Is ShieldBox really hosted in Australia?

Yes. 100% of ShieldBox data — every email, attachment, and contact — is stored exclusively on servers physically located in Australia (Sydney and Melbourne data centres). No data ever leaves Australian soil.

Is ShieldBox compliant with the Australian Privacy Act 1988?

Yes. ShieldBox is fully compliant with the Australian Privacy Act 1988 (Privacy Act), the Australian Privacy Principles (APPs), and holds ISO 27001 certification. We also support IRAP-assessed environments for government users.

How does ShieldBox encryption work?

ShieldBox uses AES-256 encryption for all emails at rest and in transit. Users can optionally enable OpenPGP for zero-knowledge end-to-end encryption, meaning even ShieldBox staff cannot access your email content.

Can I use my own domain with ShieldBox?

Yes. ShieldBox supports custom domain hosting on all paid plans. You can use your own domain (e.g. you@yourcompany.com.au) with full DNS management, SPF, DKIM, and DMARC configuration.

Does ShieldBox offer a free plan?

Yes. ShieldBox offers a free plan with 5GB of Australian-hosted encrypted storage, no credit card required. Paid plans start from $9 AUD/month for additional features and storage.

How is ShieldBox different from Gmail or Outlook?

Unlike Gmail (USA) or Outlook (USA/Ireland), ShieldBox stores all data exclusively in Australia, does not scan emails for advertising, is compliant with Australian law, and uses military-grade encryption. Your data is never sold or shared with third parties.

IRAP Email Compliance Guide 2026: ISM Controls, PSPF & Assessment Prep

For Australian government agencies and organisations that handle government data, IRAP (Information Security Registered Assessors Program) has become the gold standard for security assurance. As agencies expand contractor supply chains and enforce upstream security requirements, IRAP assessment is increasingly a non-negotiable prerequisite for winning and retaining government contracts.

What Is IRAP?

The Information Security Registered Assessors Program is administered by the Australian Signals Directorate (ASD). IRAP assessors are security professionals endorsed by ASD to independently assess ICT systems against the Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (ISM). When an email provider holds an IRAP assessment, an independent ASD-endorsed assessor has specifically reviewed their security controls against ISM requirements — this is not self-certification.

Note: IRAP is not a certification — it's a point-in-time assessment. Always ask for the assessment date and scope. An assessment older than 18-24 months without a reassessment is a significant red flag.

Key ISM Controls That Apply to Email Systems

ISM-0270: Email gateways must filter inbound and outbound email for malicious content.
ISM-0272: DMARC, DKIM, and SPF must be implemented for all email domains — at enforcement level.
ISM-0273: TLS 1.2 or later required for all email in transit.
ISM-0559: Email must be encrypted at rest using AES-256 or equivalent.
ISM-1026: Multi-factor authentication must be enforced for all email access.
ISM-1217: Email logs must be retained for audit purposes (typically 7 years for government use).
ISM-1553: Email systems must implement content filtering to detect sensitive data exfiltration.

Understanding Classification Levels for Email

UNOFFICIAL: No special controls required, but standard security good practices still apply.
OFFICIAL: Standard business information — ISM baseline controls including encryption in transit.
OFFICIAL: Sensitive — Stronger access controls, encryption at rest, audit logging, and user awareness training.
PROTECTED: Highly sensitive government information — IRAP-assessed infrastructure, enhanced MFA, strict access controls, and Australian data residency mandatory.
SECRET and above: Must use classified networks — standard cloud email is not appropriate.

Preparing Your Email Environment for IRAP Assessment

Document your email architecture completely — data flows, access controls, and all integration points.
Implement MFA on all email accounts — all exceptions must be formally risk-accepted by your security team.
Deploy DMARC at p=reject enforcement for all email domains, not just p=quarantine.
Enable and retain email audit logs for the required retention period.
Identify what classification levels are handled in your email environment.
Include all third-party integrations in scope — each must be assessed.
Conduct a gap assessment against ISM controls before the formal IRAP assessment.

What to Look for in an IRAP-Assessed Email Provider

Current IRAP assessment — ask for the scope document and date. Request the IRAP assessment summary.
Australian data residency — all email data, backups, DR systems, and audit logs within Australia.
PROTECTED-level capability — if you handle Protected information, the provider's assessment must explicitly cover that classification.
ISM control mapping — reputable IRAP-assessed providers will share their control mapping on request.
Third-party transparency — all sub-processors disclosed; ideally also IRAP-assessed.
ACSC incident notification capability — mandatory reporting for significant cyber incidents.

IRAP vs ISO 27001: You Need Both

Some organisations ask whether ISO 27001 certification is sufficient for government procurement. The short answer is no. ISO 27001 is an internationally recognised standard demonstrating sound security management — it does not specifically map to Australian government ISM/PSPF requirements. IRAP assessment fills this gap. The strongest assurance comes from providers holding both ISO 27001 certification (systematic management) and a current IRAP assessment (Australian government compliance). Most government procurement teams now require both documents before approving a supplier.

IRAP Compliance for Email: A Complete Guide for Australian Government and Enterprise