For Australian government agencies and organisations that handle government data, the ASD Essential Eight has become the gold standard for security assurance. As agencies expand contractor supply chains and enforce upstream security requirements, Maturity Level 3 alignment is increasingly a non-negotiable prerequisite for winning and retaining government contracts.
What Is the ASD Essential Eight?
The ASD Essential Eight is a set of baseline mitigation strategies developed by the Australian Signals Directorate (ASD) to help organisations protect against cyber threats. It covers eight strategies assessed at Maturity Levels 0–3: application control, patching applications, configuring Microsoft Office macros, user application hardening, restricting admin privileges, patching operating systems, multi-factor authentication, and regular backups. Maturity Level 3 is the highest level and is required for many government contracts.
Note: ASD Essential Eight Maturity Level 3 assessments should be reviewed regularly. Always ask for the assessment date and scope. An assessment older than 24 months without a review is a significant red flag.
Key ISM Controls That Apply to Email Systems
- ISM-0270: Email gateways must filter inbound and outbound email for malicious content.
- ISM-0272: DMARC, DKIM, and SPF must be implemented for all email domains — at enforcement level.
- ISM-0273: TLS 1.2 or later required for all email in transit.
- ISM-0559: Email must be encrypted at rest using AES-256 or equivalent.
- ISM-1026: Multi-factor authentication must be enforced for all email access.
- ISM-1217: Email logs must be retained for audit purposes (typically 7 years for government use).
- ISM-1553: Email systems must implement content filtering to detect sensitive data exfiltration.
Understanding Classification Levels for Email
- UNOFFICIAL: No special controls required, but standard security good practices still apply.
- OFFICIAL: Standard business information — ISM baseline controls including encryption in transit.
- OFFICIAL: Sensitive — Stronger access controls, encryption at rest, audit logging, and user awareness training.
- PROTECTED: Highly sensitive government information — ASD Essential Eight Maturity Level 3, enhanced MFA, strict access controls, and Australian data residency mandatory.
- SECRET and above: Must use classified networks — standard cloud email is not appropriate.
Preparing Your Email Environment for ASD Essential Eight Assessment
- Document your email architecture completely — data flows, access controls, and all integration points.
- Implement MFA on all email accounts — all exceptions must be formally risk-accepted by your security team.
- Deploy DMARC at p=reject enforcement for all email domains, not just p=quarantine.
- Enable and retain email audit logs for the required retention period.
- Identify what classification levels are handled in your email environment.
- Include all third-party integrations in scope — each must be assessed.
- Conduct a gap assessment against ISM controls before the formal ASD Essential Eight assessment.
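As an added illustration of the "enforcement level" requirement in ISM-0272 above and the p=reject step in this checklist (example code written for this page, not from the article or any provider it describes), the following Python checks whether a domain's DMARC and SPF records actually enforce; the domains and TXT records are constructed samples standing in for DNS answers, and the pct and rua checks are additional assumptions beyond what the article states.

```python
# Constructed sample TXT records standing in for DNS answers (the domains are
# placeholders); a live check would query "_dmarc.<domain>" and "<domain>" TXT.
SAMPLE_TXT = {
    "_dmarc.agency.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@agency.example",
    "agency.example": "v=spf1 include:_spf.example.net ~all",
    "_dmarc.gov.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@gov.example",
    "gov.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "legacy.example": "v=spf1 +all",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt=SAMPLE_TXT):
    """Return findings for a sending domain; an empty list means both records enforce."""
    findings = []
    dmarc = txt.get("_dmarc." + domain)
    if dmarc is None or not dmarc.lower().startswith("v=dmarc1"):
        findings.append("no DMARC record")
    else:
        tags = parse_tags(dmarc)
        policy = tags.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC policy is p={policy}, not p=reject")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC pct={tags['pct']} applies the policy to only part of mail flow")
        if "rua" not in tags:
            findings.append("DMARC has no rua address, so failures are not reported")
    spf = txt.get(domain)
    if spf is None or not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        # The final mechanism decides what happens to unlisted senders:
        # "-all" is a hard fail, "~all" only soft-fails and "+all" allows anyone.
        last = spf.split()[-1].lower()
        if last != "-all":
            findings.append(f"SPF ends with {last}, not -all (hard fail)")
    return findings


if __name__ == "__main__":
    for name in ("gov.example", "agency.example", "legacy.example"):
        print(name, assess_domain(name) or ["at enforcement"])
```

Run the same logic over every domain listed in the DMARC/SPF inventory from the architecture documentation step, since a single p=quarantine or ~all domain is enough to fail the enforcement requirement.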
What to Look for in an ASD Essential Eight Compliant Email Provider
- Current ASD Essential Eight assessment — ask for the scope document, maturity level, and date.
- Australian data residency — all email data, backups, DR systems, and audit logs within Australia.
- Maturity Level 3 capability — if you handle sensitive government information, the provider must achieve ML3 across all eight strategies.
- ISM control mapping — reputable providers will share their control mapping on request.
- Third-party transparency — all sub-processors disclosed; ideally also ASD Essential Eight aligned.
- ACSC incident notification capability — mandatory reporting for significant cyber incidents.
ASD Essential Eight vs ISO 27001: You Need Both
Some organisations ask whether ISO 27001 certification is sufficient for government procurement. The short answer is no. ISO 27001 is an internationally recognised standard demonstrating sound security management — it does not specifically map to Australian government ISM/PSPF requirements. ASD Essential Eight alignment fills this gap. The strongest assurance comes from providers holding both ISO 27001 certification (systematic management) and ASD Essential Eight Maturity Level 3 (Australian government compliance). Most government procurement teams now require both documents before approving a supplier.
