Tuta
VERIFIEDHannover-based end-to-end encrypted mail (formerly Tutanota); post-quantum crypto, own DE data centre, ISO 27001.
Why this score?
Tuta (formerly Tutanota, Hannover DE, founded 2011 by Arne Möhle and Matthias Pfau) operates its own German data centre, ships end-to-end encrypted mail / calendar / drive with post-quantum cryptography, all clients open-source and auditable, ISO 27001 certified, GDPR + DSGVO, 10,000+ business organisations and millions of consumer users; founder-owned, no US ties — rated 4/5: strong profile in every structural dimension, but the DPA is not publicly accessible — it is reachable only inside a customer account after signing up for a business plan; the rubric reserves 5/5 for a publicly accessible DPA.
- SCORE
- 4.0/5
- CLOUD ACT
- CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
-
None This listing EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
-
- OWNERSHIP
- OWNERSHIP
Where ultimate control over the operating company sits.
-
EU-owned This listing EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
-
- SUB-PROCS
- — not disclosed
JUMP TO
About Tuta
Sub-processor map · not disclosed
Frameworks & certifications
Capability matrix
Pricing & tiers
Public documents
-
missingData Processing Addendum (DPA)— missing
-
missingSub-processors list— missing
-
Open ↗Terms of Servicetuta.com/terms…
Alternatives in this category
Swiss email + groupware (Infomaniak Group SA, Geneva, since 1994), own Swiss DCs, ISO 27001 + B Corp 2025, free tier with @ik.me address.
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
How exposed customer data is to US authorities under the CLOUD Act.
-
None This listing EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
Berlin-based private email + drive + meet + office bundle (Heinlein Support GmbH); ISO 27001 + BSI C5, €1/mo entry.
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
How exposed customer data is to US authorities under the CLOUD Act.
-
None This listing EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
Berlin one-person-shop privacy email at €1/mo (Posteo e.K., since 2009); anonymous signup, BSI TR-03108 certified.
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
How exposed customer data is to US authorities under the CLOUD Act.
-
None This listing EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.