Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Runbox

VERIFIED
Private email · Norway
Founded 1999 · runbox.com ↗

Norwegian private email since 1999 (Runbox Solutions AS), own NO data centre, 100% renewable hydro, PGP + 2FA + PFS, double carbon-negative.

In short

Runbox, in the Private email category, is an EU-owned service with Norway as its hosting location and no identified CLOUD Act exposure.

Assessment notes

Runbox is operated by Runbox Solutions AS, a Norwegian company in continuous operation since 1999 (among the longest-running independent privacy-email vendors in Europe) running its own infrastructure inside a Norwegian high-security data centre powered by 100% certified renewable hydropower, supporting PGP encryption, two-factor authentication, Perfect Forward Secrecy SSL, encrypted Web/POP/IMAP/SMTP, with public privacy policy and terms; Norwegian jurisdiction (EEA, outside EU), no CLOUD Act exposure. Gap: Runbox does not publish a publicly accessible DPA (customers are directed to a DPO contact rather than a self-serve document); no formal ISO 27001 attestation.

CLOUD ACT
OWNERSHIP
SUB-PROCS
0 none disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Privacy
  • End-to-end encryption
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Runbox

Runbox is operated by Runbox Solutions AS, a Norwegian company that has been in continuous operation as a privacy-focused email service since 1999, making it one of the longest-running independent vendors in this category, alongside Posteo (Berlin, 2009) and Mailbox.org (Berlin, 2014 in current form). The product is straightforward: secure IMAP/POP/SMTP email under Norwegian and EEA privacy law, with PGP encryption, two-factor authentication, Perfect Forward Secrecy on SSL, and standard mail-client compatibility; no proprietary lock-in, no advertising, no tracking.

The infrastructure story is genuinely strong. Runbox runs its own infrastructure inside a Norwegian high-security data centre, powered by 100% certified renewable energy from clean Norwegian hydropower, with multiple redundancy layers for high availability. The company is recognised by the Ethical Consumer "Best Buy" designation and carries a Carbon Balanced Certificate (double carbon-negative via World Land Trust), sustainability credentials that match Infomaniak's posture in the same Swiss-Norwegian-Nordic privacy band. As a Norwegian operator, Runbox is explicitly outside the reach of the US CLOUD Act.

For an EU-sovereignty audit the only gaps are formal compliance documentation: no ISO/IEC 27001 attestation, no SOC 2, and no publicly linked DPA or sub-processors list were surfaced at audit. None of those gaps suggest poor practice; they just mean that procurement-grade buyers needing those documents will need to request them. Norway is EEA rather than EU, and no formal certifications were documented at audit.

Pricing is paid-only (no free tier), competitive and storage-tiered: Micro €19.95/year (€1.66/month, 2 GB); Mini €34.95/year (€2.91/month, 10 GB); Medium €49.95/year (€4.16/month, 25 GB); Max €79.95/year (€6.66/month, 50 GB). 20% discount on 3-year subscriptions. Best fit: privacy-conscious EU/EEA users who want a long-established Norwegian privacy-email service with first-class PGP support, ethical / sustainability credentials, and explicit CLOUD-Act-non-applicability, and who do not require a free tier or formal ISO 27001 attestation.

SUB-PROCESSORS

Sub-processor map · none disclosed

Source ↗
Vendor discloses zero sub-processors. All data processing happens in-house.
CERTIFICATIONS

Frameworks & certifications · none listed

We checked the vendor's website and standard certification body registries. No active certifications found at the time of last audit (2026-05-15).
FEATURES

Capability matrix

Encryption TLS
Mailbox storage 2 GB
Email aliases 100 aliases
Custom domain Yes
IMAP / SMTP Yes
Calendar Yes
Contacts Yes
INTEGRATION & ACCESS
REST API No
SSO (SAML / OIDC) No
COMPLIANCE & GOVERNANCE
Audit log No
Self-host / on-prem option No
PRICING

Pricing & tiers

PAID
from €2/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    runbox.com/about…
    Open ↗
  • Terms of Service
    runbox.com/about…
    Open ↗
ALTERNATIVES

Alternatives in this category

Proton Mail
Switzerland · Founded 2014
EU-SOVEREIGN

Swiss end-to-end encrypted email by Proton AG (Geneva); 100M+ users, Foundation-controlled since June 2024.

E2E Public DPA Sub-processors Open source
FROM
€4/mo
CLOUD ACT
NONE
Tuta
Germany · Founded 2011
EU-SOVEREIGN

Hannover-based end-to-end encrypted mail (formerly Tutanota); post-quantum crypto, own DE data centre, ISO 27001.

E2E Public DPA Sub-processors Open source
FROM
€3/mo
CLOUD ACT
NONE
Mailbox.org
Germany · Founded 2014
EU-SOVEREIGN

Berlin-based private email + drive + meet + office bundle (Heinlein Support GmbH); ISO 27001 + BSI C5, €1/mo entry.

E2E Public DPA Sub-processors Open source
FROM
€1/mo
CLOUD ACT
NONE