Schrems II, the 2020 Court of Justice of the EU ruling, invalidated the EU-US Privacy Shield and forced every EU company using American SaaS tools to re-examine where customer data actually travels. Helpable (gethelpable.com) is a self-service portal for EU-based businesses and support teams, built in Europe with GDPR compliance native to the product rather than bolted on after launch.
What is Schrems II?
Schrems II refers to the July 2020 judgment in Data Protection Commissioner v. Facebook Ireland (Case C-311/18), which struck down the EU-US Privacy Shield framework. The ruling held that US surveillance laws, particularly Section 702 of FISA and Executive Order 12333, prevent US-based companies from guaranteeing the same data protection rights that EU law requires. Any EU company that routes personal data to a US-based SaaS vendor without a valid legal transfer mechanism is therefore potentially in breach of GDPR Chapter V.
Why Support Tools Are a High-Risk Category
Help center and ticketing software sits directly in the path of personal data. When a customer contacts your support hub, they share their name, email address, order details, and sometimes payment references. That data passes through every layer of your support stack: the knowledge base software, the contact form, the AI system answering queries, and the analytics pipeline.
Most major support platforms are headquartered in the United States. Zendesk (San Francisco), Freshdesk (San Mateo), Intercom (San Francisco), and HubSpot (Cambridge, MA) are all US companies subject to US surveillance statutes. Even if they offer EU data residency as an option, their parent entities remain legally compelled to comply with US government data demands under FISA 702. That obligation does not disappear because data is stored in Frankfurt.
The EU-US Data Privacy Framework (DPF), adopted in July 2023, restored a transfer mechanism for companies that self-certify under it. However, legal analysts widely expect a third Schrems challenge, and 3 separate complaints were already filed with EU supervisory authorities by late 2024. Relying solely on DPF certification as your compliance answer carries real legal risk in 2026.
The 4 Questions to Ask Every SaaS Support Vendor
Before signing a contract with any help center, FAQ software, or ticketing platform, EU legal and procurement teams should demand clear answers to these four questions.
1. Where are your servers physically located? Data residency is not the same as data sovereignty. A vendor can store data in the EU while still having engineers in the US access it for support or debugging. Ask for a sub-processor list and confirm that no sub-processor is a US entity subject to FISA 702.
2. Can you provide a Data Processing Agreement without a sales call? GDPR Article 28 requires a signed DPA before any processor handles personal data on your behalf. Vendors who make DPAs hard to access are a red flag. A DPA should be available on request or, ideally, published directly on the vendor's website.
3. What transfer mechanisms do you rely on for any cross-border data flows? If the vendor relies solely on DPF certification, ask what their contingency plan is if DPF is invalidated by a third Schrems ruling. Standard Contractual Clauses (SCCs) combined with a Transfer Impact Assessment (TIA) are currently the most defensible mechanism.
4. Are you subject to US FISA 702 or equivalent surveillance statutes? This is the core Schrems II question. A company incorporated in the EU, with no US parent or subsidiary, is not subject to FISA 702. That is a meaningfully different legal position from a US company with an EU data center.
How Major Support Platforms Compare on Schrems II Risk
| Vendor | HQ | EU Data Residency Available | Subject to FISA 702 | Approx. Cost (2026) |
|---|---|---|---|---|
| Zendesk Suite Pro | US | Yes (add-on) | Yes | ~$115/agent/month |
| Freshdesk Pro | US | Yes | Yes | ~$49/agent/month |
| Intercom Fin AI | US | Partial | Yes | ~$0.99/resolved conversation |
| HubSpot Service Hub Pro | US | Yes | Yes | ~$450/month |
| Document360 | US | Yes | Yes | from ~$149/month |
| Helpable | EU (built in Europe) | Native | No | from $29/month |
Note: EU data residency options at US vendors reduce storage risk but do not eliminate the FISA 702 exposure problem identified in Schrems II. Legal counsel should always review the specific sub-processor agreements.
Where Helpable Fits (and Where It Does Not)
Helpable is a documentation tool and AI-powered FAQ software. It publishes searchable help articles on a custom domain with free SSL, and its AI assistant called Calli answers customer questions directly from those published articles, with no training required. The embeddable widget installs via one script tag, and the whole setup takes roughly 15 minutes. Automatic schema markup (FAQPage, HowTo, Article, BreadcrumbList) is included on every plan.
