Australia's Email Security Laws: What Every Business Owner Must Know in 2026
Legal & Compliance


Marcus Chen
Chief Compliance Officer
February 28, 2026
10 min read

Australia has one of the most developed legal frameworks for data protection in the Asia-Pacific region. Yet surveys consistently show that a significant proportion of Australian SMEs are not fully aware of their email compliance obligations. In 2026, non-compliance is no longer a minor risk: the maximum penalty for a serious or repeated interference with privacy is the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover, and the OAIC is actively enforcing it.

The Privacy Act 1988: The Foundation of Email Compliance

The Privacy Act 1988 (Cth) is the primary federal legislation governing personal information. It applies to Australian Government agencies, private organisations with annual turnover above $3 million, and all health service providers regardless of turnover. The 13 Australian Privacy Principles (APPs) are technology-neutral, so they do not name email but they apply to it: any email that contains personal information about an individual, in the body, the headers or an attachment, is subject to them.

Important: The 2024 Privacy Act reforms are expanding obligations. The $3M turnover threshold is under active review and may be removed entirely, bringing every Australian business under the Act.

The Notifiable Data Breaches (NDB) Scheme

In force since February 2018, the NDB scheme requires all entities covered by the Privacy Act to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. For email specifically, a notifiable breach can include: a business email account compromised via phishing, an email containing personal information sent to the wrong recipient, or your email service provider suffering a breach.

  • Timeline: If you suspect an eligible data breach you must assess it within 30 days of becoming aware of it. Once you have reasonable grounds to believe an eligible breach has occurred you must notify the OAIC and affected individuals as soon as practicable; the 30 days are an assessment window, not a notification grace period.
  • Content: Notifications must describe the breach, what information was involved, and recommended steps for affected individuals.
  • Penalty: A serious or repeated failure to meet these obligations is an interference with privacy, for which civil penalties reach $50 million for bodies corporate (or more where three times the benefit obtained or 30 per cent of adjusted turnover is higher).
  • Obligation: You must maintain processes to detect, assess, and respond to breaches, not just react when one is reported.

The Spam Act 2003: Email Marketing Compliance

The Spam Act 2003 regulates commercial electronic messages sent to Australian accounts. Every commercial email must be sent with the recipient's consent (express, or inferred from an existing relationship), carry accurate sender identification, and include a functional unsubscribe mechanism that is honoured promptly. The ACMA enforces the Spam Act, with penalties reaching $2.78 million per day for serious violations. In 2024, ACMA fined several Australian businesses for spam violations that included invalid unsubscribe links.

ASD Essential Eight: Email Security Controls

The Australian Signals Directorate's Essential Eight Maturity Model includes security controls specifically relevant to email systems:

  • Patch applications: Email clients are among the application classes the model requires to be patched within two weeks of release at every maturity level; from Maturity Level Two the window drops to 48 hours when an exploit exists. Internet-facing mail servers fall under the online-services rule, which applies the 48-hour window when an exploit exists from Maturity Level One.
  • Multi-factor authentication: Required from Maturity Level One for remote access to email. SMS codes are the weakest acceptable option; the higher maturity levels expect phishing-resistant methods such as FIDO2 security keys or passkeys.
  • User application hardening and macro restrictions: These controls break the common email attack chain of a malicious attachment launching Office macros or spawning child processes from a productivity application.
  • Restrict administrative privileges: Applies to email server and gateway administrative access.

Practical Compliance Checklist for Australian Businesses

  • Know where your email is stored and processed. APP 8 does not require Australian hosting, but if personal information in email is disclosed to an overseas provider you must take reasonable steps to ensure that provider handles it in line with the APPs, or rely on one of the APP 8 exceptions, and record which.
  • Encrypt email containing personal information: enforce TLS in transit with your providers, and use end-to-end encryption (S/MIME or OpenPGP) or an encrypted attachment for sensitive content, because ordinary email is readable by every mail server on the path.
  • Implement MFA on all email accounts — no exceptions.
  • Maintain an incident response plan that covers email data breaches specifically.
  • Ensure all commercial email marketing complies with the Spam Act 2003.
  • Keep all email software patched per the ASD Essential Eight schedule.
  • Train staff annually on phishing recognition and secure email handling.
  • Review your privacy policy to accurately describe how email data is handled and stored.

The Penalty Landscape Has Fundamentally Changed

The Optus breach (September 2022, 9.8 million customers) and the Medibank breach (October 2022, 9.7 million customers) were watershed moments for Australian data regulation. Neither started in an email system (Optus involved an unauthenticated API, Medibank stolen credentials used over a VPN without MFA), but both exposed customer email addresses and other contact details, which left those customers open to follow-on phishing. Both resulted in major OAIC investigations and significant reputational damage. The message from regulators is now unambiguous: email security is a legal obligation, not an IT choice.

Tags: Privacy Act 1988, NDB Scheme, Spam Act, OAIC, ASD Essential Eight, Cybersecurity Law
Marcus Chen
Chief Compliance Officer

Marcus spent 10 years as a privacy lawyer specialising in the Australian Privacy Act before transitioning into tech. He oversees ShieldBox's compliance program and all government customer relationships.
