Dembrane · spashii · Jun 5, 2026 · Jun 4, 2026 · Jun 4, 2026 · coderabbitai
diff --git a/echo/server/.env.sample b/echo/server/.env.sample
@@ -91,7 +91,12 @@ EMBEDDING_API_VERSION=
 # Email (SendGrid)
 ############################################################
 # API key for SendGrid transactional emails. Leave empty to disable sends.
+# For EU data residency this must be an EU regional subuser key.
 SENDGRID_API_KEY=
+# Data residency region: "eu" (default, routes via api.eu.sendgrid.com) or
+# "global". "eu" keeps recipient PII and content in EU data centers and
+# requires the key above to belong to an EU regional subuser.
+SENDGRID_REGION=eu
 EMAIL_FROM=do-not-reply@dembrane.com
 EMAIL_FROM_NAME=dembrane
 # Where "Request upgrade" CTAs route. Shared inbox per matrix v1.1 §11.

diff --git a/echo/server/AGENTS.md b/echo/server/AGENTS.md
@@ -10,6 +10,15 @@ Cross-cutting rules (Directus, BFF, LLM model groups, Dramatiq/gevent, transcrip
 - Embeddings: populate `EMBEDDING_*` env vars (model, key, base URL, version) before calling `dembrane.embedding.embed_text`. The placeholder in `dembrane/embedding.py` is not yet the production implementation
 - Production API uses a **custom asyncio uvicorn worker** (`dembrane.asyncio_uvicorn_worker.AsyncioUvicornWorker`); avoid `uvloop` for `nest_asyncio` compatibility
 
+## Email (two independent senders)
+
+There are two separate email paths and they are easy to conflate. They use different transports, keys, and config.
+
+1. **App transactional email**: `dembrane/email.py` → SendGrid **HTTP API**, keyed by `SENDGRID_API_KEY`. This is the main path: workspace invites, tier notifications, digests, auth emails. Called from `tasks.py` (Dramatiq) and `api/v2/*`. The Python app does **not** read any `*_SMTP_*` vars.
+2. **Directus-native email**: the `echo-directus` container → SendGrid **SMTP** (`smtp.sendgrid.net`), keyed by `EMAIL_SMTP_PASSWORD` (sealed as `DIRECTUS_EMAIL_SMTP_PASSWORD`). Only for emails Directus generates itself. Configured on the Directus deployment, never in `dembrane/settings.py`.
+
+EU data residency: `SENDGRID_REGION=eu` makes `email.py` route through `api.eu.sendgrid.com` (`set_sendgrid_data_residency`), but the key must belong to an **EU regional subuser**, a global-account key is not EU-resident even on the EU host. The Directus path must be moved separately (`smtp.eu.sendgrid.net` + EU key); changing one does not affect the other.
+
 ## Background task design
 
 When fixing or extending Dramatiq flows:

diff --git a/echo/server/dembrane/email.py b/echo/server/dembrane/email.py
@@ -177,6 +177,12 @@ def send_email_sync(
         )
 
         sg = SendGridAPIClient(api_key)
+        # Pin the send to a data-residency region. "eu" routes through
+        # api.eu.sendgrid.com so recipient PII and content stay in the EU.
+        # The key must belong to a subuser in this region.
+        region = settings.email.sendgrid_region
+        if region and region != "global":
+            sg.set_sendgrid_data_residency(region)
         response = sg.send(message)
 
         if response.status_code >= 400:

diff --git a/echo/server/dembrane/settings.py b/echo/server/dembrane/settings.py
@@ -323,6 +323,15 @@ class EmailSettings(BaseSettings):
             "SENDGRID_API_KEY", "EMAIL__SENDGRID_API_KEY", "EMAIL_SMTP_PASSWORD"
         ),
     )
+    # SendGrid data residency region. "eu" routes sends through
+    # api.eu.sendgrid.com so recipient PII and content stay in EU data
+    # centers (GDPR). Requires an EU regional subuser key. "global" uses
+    # api.sendgrid.com. The key must belong to a subuser in this region.
+    sendgrid_region: str = Field(
+        default="eu",
+        alias="SENDGRID_REGION",
+        validation_alias=AliasChoices("SENDGRID_REGION", "EMAIL__SENDGRID_REGION"),
+    )
     from_email: str = Field(
         default="do-not-reply@dembrane.com",
         alias="EMAIL_FROM",