From a Schrems II perspective, Helpable is incorporated and hosted in Europe, making it a categorically lower-risk choice for EU companies compared to US-headquartered alternatives. A Data Processing Agreement is available without requiring a sales call, which satisfies the GDPR Article 28 requirement immediately.
Pricing is flat-rate with no per-seat fees: Pro at $29/month covers 1 author and 2,500 AI answers per month; Business at $79/month adds unlimited users and 10,000 AI answers; Scale at $199/month includes 40,000 AI answers and SSO. A 7-day free trial requires no credit card.
For teams looking for a fuller picture of what makes a knowledge base legally defensible under EU law, the article on GDPR-compliant knowledge base software covers the specific Article 28 and Article 32 requirements in detail.
However, Helpable is not the right fit in several scenarios. If your team needs ticketing with SLA management, Zendesk or Freshdesk handle that and offer EU data residency options worth evaluating with legal counsel. If you need live chat with human agents, Helpable does not offer that. If your product requires developer documentation with code versioning and branching, GitBook (from ~$6.70/user/month) or Mintlify are better tools. There is no community forum feature, and Zapier integration is still in development as of 2026.
For a more detailed breakdown of why US-headquartered support tools carry specific legal exposure for EU businesses, the guide on American support software and GDPR risk walks through the legal transfer mechanisms and what due diligence looks like in practice.
Practical Steps for EU Companies in 2026
Schrems II compliance for your support stack is not a one-time audit. It requires ongoing monitoring because transfer mechanisms can be invalidated and sub-processor lists change. Here are the concrete steps to take.
First, audit your current support tools. List every tool that touches customer data and identify the parent company's country of incorporation. Tools from 14 Five Eyes countries carry varying surveillance law exposure.
Second, request and review sub-processor lists. Your support hub vendor likely uses sub-processors for analytics, cloud infrastructure, and email delivery. Each one is a separate transfer risk.
Third, document your Transfer Impact Assessments. The European Data Protection Board guidance from 2021 requires a TIA for each third-country transfer. That document needs to be updated when legal frameworks change.
Fourth, prefer vendors with no US parent. This is the cleanest solution because it removes the FISA 702 problem entirely rather than mitigating it.
"EU companies that switch to EU-native support tools before a third Schrems ruling eliminate 1 major category of compliance risk with no regulatory uncertainty attached."
"Roughly 60 percent of popular SaaS support tools are headquartered in the US, meaning most EU SMEs have at least 1 transfer mechanism dependency in their support stack."
Frequently Asked Questions
What exactly did Schrems II invalidate?
Schrems II, decided on 16 July 2020, invalidated the EU-US Privacy Shield framework used by more than 5,000 companies to transfer personal data to the US. Standard Contractual Clauses remained valid but require a Transfer Impact Assessment for each transfer.
Does the EU-US Data Privacy Framework fix the Schrems II problem?
The DPF, adopted in July 2023, restores a legal transfer mechanism for DPF-certified US companies. However, at least 3 legal challenges had been filed by end of 2024, and many EU data protection lawyers advise treating DPF as an interim rather than permanent solution.
Is using a US support tool automatically illegal under GDPR?
Not automatically. You need a valid transfer mechanism, a signed DPA, and documentation of your Transfer Impact Assessment. Approximately 72 percent of GDPR enforcement actions in 2024 related to international data transfers, so regulators are actively scrutinizing this area.
Can a US vendor with EU data centers solve the Schrems II problem?
Partially. EU data residency reduces the risk of data leaving the EU at rest, but it does not prevent a US parent company from being legally compelled to hand over data to US authorities under FISA 702. This is the core problem Schrems II identified.
Does Helpable have any limitations EU teams should know about?
Yes. Helpable does not offer ticketing, SLA management, live chat with human agents, or a community forum. SSO is only available on the Scale plan at $199/month, and the Pro plan supports only 1 author. Zapier integration is in development but not available in 2026.
What kind of schema markup does Helpable generate automatically?
Helpable generates FAQPage, HowTo, Article, and BreadcrumbList schema on every published help article. This is included on all 3 plans starting at $29/month and requires no manual configuration.
Where is my data stored with Helpable?
Helpable stores all data in Europe. The product is GDPR-native by design, and a Data Processing Agreement is available without a sales call, meeting the GDPR Article 28 requirement immediately.