty, compliance with data protection standards and long-term control over business-critical communication processes.
IT managers need to ask themselves:
- Who operates my e-mail filter?
- Where is my data processed and stored?
- What law is my provider subject to?
- How transparent and comprehensible is the data processing?
- Are there real alternatives – without geopolitical dependencies?
Why “Email security made in Germany” is now more important than ever
1. full GDPR compliance – without gray areas
Only if data is processed entirely in Germany or the EU can GDPR compliance be guaranteed without a doubt. US providers – even with European branches – are still subject to US law in case of doubt. The resulting uncertainty not only jeopardizes data protection, but also the trust of customers and partners.
2. no cloud dependency, no hidden risks
Many solutions are based on cloud platforms of large hyperscalers. These are often US-based – and therefore potentially a risk. An independent German provider such as eXpurgate operates its infrastructure entirely in-house – without third-party clouds and without transferring data abroad.
3. secure digital sovereignty – especially for critical infrastructures
At a time when IT security is part of national services of general interest, government agencies and sensitive industries need to take a particularly close look. Control over communication channels is not an optional convenience feature – it is a legal obligation and a strategic necessity.
4. technological expertise from Germany
With over 20 years of experience in the field of email security, eXpurgate is one of the most experienced providers in Europe. Billions of emails are processed every day and threats are detected and averted in real time – with intelligent filter technology developed and operated in Germany.
5. trust is created through proximity, transparency and clear responsibilities
eXpurgate is developed, operated and supported exclusively in Germany. No anonymous hotlines, no unclear support process, no black box technology. Customers know exactly who they are dealing with – and where their data is located.
A plea for a conscious choice of provider
The market is changing – and IT decision-makers must actively accompany these changes. It is no longer enough to focus solely on technical features. They are at least as important:
- Legal conformity according to EU standards
- Avoidance of international dependencies
- Local support and assistance
- Long-term data sovereignty
Companies that invest in email security today are making a strategic decision – with implications for the confidentiality, integrity and legal security of their digital communication.
Conclusion: If you want sovereignty, you have to take a close look at security
The takeover of Hornetsecurity by Proofpoint is not an isolated case, but part of a larger trend: the consolidation of European IT providers by international corporations. At the same time, there is a growing awareness of the importance of digital sovereignty, particularly in public administration, critical infrastructures and data-sensitive companies. With solutions such as eXpurgate, there are still powerful alternatives that meet the highest data protection and security requirements – without compromising on location or control.
Email remains a central communication channel – it also deserves central attention when it comes to security. Security starts with the location. And trust begins with the decision as to who you entrust with your data.