Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Tuta

VERIFIED
Private email · Germany
Founded 2011 · tuta.com ↗

Hannover-based end-to-end encrypted mail (formerly Tutanota); post-quantum crypto, own DE data centre, ISO 27001.

In short

Tuta, in the Private email category, is an EU-owned service with Germany as its hosting location and no identified CLOUD Act exposure.

Assessment notes

Tuta (formerly Tutanota, Hannover DE, founded 2011 by Arne Möhle and Matthias Pfau) operates its own German data centre, ships end-to-end encrypted mail / calendar / drive with post-quantum cryptography, all clients open-source and auditable, ISO 27001 certified, GDPR + DSGVO, 10,000+ business organisations and millions of consumer users; EU-owned, no US ties, no CLOUD Act exposure. One gap: the DPA is not publicly accessible and is reachable only inside a customer account after signing up for a business plan; no public sub-processors list.

CLOUD ACT
OWNERSHIP
SUB-PROCS
0 none disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Privacy
  • End-to-end encryption
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Tuta

Tuta (Hannover, Germany, founded 2011 by Arne Möhle and Matthias Pfau; Tutanota until 2023 rebrand) is one of the cleanest privacy-first email picks in Europe: own German data centre, end-to-end encryption by default, post-quantum cryptography (forward-looking against future quantum attacks), 100% open-source clients for Android, iOS, Windows, macOS, Linux, and browser. Free tier permanent for personal use; paid Revolutionary tier from ~€3/mo. Products: Tuta Mail, Tuta Calendar, Tuta Drive. Customer base: 10,000+ organisations including medical, journalism, human-rights, plus millions of consumers. 100% renewable-energy-powered. Founder-owned, no US VC, no PE, no CLOUD Act exposure.

SUB-PROCESSORS

Sub-processor map · none disclosed

Source ↗
Vendor discloses zero sub-processors. All data processing happens in-house.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
FEATURES

Capability matrix

Encryption TLS E2E
Mailbox storage 20 GB
Email aliases 15 aliases
Custom domain Yes
IMAP / SMTP No
Calendar Yes
Contacts Yes
INTEGRATION & ACCESS
REST API No
SSO (SAML / OIDC) No
COMPLIANCE & GOVERNANCE
Audit log No
Self-host / on-prem option No
PRICING

Pricing & tiers

FREEMIUM
from €3/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    tuta.com/privacy-policy…
    Open ↗
  • Terms of Service
    tuta.com/terms…
    Open ↗
ALTERNATIVES

Alternatives in this category

Proton Mail
Switzerland · Founded 2014
EU-SOVEREIGN

Swiss end-to-end encrypted email by Proton AG (Geneva); 100M+ users, Foundation-controlled since June 2024.

E2E Public DPA Sub-processors Open source
FROM
€4/mo
CLOUD ACT
NONE
Mailbox.org
Germany · Founded 2014
EU-SOVEREIGN

Berlin-based private email + drive + meet + office bundle (Heinlein Support GmbH); ISO 27001 + BSI C5, €1/mo entry.

E2E Public DPA Sub-processors Open source
FROM
€1/mo
CLOUD ACT
NONE
Posteo
Germany · Founded 2009
EU-SOVEREIGN

Berlin one-person-shop privacy email at €1/mo (Posteo e.K., since 2009); anonymous signup, BSI TR-03108 certified.

E2E Public DPA Sub-processors Open source
FROM
€1/mo
CLOUD ACT
NONE