ShieldBox

Secure email for Australian financial services — APRA, ASIC and AML compliant

The email platform built for AFSL holders, APRA-regulated entities, and financial advisers — APRA CPS 234 ready, Australian data sovereign, with 7-year audit archiving on every plan.

900+ Financial services clients
CPS 234: APRA standard fully met. Board-level assurance.
72-hr APRA incident notification. Managed in-platform.
7-yr ASIC record retention

APRA CPS 234 alert: APRA-regulated entities must assess the security capability of all third-party providers including email. Gmail and Microsoft 365 cannot provide the IRAP-assessed, Australian-sovereign documentation most APRA-regulated boards now require.

Regulatory Landscape

Finance email compliance in Australia

Every compliance obligation that applies to finance email — and how ShieldBox satisfies each one.

APRA Prudential
APRA CPS 234

CPS 234 requires APRA-regulated entities (banks, super funds, insurers) to maintain information security capability and assess third-party providers including email. Board-level accountability applies to all covered entities.

ASIC / AFSL
ASIC Regulatory Guide 7

AFSL holders must retain all client communications including email for 7 years in a form accessible to ASIC. Records must be tamper-proof and produceable on regulatory demand.

Cth Legislation
Privacy Act 1988 — APP 8

Financial services firms handling client financial information via offshore email create ongoing APP 8 cross-border disclosure exposure. Client account numbers, TFNs, and superannuation data all trigger heightened obligations.

AUSTRAC
AML/CTF Act 2006

Reporting entities under the AML/CTF Act must retain client identification and transaction records for 7 years. Email communications containing KYC data and transaction confirmations must be archived accordingly.

Platform Features

Everything finance needs

Built from the ground up for Australian compliance requirements specific to finance.

APRA-aligned data sovereignty

All data in Sydney data centres. Satisfies CPS 234 third-party provider assessment with documented IRAP assessment scope ready for APRA audits.

7-year ASIC-compliant archiving

Tamper-proof WORM archiving for every email. Accessible on ASIC demand within hours. Legal hold for ASIC investigations and civil proceedings.

72-hour APRA notification workflow

Automated breach detection with in-platform APRA notification workflow. Never miss the 72-hour APRA incident reporting window.

AES-256 encryption

Client financial data, investment advice, and superannuation communications encrypted to AES-256 standard meeting APRA security expectations.

Role-based access controls

Advisers, paraplanning, compliance, and operations each see only the email they need. Segregation of duties built into every mailbox configuration.

DMARC domain protection

p=reject enforcement prevents your financial domain being spoofed for BEC attacks targeting wire transfers and client account changes.

Finance Verticals

Every finance setting, covered

Banks & ADIs
85+ institutions

Authorised deposit-taking institutions meeting APRA CPS 234 third-party assessment requirements and board-level security reporting obligations.

Superannuation Funds
120+ funds

APRA-regulated super funds with member communications, benefit payment confirmations, and trustee board correspondence requiring CPS 234 compliance.

AFSL Holders & Financial Advisers
480+ licensees

Financial planning practices with ASIC 7-year record-keeping obligations and client suitability documentation requirements.

Mortgage Brokers & Lenders
215+ brokers

ASIC-regulated mortgage brokers with client credit information, responsible lending correspondence, and NCCP Act record-keeping requirements.

Customer Stories

Trusted by Australian finance professionals

“Our APRA-appointed auditor flagged that Microsoft 365 couldn't provide CPS 234 assurance documentation. We moved to ShieldBox within 30 days and our next audit passed without a single finding.”
Catherine Webb
Chief Risk Officer
Pacific Mutual Super, Brisbane QLD
“ShieldBox solved the ASIC record-keeping requirement, the APP 8 issue, and DMARC in one migration. Our PI insurer gave us a rate reduction the same month.”
Daniel Moss
Managing Director
Moss Financial Planning, Adelaide SA
“AUSTRAC compliance requires 7 years of client communication records. ShieldBox's WORM archiving means we can produce complete AML/CTF documentation on demand — something our previous provider simply couldn't do.”
Sarah Okonkwo
Head of Compliance
Meridian Exchange, Sydney NSW
Free migration — we do everything

Our team migrates your complete email history from Gmail, Outlook, or any provider. Overnight, zero downtime.

Common Questions

Finance email FAQ

Yes. ShieldBox provides IRAP assessment documentation, ISO 27001 certification, contractual information security commitments, and audit rights — satisfying CPS 234 third-party provider assessment requirements. Many APRA-regulated entities have had their ShieldBox usage cleared by their APRA-appointed auditors.

Ready to protect your finance practice?

Join thousands of Australian finance professionals on the only email platform purpose-built for Australian compliance. Free 30-day trial, no credit card required.
