The Complete Australian Email Compliance Checklist for 2026

Marcus Chen
Chief Compliance Officer
March 20, 2026
15 min read

Australian email compliance requirements have expanded significantly since the Privacy Act reforms of 2022 and 2024. Between the 13 Australian Privacy Principles, the Notifiable Data Breaches scheme, ASD Essential Eight, IRAP requirements for government work, DMARC enforcement, and the CLOUD Act risk from overseas providers — most Australian businesses are non-compliant in at least three material ways. This checklist covers all of them.

How to use this checklist: Work through each section with your IT manager, privacy officer, or external compliance consultant. For each item, mark it as Complete, In Progress, or Gap. Any gaps represent compliance risk. Prioritise items marked critical — these carry the highest legal and financial exposure.

Section 1: Data Sovereignty & Australian Privacy Principles

Data sovereignty is the foundation of Australian email compliance. The Privacy Act 1988 places the accountability on your business — not your email provider. APP 8 (cross-border disclosure) is the most commonly breached of the 13 Australian Privacy Principles, and it is breached simply by using Gmail, Microsoft 365, or any offshore email provider for emails containing personal information.

  • ✅ CRITICAL — Your email is hosted exclusively on Australian servers (not just "Australian data residency" — verify the servers are physically in Australia).
  • ✅ CRITICAL — No personal information leaves Australia during email processing (spam filtering, virus scanning, AI features all run onshore).
  • ✅ CRITICAL — Your email provider is not a US company subject to the CLOUD Act (which allows US authorities to compel access to data stored anywhere in the world).
  • ✅ All sub-processors (spam filtering, archiving, support systems) are disclosed and preferably also Australian-hosted.
  • ✅ Your Privacy Policy accurately describes where email data is stored and processed.
  • ✅ Backup and disaster recovery systems are also located in Australia.
  • ✅ Your email provider can issue a signed data residency attestation certificate on request.

Reference: ShieldBox's /compare/gmail, /compare/outlook, and /compare/protonmail pages detail the specific data sovereignty issues with each major provider and how they compare to Australian-hosted alternatives.

Section 2: Privacy Act 1988 — Email-specific Obligations

The Privacy Act 1988 (Cth) and its 13 Australian Privacy Principles apply to every email containing personal information sent or received by your business. This includes client names, contact details, health information, financial information, and any other information that identifies — or could identify — a living individual.

  • ✅ CRITICAL — Your organisation has a current, accurate Privacy Policy available at your website that covers email data handling.
  • ✅ CRITICAL — You have documented how personal information flows through your email system (data mapping).
  • ✅ CRITICAL — You have a process for handling individual requests for access to or correction of their personal information in emails.
  • ✅ Staff who handle emails containing personal information have received Privacy Act training within the last 12 months.
  • ✅ You have a documented retention and destruction schedule for emails containing personal information.
  • ✅ Email containing sensitive information (health, financial, legal) is encrypted at rest and in transit.
  • ✅ You have reviewed whether any third-party email integrations (CRM, helpdesk, marketing tools) comply with APP requirements.
  • ✅ Health information in email is subject to heightened protection — additional controls in place if applicable.

Section 3: Notifiable Data Breaches (NDB) Scheme

The NDB scheme under Part IIIC of the Privacy Act 1988 requires covered entities to notify the OAIC and affected individuals when a data breach is likely to cause serious harm. Healthcare, legal, and financial services consistently report the highest NDB rates. Email is the primary attack vector — phishing, BEC, and misdirected emails account for the majority of health sector notifications.

  • ✅ CRITICAL — You have a documented Data Breach Response Plan (DBRP) specifically covering email incidents.
  • ✅ CRITICAL — Your DBRP defines who is responsible for breach assessment (security + legal + privacy officer).
  • ✅ CRITICAL — You have the OAIC notification form and process ready — the 30-day clock starts when you become aware of a potential breach, not when it is confirmed.
  • ✅ Your email system has automated alerting for suspicious events — compromised accounts, bulk exports, unusual forwarding.
  • ✅ Staff know how to report a suspected phishing compromise immediately (not just to IT, but to trigger the formal breach assessment process).
  • ✅ You have tested your DBRP in the last 12 months with a tabletop exercise.
  • ✅ Your DBRP covers misdirected emails — sending an email with personal information to the wrong recipient is a potential NDB notification.

Section 4: ASD Essential Eight — Email Controls

The ASD Essential Eight Maturity Model is the Australian Government's recommended framework for cyber resilience. While not legally mandatory for most private sector organisations, Essential Eight alignment is increasingly required for government contracts, APRA-regulated entities, and enterprise procurement. Three of the eight strategies have direct email implications.

  • ✅ CRITICAL — Multi-factor authentication (MFA) is enforced on all email accounts — no exceptions for executives or admin staff.
  • ✅ CRITICAL — Your email client and server software is patched within your target timeframe (Maturity Level 1 = one month; Level 2 = two weeks; Level 3 = 48 hours for critical patches).
  • ✅ CRITICAL — Your email client is hardened against common attacks — JavaScript disabled in HTML emails, external image loading controlled.
  • ✅ Administrative email accounts have stronger MFA (hardware token or phishing-resistant MFA like passkeys — not just SMS).
  • ✅ You have documented your current Essential Eight maturity level for email systems.
  • ✅ Email audit logs are retained for the period required by your maturity target (Maturity Level 3 requires 7 years).

Section 5: Email Authentication — DMARC, DKIM & SPF

Email authentication is not optional. Without DMARC at enforcement level, your domain can be spoofed to send phishing emails to your clients, suppliers, and staff. DKIM and SPF provide the underlying authentication that DMARC enforces. The Australian Signals Directorate considers DMARC enforcement to be a baseline security control, and the ACSC has issued specific guidance requiring it.

  • ✅ CRITICAL — SPF record published for every domain that sends email on your behalf (including subdomains and marketing platforms).
  • ✅ CRITICAL — DKIM signing configured for all outbound email on all your sending domains.
  • ✅ CRITICAL — DMARC policy at p=quarantine (minimum) or ideally p=reject enforcement.
  • ✅ DMARC p=none (monitoring mode) is NOT acceptable — this provides no protection. Move to enforcement.
  • ✅ You have a DMARC aggregate report receiver configured (rua=) and someone reviews weekly reports.
  • ✅ All third-party services that send email on your behalf (marketing platforms, CRM, helpdesk) are authorised in SPF and signing with DKIM.
  • ✅ MTA-STS (SMTP MTA Strict Transport Security) configured to enforce TLS for inbound email.
  • ✅ You have tested your DMARC configuration using a tool like MXToolbox or DMARC Analyser in the last 6 months.
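As an added example (not from the article or from ShieldBox), the following Python grades SPF, DMARC and MTA-STS records against the items above; the domain, record values and policy text are constructed samples, and in practice you would fetch them from DNS and from the domain's mta-sts.txt policy file.

```python
# Added example: grade published SPF / DMARC / MTA-STS records against the
# Section 5 checklist. Inputs are constructed samples (hypothetical domain
# example.com.au); real ones come from DNS TXT lookups and the MTA-STS policy URL.
import re

def parse_tags(record: str) -> dict:
    """Parse DMARC-style 'k=v; k=v' text into a dict of lowercase tag names."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record: str) -> list:
    """Checklist gaps for an SPF TXT record; an empty list means the row is Complete."""
    if not record.startswith("v=spf1"):
        return ["no SPF record published"]
    if not re.search(r"\s[-~]all$", record.rstrip()):
        return ["SPF must end in -all (or ~all); '+all' or no 'all' term authorises any sender"]
    return []

def check_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record published"]
    gaps = []
    if tags.get("p", "none") == "none":  # p defaults to none when the tag is absent
        gaps.append("p=none is monitoring only; move to p=quarantine or p=reject")
    if not tags.get("rua", "").startswith("mailto:"):
        gaps.append("no rua= mailto address; nobody receives aggregate reports")
    if tags.get("pct", "100") != "100":
        gaps.append(f"pct={tags['pct']} applies the policy to only part of the mail flow")
    return gaps

def check_mta_sts(policy: str) -> list:
    """Gaps for the mta-sts.txt policy file ('key: value' lines, RFC 8461)."""
    fields = dict(line.split(":", 1) for line in policy.splitlines() if ":" in line)
    mode = fields.get("mode", "").strip()
    if fields.get("version", "").strip() != "STSv1":
        return ["no MTA-STS policy; inbound TLS is opportunistic only"]
    return [] if mode == "enforce" else [f"MTA-STS mode is '{mode}', not 'enforce'"]

def audit(spf: str, dmarc: str, mta_sts: str) -> dict:
    """Map each control to its gaps so a reviewer can mark Complete or Gap."""
    return {"SPF": check_spf(spf), "DMARC": check_dmarc(dmarc), "MTA-STS": check_mta_sts(mta_sts)}

if __name__ == "__main__":
    report = audit("v=spf1 include:_spf.mailhost.example ~all",
                   "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
                   "version: STSv1\nmode: testing\nmx: mail.example.com.au\nmax_age: 86400")
    for control, gaps in report.items():
        print(control, "Complete" if not gaps else gaps)
```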

Section 6: Email Encryption

  • ✅ CRITICAL — All email at rest is encrypted using AES-256 or equivalent.
  • ✅ CRITICAL — All email in transit uses TLS 1.2 or later (TLS 1.3 preferred).
  • ✅ TLS 1.0 and TLS 1.1 are disabled on all email servers and gateways.
  • ✅ For highly sensitive communications (legal, health, financial), end-to-end encryption is available and used.
  • ✅ Your email provider holds encryption keys in Australia (not with a US parent company subject to CLOUD Act).
  • ✅ You have a policy on what types of information require end-to-end encryption vs standard TLS-in-transit.

Section 7: IRAP & Government Procurement

If your organisation works with Australian government agencies or handles government information, IRAP assessment of your email provider is increasingly a contractual requirement. The Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) set specific requirements for email systems handling government data.

  • ✅ You have confirmed whether any of your email contains government-classified information (OFFICIAL, OFFICIAL: Sensitive, PROTECTED).
  • ✅ If you handle OFFICIAL: Sensitive information, your email provider has a current IRAP assessment covering at least that classification level.
  • ✅ You have a copy of your provider's IRAP assessment scope document and have verified it covers email.
  • ✅ All ISM controls applicable to email (access control, encryption, audit logging, MFA) are implemented.
  • ✅ Your email provider can supply IRAP documentation to government procurement teams on request.

Important: An IRAP assessment is not the same as ISO 27001 certification. Both are typically required for Australian government procurement. ShieldBox holds ISO 27001:2022 certification and an IRAP assessment at OFFICIAL: Sensitive level. Full documentation available on request at compliance@shieldbox.com.au.

Section 8: Staff Training & Governance

  • ✅ All staff have completed email security awareness training in the last 12 months.
  • ✅ Your organisation conducts simulated phishing exercises at least annually.
  • ✅ There is a clear policy on acceptable use of email for personal information.
  • ✅ Email security is included in your new staff induction process.
  • ✅ There is a designated Privacy Officer (or equivalent) responsible for email compliance.
  • ✅ Your email security policies are reviewed and updated at least annually.
  • ✅ Executives and board members are included in training — they are the highest-value BEC targets.

Compliance Gaps: What to Do Next

If you have identified compliance gaps, prioritise them by risk level. The highest-priority actions are those marked CRITICAL — particularly data sovereignty (your email provider's server location), DMARC enforcement (which prevents your domain being spoofed), MFA on all accounts, and having a tested Data Breach Response Plan. These four areas account for the majority of serious Privacy Act enforcement actions and NDB notifications.

  • Step 1 — Data sovereignty: If your email is hosted offshore, migrate to ShieldBox or another Australian-hosted provider. The migration guide at /migrate covers Gmail, Outlook, and ProtonMail in detail, including free assisted migration.
  • Step 2 — DMARC enforcement: Move your DMARC policy to p=reject immediately. This single action eliminates email domain spoofing.
  • Step 3 — MFA: Enable MFA on every email account. No exceptions. Use an authenticator app rather than SMS where possible.
  • Step 4 — DBRP: Draft and test your Data Breach Response Plan before you need it.
  • Step 5 — Privacy Policy: Update your Privacy Policy to accurately reflect your current email data handling.
  • Step 6 — Staff training: Schedule annual simulated phishing exercises and Privacy Act training.

For healthcare organisations, see the dedicated secure email guide for medical practices at /industries/healthcare. For government and defence, see the IRAP compliance section at /compliance#irap. For detailed provider comparisons, visit /compare for side-by-side analysis of Google Workspace, Microsoft 365, ProtonMail, and Fastmail.

Marcus Chen

Marcus spent 10 years as a privacy lawyer specialising in the Australian Privacy Act before transitioning into tech. He oversees ShieldBox's compliance program and all government customer relationships.
