Developer Advocate @IOMETE
The spam scoring caught my eye — 45+ heuristic signals is a lot. How do you handle false positives for transactional emails? A password reset or order confirmation might legitimately trigger some of those signals (no unsubscribe, image-heavy, urgent language) even though they're completely clean emails. Does the transactional exemption you mention cover most of those cases or is there still manual tuning needed?
Worth separating two things the thread keeps conflating: data residency and data sovereignty are not the same, and the CLOUD Act is the clearest proof. Residency = where data physically sits. Sovereignty = who legally controls it. You can store data on AWS Frankfurt and still have zero sovereignty; the controlling entity is US-domiciled and fully subject to the CLOUD Act. Geographic residency without legal sovereignty is essentially compliance theater. Real sovereignty requires the controlling entity, jurisdiction, and infrastructure layer to sit outside US reach, which typically means infrastructure you actually operate, not just "hosted in your region" SaaS.
(Disclosure: I work at IOMETE where we think about this a lot. I am happy to go deeper if useful.)