Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Threema

VERIFIED
Video conferencing · Switzerland
Founded 2012 · threema.com ↗

Swiss E2EE messenger (Pfäffikon SZ, founded 2012), ISO 27001, all-Swiss hosting, no phone number required; consumer + enterprise (Threema Work) + on-prem.

In short

Threema, in the Video conferencing category, is an EU-owned service with Switzerland as its hosting location and no identified CLOUD Act exposure.

Assessment notes

Threema GmbH (Pfäffikon SZ, Switzerland, CHE-221.440.104) processes personal data exclusively on servers in Swiss data centres for all essential functions, holds ISO 27001 certification, publishes a public DPA, and is Swiss-incorporated with EU adequacy: no CLOUD Act exposure, EU-adequate jurisdiction (CH), ISO 27001 certified, public DPA, all-Swiss hosting confirmed in the DPA, open-source clients with reproducible builds.

CLOUD ACT
OWNERSHIP
SUB-PROCS
0 none disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Threema

Threema is a Swiss end-to-end encrypted messaging application developed and operated by Threema GmbH (Pfäffikon SZ, Switzerland, Commercial Register: CHE-221.440.104), founded in December 2012 by three Swiss developers as a privacy-first alternative to WhatsApp, launching on Apple's App Store the same month the app was conceived. The legal entity was formally registered as Threema GmbH in spring 2014 to support professional expansion. Key milestones: post-Snowden traction in 2013, Threema Work (business edition) launched 2016, surpassed 10 million users in early 2021 following WhatsApp's controversial terms-of-service update, and a new CEO appointed in 2024.

The product portfolio is three-tier. Threema Private (consumer): one-off purchase app for iOS + Android + desktop, no phone number or email required for sign-up; fully anonymous use possible. Threema Work (business): managed admin console, MDM integration, enforced encryption policies, SSO via SAML/OIDC, priced at €3/user/month (Core) or €5/user/month (Professional); 30-day free trial for up to 30 users. Threema OnPrem (self-hosted): the full Threema Work stack deployable on customer infrastructure, for buyers who require complete data sovereignty inside their own security perimeter. All three tiers share the same cryptographic core: end-to-end encrypted messages, voice calls, video calls, group chats, file transfers, and polls using the NaCl/libsodium cryptography library; encryption by default with no plaintext fallback.

Compliance posture is among the strongest in the messenger category. ISO/IEC 27001 certified. Data processing for all essential functions runs exclusively on Threema's own servers in Switzerland (confirmed in the publicly available DPA). Switzerland holds an EU adequacy decision (Art. 45 GDPR), SCC-free for EU↔CH transfers. The DPA (threema.com/en/dpa) is publicly accessible without login and references standard contractual safeguards for any third-party functions. The company explicitly positions Threema as compliant with NIS 2, DORA, and CER EU directives. Ownership: Threema was acquired by Comitis Capital GmbH (a German investment firm focused on purpose-driven companies) from Afinum Management GmbH in early 2026, still EU-controlled, no US capital. Open-source: a Google-free Android version (Threema Libre) ships via F-Droid with reproducible builds for independent verification; the app source code is publicly auditable. Best fit: privacy-conscious individuals replacing WhatsApp or Signal with a Swiss-hosted option; German and EU enterprises needing an auditable E2EE messaging platform under their own IT control; regulated sectors subject to NIS 2 / DORA that need a compliant internal comms layer.

SUB-PROCESSORS

Sub-processor map · none disclosed

Source ↗
Vendor discloses zero sub-processors. All data processing happens in-house.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
FEATURES

Capability matrix

Self-hostable Yes
Max participants 16 participants
Screen sharing Yes
End-to-end encryption Yes
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log No
Self-host / on-prem option Yes
PRICING

Pricing & tiers

FREEMIUM
from €3/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

  • Data Processing Addendum (DPA)
    threema.com/en…
    Open ↗
  • Sub-processors list
    threema.com/en…
    Open ↗
  • Terms of Service
    threema.com/en…
    Open ↗
ALTERNATIVES

Alternatives in this category

Element (Matrix)
United Kingdom · Founded 2017
EU-HOSTED

UK-headquartered open-source Matrix protocol commercialisation; powers Bundeswehr BwMessenger + French Tchap + NATO + UN.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MATERIAL
kMeet (Infomaniak)
Switzerland · Founded 1994
EU-SOVEREIGN

Free Swiss browser-based video meetings (Infomaniak, Geneva, since 1994); no guest account, own Swiss DCs, ISO 27001, no CLOUD Act.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
NONE
Olvid
France · Founded 2019
EU-BASED

French E2EE messenger (Olvid SAS, Paris, founded 2019), ANSSI CSPN certified, mandated for French government ministers; no phone number/identifier, content + metadata encrypted.

Public DPA Sub-processors Open source
FROM
€10/mo
CLOUD ACT
MINOR