Is ShieldBox really hosted in Australia?

Yes. 100% of ShieldBox data — every email, attachment, and contact — is stored exclusively on servers physically located in Australia (Sydney and Melbourne data centres). No data ever leaves Australian soil.

Is ShieldBox compliant with the Australian Privacy Act 1988?

Yes. ShieldBox is fully compliant with the Australian Privacy Act 1988 (Privacy Act), the Australian Privacy Principles (APPs), and holds ISO 27001 certification. We also support IRAP-assessed environments for government users.

How does ShieldBox encryption work?

ShieldBox uses AES-256 encryption for all emails at rest and in transit. Users can optionally enable OpenPGP for zero-knowledge end-to-end encryption, meaning even ShieldBox staff cannot access your email content.

Can I use my own domain with ShieldBox?

Yes. ShieldBox supports custom domain hosting on all paid plans. You can use your own domain (e.g. you@yourcompany.com.au) with full DNS management, SPF, DKIM, and DMARC configuration.

Does ShieldBox offer a free plan?

Yes. ShieldBox offers a free plan with 5GB of Australian-hosted encrypted storage, no credit card required. Paid plans start from $9 AUD/month for additional features and storage.

How is ShieldBox different from Gmail or Outlook?

Unlike Gmail (USA) or Outlook (USA/Ireland), ShieldBox stores all data exclusively in Australia, does not scan emails for advertising, is compliant with Australian law, and uses military-grade encryption. Your data is never sold or shared with third parties.

What happens if the OAIC investigates my business? Can ShieldBox help?

Yes. ShieldBox maintains a full 7-year audit log of all email events, which is exportable in court-admissible format. In an OAIC investigation, you can produce a complete record of: who had access to email, what emails were sent/received involving personal information, and your data breach response history. Our compliance team can also assist with documentation requests from the OAIC.

Can I use ShieldBox to demonstrate APRA CPS 234 compliance?

Yes. ShieldBox provides an ISM control mapping document and APRA CPS 234 alignment statement available to enterprise and government customers on request. Our security architecture has been specifically designed to satisfy APRA's information security requirements for email infrastructure. Contact our compliance team at compliance@shieldbox.com.au.

What is the CLOUD Act and why does it matter for Australian businesses?

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is US federal legislation that allows US authorities to compel US companies — including Google, Microsoft, and Dropbox — to produce data stored anywhere in the world, even in Australia. Because ShieldBox is an Australian company with no US parent, it is not subject to the CLOUD Act. Your email cannot be accessed by US authorities through this mechanism.

How does automated compliance reporting work?

From your admin dashboard, you can generate compliance reports covering: data residency status, APP compliance summary, user access audit, encryption status, breach detection log, and DMARC/DKIM/SPF alignment. Reports are generated in PDF format suitable for board reporting, procurement documentation, or regulatory evidence. Scheduled monthly reports can be emailed to nominated recipients automatically.

Is an IRAP assessment the same as ISO 27001 certification?

No — they cover different things and you ideally need both. ISO 27001 demonstrates systematic information security management and is internationally recognised. IRAP is specifically an Australian government assessment against the ISM, required for handling government-classified information. ShieldBox holds both — ISO 27001:2022 certification and an IRAP assessment at OFFICIAL: Sensitive level. For government procurement, you will typically be asked for both documents.

Privacy Act 1988 email compliance reporting platform for Australian organisations

Privacy Act 1988 Compliance

Email compliance
built for Australian law

Automated Privacy Act 1988 compliance reports, NDB breach detection, 7-year audit trails, and IRAP attestation — everything regulated Australian organisations need in one platform.

Start free trial Request compliance docs

100% Australian servers

IRAP Assessed

ISO 27001:2022

ASD E8 Maturity Level 3

Compliance Dashboard

Last updated: March 2026

All compliant

Privacy Act 1988 — APP 8

Compliant

Notifiable Data Breaches

No incidents

IRAP — OFFICIAL: Sensitive

Assessed

ASD Essential Eight ML3

ML3 Verified

Audit log retention

7 years

DMARC/DKIM/SPF

p=reject

Next report due: April 1, 2026

Regulatory Coverage

Every Australian compliance framework covered

From the Privacy Act 1988 to IRAP and APRA CPS 234 — ShieldBox documents and verifies compliance with every framework that matters to regulated Australian organisations.

APP 8

Australian Privacy Principles

Privacy Act 1988 (Cth)

All 13 APPs documented with automated cross-border disclosure prevention. Zero offshore data transfers — your APP 8 obligation eliminated by design.

Full

NDB

Notifiable Data Breaches

Privacy Act Part IIIC

Real-time breach detection with automatic OAIC notification workflow. 30-day reporting clock managed in-platform with legal escalation triggers.

