Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Mailbox.org

VERIFIED
Private email · Germany
Founded 2014 · mailbox.org ↗

Berlin-based private email + drive + meet + office bundle (Heinlein Support GmbH); ISO 27001 + BSI C5, €1/mo entry.

In short

Mailbox.org, in the Private email category, is an EU-owned service with Germany as its hosting location and no identified CLOUD Act exposure.

Assessment notes

Mailbox.org is operated by Heinlein Support GmbH (Berlin, founded 2014) on own German data centres, holds ISO/IEC 27001:2022 + BSI C5 Type 1 (rare full BSI-standard certification for an SMB email vendor), GDPR-compliant, PGP-supported, 100% renewable energy; entry tier €1/mo; EU-owned, EU-hosted, with no CLOUD Act exposure.

CLOUD ACT
OWNERSHIP
SUB-PROCS
0 none disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Privacy
  • End-to-end encryption
    Optional PGP (Guard/Mailvelope); mail is not zero-access encrypted by default.
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Mailbox.org

Mailbox.org (operated by Heinlein Support GmbH, Berlin) is a procurement-grade German private-email-plus-productivity suite (Mail + Drive + Meet + Office in a single bundled offering), entry tier from €1/mo (Light), business plans from €1/user/mo. The compliance posture is rare: ISO/IEC 27001:2022 + BSI C5 Type 1 (Bundesamt für Sicherheit in der Informationstechnik Type-1 Cloud Computing Compliance certification, the BSI's standard for trusted cloud services in Germany), plus full PGP support for end-to-end-encrypted mail. Servers in own German data centres on 100% renewable energy. Slogan "Ihre Daten. Ihre Kontrolle." For DACH compliance buyers this is one of the cleanest picks across the entire directory.

SUB-PROCESSORS

Sub-processor map · none disclosed

Source ↗
Vendor discloses zero sub-processors. All data processing happens in-house.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
C5
ACTIVE
FEATURES

Capability matrix

Encryption TLS
Mailbox storage 2 GB
Email aliases 3 aliases
Custom domain Yes
IMAP / SMTP Yes
Calendar Yes
Contacts Yes
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log No
Self-host / on-prem option No
PRICING

Pricing & tiers

PAID
from €1/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

DPA accessibility is not scored for this listing. Self-hosted or local software, vendors that are not data processors, and products carrying a SecNumCloud, EUCS or BSI C5 certification are not assessed on DPA accessibility. See How we assess.
  • Data Processing Addendum (DPA)
    — not assessed
    n/a
  • Sub-processors list
    mailbox.org/de…
    Open ↗
  • Terms of Service
    mailbox.org/en…
    Open ↗
ALTERNATIVES

Alternatives in this category

Proton Mail
Switzerland · Founded 2014
EU-SOVEREIGN

Swiss end-to-end encrypted email by Proton AG (Geneva); 100M+ users, Foundation-controlled since June 2024.

E2E Public DPA Sub-processors Open source
FROM
€4/mo
CLOUD ACT
NONE
Tuta
Germany · Founded 2011
EU-SOVEREIGN

Hannover-based end-to-end encrypted mail (formerly Tutanota); post-quantum crypto, own DE data centre, ISO 27001.

E2E Public DPA Sub-processors Open source
FROM
€3/mo
CLOUD ACT
NONE
Posteo
Germany · Founded 2009
EU-SOVEREIGN

Berlin one-person-shop privacy email at €1/mo (Posteo e.K., since 2009); anonymous signup, BSI TR-03108 certified.

E2E Public DPA Sub-processors Open source
FROM
€1/mo
CLOUD ACT
NONE