When you send an email through Gmail, Microsoft 365 (Outlook), or almost any mainstream global email provider, that email is likely processed, stored, and backed up on servers in the United States, Ireland, or Singapore rather than Australia, unless your tenant has been explicitly provisioned with Australian data residency, and even then only for the services that commitment actually covers. For individuals, this may be inconsequential. For Australian businesses handling client data, government contracts, or commercially sensitive communications, it is a significant and often overlooked legal and competitive risk.
What Is Data Sovereignty and Why Does It Matter?
Data sovereignty is the principle that digital data is subject to the laws of the country in which it is stored and processed, and to the laws that bind the company holding it. When your Australian business email sits on servers in the United States, or with a US-headquartered provider, it becomes reachable under US law, including the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which allows US authorities, acting under a warrant or other legal process, to compel US providers to produce data in their possession regardless of where in the world it is stored, frequently under an order that prevents the provider from telling you or your clients.
The Australian Privacy Act 1988 and APP 8
Under Australian Privacy Principle 8 (APP 8) of the Privacy Act 1988, an Australian business that discloses personal information to an overseas recipient, which can include handing it to an offshore email host, must first take reasonable steps to ensure the recipient handles it in accordance with the APPs, and under section 16C of the Act it is generally treated as having breached the APPs itself if the recipient does. Whether offshore storage counts as a "disclosure" or merely a "use" depends on how much control you retain over the provider's handling, but the accountability does not go away. You cannot outsource your Privacy Act obligations to a foreign email provider.
Key risk: If an overseas email provider mishandles your clients' personal data, the Office of the Australian Information Commissioner (OAIC) can hold your Australian business responsible, not just the overseas provider. Civil penalties for serious or repeated interferences with privacy now start at $50 million at the top tier.
Five Real Risks of Overseas Email Hosting for Australian Businesses
- Foreign government access: the US CLOUD Act, and the lawful-access powers of whichever other jurisdiction hosts your data (EU member states and Singapore included), can compel providers to hand over your data, often without your knowledge.
- Privacy Act liability: under APP 8 and section 16C, your business generally remains liable for an overseas recipient's mishandling of the personal information you disclosed to it.
- Competitive intelligence exposure: pricing, strategy documents, and client lists stored on foreign servers can be reached through the host country's legal process, outside the protection of Australian law.
- Government contract disqualification: Federal and state agencies increasingly require demonstrated Australian data sovereignty from suppliers.
- NDB scheme liability: if your overseas provider is breached and the breach is likely to result in serious harm to any individual, you must still ensure the OAIC and the affected individuals are notified under the Notifiable Data Breaches scheme; the obligation is yours, not the provider's.
Which Australian Industries Face the Highest Risk
- Legal practices: client legal privilege is of little value if a foreign government can obtain the email communications without your knowledge, and the practice remains bound by its confidentiality obligations regardless of where the mail is hosted.
- Healthcare providers: clinical notes, Medicare information, and patient communications are health information, which the Privacy Act treats as "sensitive information" with stricter handling rules, and are further regulated under the My Health Records Act 2012.
- Financial services: ASIC-regulated businesses must maintain records that can be produced to the regulator on request and must protect client financial data.
- Government contractors: the ASD Information Security Manual (ISM), the Protective Security Policy Framework (PSPF) and, for Defence, the Defence Security Principles Framework (DSPF) impose hosting and handling requirements that in practice mean onshore storage, and for classified information certified Australian data centres; agencies routinely flow these down as contract conditions.
- Defence industry: Defence Industry Security Program (DISP) membership conditions and, for US-origin technical data, ITAR obligations impose strict controls on where data is stored and who may access it.
What to Verify When Choosing a Sovereign Email Provider
- Server location: all email data physically stored in Australia; ask for the specific data centre locations and whether any replica or cache sits elsewhere.
- Backup and DR: disaster recovery, backup, and archive copies also located within Australia, including any cloud object storage used for long-term retention.
- Processing location: spam filtering, virus scanning, search indexing, and AI features all processed onshore; a provider can store mail in Sydney yet route every message through an offshore filtering service.
- IRAP assessment: the provider has had an Information Security Registered Assessors Program assessment against the ISM; an IRAP assessment is a report rather than a certificate, so ask for its date, scope, and the classification level assessed.
- ISO 27001 certification: current certification for information security management, with a scope statement that actually covers the email service rather than only a corporate office.
- Third-party disclosure: all sub-processors disclosed in writing, with their locations, and ideally also located in Australia.
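One practical way to test the processing-location item is to send a message to yourself through the provider and read the Received headers it adds: each hop records the host that relayed the message and the address it came from. The Python script below is an added example, not ShieldBox's or any provider's code. It parses those headers from a constructed sample message (the hostnames, addresses and the provider domain are invented for the example, using documentation IP ranges) and flags any relay whose source address falls outside the ranges the provider disclosed as Australian, or any receiving host outside the provider's disclosed DNS domain.

```python
import email
import ipaddress
import re

# Constructed sample message. The hostnames, addresses (documentation ranges)
# and the sovereign-provider domain are invented for this example.
SAMPLE_MESSAGE = b"""Received: from mx2.example-sovereign.net.au (mx2.example-sovereign.net.au [203.0.113.45])
\tby mailstore1.example-sovereign.net.au with ESMTPS; Mon, 3 Jun 2024 09:12:03 +1000
Received: from filter.offshore-scanner.example.com (filter.offshore-scanner.example.com [198.51.100.7])
\tby mx2.example-sovereign.net.au with ESMTPS; Mon, 3 Jun 2024 09:12:01 +1000
Received: from sender-laptop (unknown [192.0.2.10])
\tby filter.offshore-scanner.example.com with ESMTPSA; Mon, 3 Jun 2024 09:11:58 +1000
From: sender@example.com.au
To: sender@example.com.au
Subject: sovereignty test

Test message sent to myself.
"""

# What the (hypothetical) provider disclosed in writing: its Australian address
# ranges and the DNS domain its mail hosts live under.
DISCLOSED_AU_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
DISCLOSED_DOMAINS = ("example-sovereign.net.au",)

# "from HOST (comment [IP])" and "by HOST" clauses of a Received header.
_FROM = re.compile(r"\bfrom\s+(\S+)(?:\s*\([^)]*\[(?:IPv6:)?([^\]\s]+)\])?", re.IGNORECASE)
_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received(raw: bytes) -> list:
    """Return one dict per Received hop, earliest hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m_from = _FROM.search(flat)
        m_by = _BY.search(flat)
        hops.append({
            "from_host": m_from.group(1) if m_from else None,
            "from_ip": m_from.group(2) if m_from else None,
            "by_host": m_by.group(1) if m_by else None,
        })
    hops.reverse()  # each relay prepends its header, so the last header is the first hop
    return hops


def audit_hops(hops, allowed_networks, allowed_domains):
    """Flag hops handled outside the provider's disclosed infrastructure.

    Returns a list of (clause, value, reason) tuples; an empty list means every
    relay address and every receiving host matched the disclosure.
    """
    suffixes = tuple("." + d.lower() for d in allowed_domains)
    findings = []
    for index, hop in enumerate(hops):
        # Every "by" host accepted and processed the message, so it must be the provider's.
        by = hop["by_host"]
        if by is None or not by.lower().endswith(suffixes):
            findings.append(("by", by, "receiving host not under a disclosed domain"))
        if index == 0:
            continue  # the first hop's source is the sender's own device, not the provider
        ip = hop["from_ip"]
        if ip is None:
            findings.append(("from", hop["from_host"], "relay recorded no source address"))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("from", ip, "unparseable source address"))
            continue
        if not any(addr in net for net in allowed_networks):
            findings.append(("from", ip, "relay address outside disclosed Australian ranges"))
    return findings


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    for clause, value, reason in audit_hops(hops, DISCLOSED_AU_RANGES, DISCLOSED_DOMAINS):
        print(f"{clause:>4} {value}: {reason}")
```

Run against the sample, the audit reports two findings: the offshore filtering host that accepted the message at the first hop, and its address at the second hop, while the two onshore hops pass. Two caveats: only headers added by hosts you trust are reliable, since anything below the provider's own hops can be forged by a sender, so run this over mail you sent to yourself; and matching an allowlist shows the relay is in the ranges the provider disclosed, not where those ranges sit geographically, so take the ranges from the provider's written disclosure rather than a geolocation database.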
The True Cost of Non-Compliance
Many businesses still assume Privacy Act penalties are modest. Following the 2022 and 2024 reforms, the maximum civil penalty for a serious or repeated interference with privacy is the greatest of $50 million, three times the benefit obtained from the breach, or 30 per cent of the entity's adjusted turnover for the relevant period. A single OAIC investigation can cost hundreds of thousands in legal fees alone, before any penalty is assessed. By comparison, ShieldBox Business starts at $29 AUD/month. The ROI on data sovereignty is among the highest of any business investment.