Full

IRAP

IRAP Assessment

ASD ISM — OFFICIAL: Sensitive

Independent IRAP assessment at OFFICIAL: Sensitive level. Full ISM control mapping available on request for government procurement.

Assessed

CPS 234

APRA Prudential Standard

APRA CPS 234

ShieldBox architecture aligns with APRA CPS 234 information security requirements. Documented control mapping for APRA-regulated entities available.

Aligned

E8 ML3

ASD Essential Eight

ASD Maturity Level 3

All eight mitigation strategies implemented at Maturity Level 3 — the highest standard. Independent verification report available to enterprise customers.

ML3

ISO 27001

ISO/IEC 27001:2022

Information Security Management

Current ISO 27001:2022 certification. Annual surveillance audits by accredited certification body. Certificate available on request.

Certified

Compliance Reporting Features

Audit-ready from day one

Automated reports, tamper-proof audit logs, and breach detection — built for Australian regulators, procurement teams, and in-house counsel.

Automated compliance reports

One-click Privacy Act 1988 compliance reports with APP-by-APP status, data flow documentation, and audit evidence. Board-ready format included.

Complete email audit trail

7-year tamper-proof audit log of every email event — sent, received, opened, forwarded, deleted. OAIC investigation-ready from day one.

Data residency attestation

On-demand certificates confirming 100% Australian data residency. Accepted by government procurement teams and enterprise auditors.

NDB breach detection

Automated detection of potential notifiable data breaches — compromised credentials, unusual access patterns, bulk exports — with 30-day OAIC clock management.

Access & permission audit

Track every admin action, permission change, and account modification. Role-based access controls with full delegation audit trail.

Real-time threat reporting

Live dashboard showing blocked phishing, malware, BEC attempts, and suspicious login events — per user, per domain, across the organisation.

Encryption compliance status

Continuous monitoring of TLS enforcement, at-rest encryption status, and DMARC/DKIM/SPF alignment across all domains. Instant alerts on degradation.

Regulatory evidence packages

Export court-admissible email evidence packages for OAIC investigations, litigation hold, ASIC record production, or internal HR matters.

Industry-specific Compliance

Regulated sectors served

Privacy Act 1988 obligations are not uniform — your sector imposes additional requirements. ShieldBox compliance reporting covers them all.

Medical Practices & Healthcare

Privacy Act 1988 (health records)
My Health Records Act 2012
ADHA security requirements
State health information legislation

Healthcare guide

Legal Practices

Privacy Act 1988 — client data
Legal Professional Privilege
Law Society obligations
AUSTRAC AML/CTF reporting

View compliance

Financial Services & APRA

APRA CPS 234
ASIC RG 255
Privacy Act APPs
AML/CTF record-keeping

View compliance

Government & Defence

ISM / PSPF
PROTECTED-level data
DISP requirements
APS Values Act

IRAP statement

Property & Conveyancing

Privacy Act 1988
AUSTRAC AML obligations
State real estate legislation
NDB scheme

View compliance

Accounting & Professional Services

Privacy Act 1988
ASIC record-keeping
TPB Code of Professional Conduct
NDB scheme

View compliance

Platform Comparison

ShieldBox vs Google Workspace vs Microsoft 365

For Australian Privacy Act 1988 compliance, the differences are significant — not just about price.

Compliance capability	Google Workspace	Microsoft 365
Privacy Act 1988 APP 8 compliance (zero overseas transfer)
IRAP-assessed infrastructure
Data physically stored in Australia	optional	optional
Automated compliance report generation
7-year tamper-proof audit log	paid add-on	paid add-on
NDB breach detection with OAIC workflow
ISO 27001:2022 certified
ASD Essential Eight ML3 verified
Data residency attestation certificates	limited	limited
CLOUD Act exempt (not a US company)

* Google and Microsoft offer Australian data residency options but remain US companies subject to the CLOUD Act.

Common Questions

Privacy Act compliance FAQ

ShieldBox eliminates the most significant and common source of Privacy Act non-compliance for Australian businesses — the offshore storage and processing of personal information. By hosting exclusively in Australia with zero offshore data transfers, you satisfy APP 8 requirements by design. ShieldBox also provides audit tools, breach detection, and reporting that support your broader Privacy Act compliance program. We recommend pairing ShieldBox with a privacy impact assessment for your specific business.

Ready to make Privacy Act compliance automatic?

Start your free 30-day trial. Australian-hosted from the first email. Compliance documentation available from day one. No credit card required.

Start free trial Request compliance documentation

Full Compliance Centre →Compliance Checklist →Migration Guide →

Email compliancebuilt for Australian law

Every Australian compliance framework covered

Audit-ready from day one

Regulated sectors served

ShieldBox vs Google Workspace vs Microsoft 365

Privacy Act compliance FAQ

Ready to make Privacy Act compliance automatic?

Email compliance
built for Australian law