KVKK and Data Sovereignty: The Risks of Offshore Email
Microsoft and Google store your emails in overseas data centers. What do KVKK compliance, the CLOUD Act and cross-border data transfer mean for you? A practical guide.
Where are the emails you store in Microsoft 365 and Google Workspace physically located? Mostly in data centers in the U.S., Ireland or the Netherlands. But is that a problem?
The answer depends on your industry, your data type and your legal obligations. In this guide we examine the topic in four layers: legal compliance, technical access risk, operational dependency, and migration practice.
1. Legal Layer — What Does KVKK Say?
The Turkish Personal Data Protection Law (KVKK), Law No. 6698, sets specific conditions under Article 9 for transferring personal data abroad:
- The data subject’s explicit consent, or
- Transfer to a country with adequate protection (KVKK’s “adequate countries” list is still limited), or
- A written undertaking + Board approval
Because Microsoft and Google physically store data of customers in Türkiye in U.S. or EU data centers, this usage counts as a transfer abroad. Companies in this situation are required to sign a Data Processing Agreement (DPA) and Standard Contractual Clauses (SCC). Most SMBs skip this step — because they’re not aware of it. During a KVKK audit, this gap can lead to administrative fines starting from 50,000 TL.
Ulakmail’s approach: All data is kept within Türkiye’s borders. There is no “transfer abroad” under KVKK Article 9; no DPA or SCC is required.
2. Technical Layer — The CLOUD Act and Foreign Courts
The U.S. CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which came into force in 2018, allows U.S.-based cloud providers to be required by U.S. court order to hand over customer data.
The critical point: The physical location of the data is irrelevant. If you entrust data to a U.S. company — Microsoft, Google or Amazon — U.S. law can theoretically reach that data.
| Provider | Company HQ | Within CLOUD Act scope? |
|---|---|---|
| Microsoft 365 | U.S. | Yes |
| Google Workspace | U.S. | Yes |
| Amazon WorkMail | U.S. | Yes |
| Ulakmail | Türkiye | No |
The EU’s Schrems II ruling has further complicated U.S.–EU data transfer compliance. Even though Türkiye does not yet have an enforcement mechanism as comprehensive as GDPR, companies must still track these developments.
3. Operational Layer — Real-World Risks
Beyond the legal questions, the following scenarios can play out in practice:
Service outage or account lockout
During the war in Ukraine, Microsoft locked some Russian companies out of their accounts. Geopolitical tensions can affect Türkiye too. A foreign company’s commercial decision can instantly cut off your access to all your customer correspondence.
Content moderation
Major platform companies can suspend accounts algorithmically or manually. The appeal process is in English, the support line is international, and resolution takes days or weeks.
Provider bankruptcy or acquisition
This risk is higher for small cloud services, but large platforms can also unilaterally change their terms of service. Your data passes into the control of another company.
Billing interruption
If a credit card fails or a payment issue arises, an account can be suspended within 30–60 days. All your customer communication stops at that moment.
You may say “these aren’t very likely.” Correct. But on the risk matrix, low probability × high impact is not zero.
4. KVKK Compliance Cost — Offshore vs. Domestic Comparison
Typical steps for companies using a foreign provider that want to comply with KVKK:
| Step | Description | Estimated Cost |
|---|---|---|
| Data Processing Inventory | What data is processed where | 1–2 weeks of labor |
| DPA / SCC documentation | Lawyer review and signing | 5,000–15,000 TL |
| Explicit consent flow design | User consent mechanism | Software development cost |
| VERBİS registration | Notification to the Board | Free, but preparation time matters |
| Continuous auditing | Annual review | Consultancy fees |
With a domestic provider, the offshore-transfer dimension disappears. VERBİS and the inventory are still required, but their scope is much narrower and easier to manage.
5. Which Sectors Is This Critical For?
| Sector | Risk Level | Why |
|---|---|---|
| Healthcare | Very High | Patient data is “special category” under KVKK Article 6 |
| Legal / Accounting | High | Client confidentiality and professional secrecy |
| Finance | High | BDDK and SPK regulations |
| Public sector / SOEs | High | Domestic hosting is mandated |
| Defense industry | Very High | Most contracts require domestic hosting |
| General SMB | Medium | KVKK obligations exist; risk is manageable |
6. Migration to a Domestic Provider — Step by Step
Migration does not mean losing years of accumulated email:
Step 1 — IMAP migration
Your existing emails are transferred to the new server with automated tools. Folder structure and dates are preserved.
Step 2 — DNS updates
MX, SPF, DKIM and DMARC records are configured once. See our guides for MX record configuration and SPF/DKIM/DMARC setup.
Step 3 — Parallel operation period
The old and new systems work side by side until the DNS TTL expires. No emails are lost during this period.
Step 4 — Close the old account
Once the new system is running smoothly, the data at the old provider is deleted — the offshore-data risk disappears entirely.
Ulakmail manages this migration free of charge. Average duration: 2–4 hours. Downtime: zero.
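As an added example (not Ulakmail’s tooling and not part of the original guide), the check below validates the planned MX, SPF, DKIM and DMARC records from Step 2 before they are published and sizes the Step 3 parallel-operation window from the largest record TTL; every hostname, SPF include and DMARC address in it is a constructed placeholder. It also makes explicit a point the steps leave implicit: while both systems are running, the old provider must stay authorized in SPF, or mail still leaving it fails SPF and, unless it is DKIM-signed with a still-published selector, DMARC as well.

```python
# Added example, not Ulakmail's own tooling. Hostnames and includes are placeholders.
from dataclasses import dataclass

@dataclass
class DnsPlan:
    mx: list                 # MX targets the domain will publish
    spf: str                 # TXT record at the domain apex
    dmarc: str               # TXT record at _dmarc.<domain>
    dkim_selectors: list     # DKIM selectors published for the new provider
    max_ttl_seconds: int     # largest TTL among the records being changed

def spf_includes(spf):
    """Return the include: domains of an SPF record."""
    return [m.split(":", 1)[1] for m in spf.split() if m.startswith("include:")]

def dmarc_tags(dmarc):
    """Parse a DMARC TXT record into a tag dictionary."""
    return dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)

def parallel_window_hours(max_ttl_seconds):
    """Step 3: keep the old system up at least until every cached record has expired."""
    return -(-max_ttl_seconds // 3600)          # ceiling division

def check_cutover(plan, new_mx_suffix, old_include, new_include, parallel):
    """Return findings for the planned records; an empty list means safe to publish."""
    findings = []
    # Step 2: every MX target must already belong to the new provider
    if not plan.mx or not all(h.lower().endswith(new_mx_suffix) for h in plan.mx):
        findings.append("MX: every target must point at the new provider")
    incl = spf_includes(plan.spf)
    if not plan.spf.startswith("v=spf1") or plan.spf.split()[-1] not in ("-all", "~all"):
        findings.append("SPF: record must start with v=spf1 and end with -all or ~all")
    if new_include not in incl:
        findings.append("SPF: new provider is not authorized to send")
    # Step 3: mail still leaving the old system must pass SPF while both run,
    # otherwise receivers enforcing DMARC treat it as spoofed; drop it only at Step 4
    if parallel and old_include not in incl:
        findings.append("SPF: old provider must stay authorized during parallel operation")
    if not parallel and old_include in incl:
        findings.append("SPF: remove the old provider after the old account is closed")
    tags = dmarc_tags(plan.dmarc)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("DMARC: record needs v=DMARC1 and a valid p= policy")
    if not plan.dkim_selectors:
        findings.append("DKIM: publish at least one selector for the new provider")
    return findings
```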
Frequently Asked Questions
Are Microsoft 365 or Google Workspace KVKK-compliant?
Both attempt to ensure compliance through DPA and SCC mechanisms; however, because data is physically stored abroad, it counts as a transfer abroad under KVKK Article 9. Without a signed DPA this requirement remains incomplete and creates a fine risk during audits.
Where are my emails stored at Ulakmail?
All data is held in data centers within Türkiye’s borders. There is no transfer abroad under KVKK Article 9; no additional legal step is required.
How does the CLOUD Act affect me?
U.S.-based providers like Microsoft or Google may be required by U.S. court order to share your data — regardless of the data’s physical location. Ulakmail is a company subject to Turkish law; only Turkish jurisdiction applies.
Do these risks really matter for a small SMB?
They are critically important for sensitive sectors such as healthcare, legal and finance. While the risk is lower for general SMBs, KVKK obligations apply to all businesses. Domestic hosting both reduces the compliance burden and keeps you in control.
What documents are requested in a KVKK audit?
VERBİS registration, the Data Processing Inventory, DPA/SCC or explicit consent records for offshore transfers, and a data breach notification procedure. With a domestic provider, the need for DPA/SCC documents is reduced.
How are old emails managed under KVKK after migration?
Emails moved via IMAP are transferred to servers in Türkiye. When you close your Microsoft and Google accounts, the data there is deleted — the offshore-transfer risk disappears entirely.
Offshore data storage is not “dangerous” per se — but it is a dependency outside your control. KVKK compliance, the CLOUD Act, geopolitical risk and operational dependency are all low-probability but high-impact events. Domestic infrastructure does not eliminate these risks; it gives control back to you.