Is ShieldBox really hosted in Australia?

Yes. 100% of ShieldBox data — every email, attachment, and contact — is stored exclusively on servers physically located in Australia (Sydney and Melbourne data centres). No data ever leaves Australian soil.

Is ShieldBox compliant with the Australian Privacy Act 1988?

Yes. ShieldBox is fully compliant with the Australian Privacy Act 1988 (Privacy Act), the Australian Privacy Principles (APPs), and holds ISO 27001 certification. We also support IRAP-assessed environments for government users.

How does ShieldBox encryption work?

ShieldBox uses AES-256 encryption for all emails at rest and in transit. Users can optionally enable OpenPGP for zero-knowledge end-to-end encryption, meaning even ShieldBox staff cannot access your email content.

Can I use my own domain with ShieldBox?

Yes. ShieldBox supports custom domain hosting on all paid plans. You can use your own domain (e.g. you@yourcompany.com.au) with full DNS management, SPF, DKIM, and DMARC configuration.

Does ShieldBox offer a free plan?

Yes. ShieldBox offers a free plan with 5GB of Australian-hosted encrypted storage, no credit card required. Paid plans start from $9 AUD/month for additional features and storage.

How is ShieldBox different from Gmail or Outlook?

Unlike Gmail (USA) or Outlook (USA/Ireland), ShieldBox stores all data exclusively in Australia, does not scan emails for advertising, is compliant with Australian law, and uses military-grade encryption. Your data is never sold or shared with third parties.

Is ShieldBox available through government procurement frameworks?

Yes. ShieldBox is available through AusTender-registered procurement arrangements. Our government sales team can assist with panel arrangement inclusion and state government procurement framework registration.

Does ShieldBox support APS classification labels in email subjects?

Yes. ShieldBox Business and Enterprise plans support configurable email classification prefixes ([OFFICIAL], [OFFICIAL: Sensitive]) that can be enforced by domain policy, satisfying PSPF email handling requirements.

Secure Email for Government

IRAP-assessed secure email for
Australian Government agencies and contractors

The only commercial email platform with an IRAP assessment at OFFICIAL: Sensitive level — purpose-built for Australian Government agencies, contractors, and organisations handling classified information.

Start free trial — 30 days Free migration

IRAP

Assessed OFFICIAL:Sensitive

ASD endorsed

ML2

ASD Essential Eight

Verified

100%

Australian data sovereignty

PSPF

Policy Framework aligned

IRAP requirement: Commonwealth and state government procurement increasingly mandates IRAP assessment of all cloud services handling government information. Non-IRAP-assessed email providers cannot be used for OFFICIAL: Sensitive information regardless of brand recognition.

Regulatory Landscape

Government email compliance in Australia

Every compliance obligation that applies to government email — and how ShieldBox satisfies each one.

ASD / IRAP

IRAP Assessment

ASD-administered IRAP assessment is the primary mechanism for assuring government ICT security. ShieldBox holds a current IRAP assessment covering OFFICIAL and OFFICIAL: Sensitive classification levels for all email infrastructure.

AGD / PSPF

Protective Security Policy Framework

The PSPF mandates how Commonwealth entities protect official and sensitive information including email. Australian data residency is a PSPF requirement for all OFFICIAL: Sensitive and above communications.

ASD / ISM

Information Security Manual (ISM)

The ASD ISM specifies technical controls for Australian Government email — DMARC enforcement, AES-256 encryption, TLS 1.2+, MFA for all access, 7-year audit log retention, and IRAP-assessed infrastructure.

ASD Essential Eight

ASD Essential Eight ML2

Essential Eight Maturity Level 2 is the standard baseline for most government agencies and contractors. ShieldBox is verified at ML2 with a pathway to ML3 for agencies requiring the highest assurance level.

Platform Features

Everything government needs

Built from the ground up for Australian compliance requirements specific to government.

IRAP assessed OFFICIAL:Sensitive

Current ASD-administered IRAP assessment covering email at OFFICIAL and OFFICIAL: Sensitive levels. Assessment documentation available same-day for procurement.

100% Australian data sovereignty

All data stored in Sydney primary and Melbourne DR data centres. Zero offshore processing or storage — satisfying PSPF data sovereignty requirements.

Phishing-resistant MFA

FIDO2/passkey hardware security key support for ML3. Authenticator app MFA standard for all accounts. SMS MFA blocked by policy.

7-year tamper-proof audit logs

Complete email audit trail retained for 7 years. Tamper-proof WORM storage. Accessible for ANAO reviews, Senate estimates, and FOI responses.

DMARC p=reject enforcement

Full ISM-0272 compliance — DMARC at p=reject, DKIM signing, and SPF enforcement for all domains. Eliminates domain spoofing for government communications.

PSPF classification labels

Configurable email classification labels (OFFICIAL, OFFICIAL: Sensitive) that appear in email subjects and are enforced by data loss prevention rules.

Government Verticals

Every government setting, covered

Commonwealth Departments

45+ agencies

Non-corporate Commonwealth entities migrating from legacy on-premises email to PSPF and ISM compliant cloud infrastructure.

Get started

State Government Agencies

120+ agencies

NSW, VIC, QLD, WA, SA, TAS, ACT, and NT government agencies with state-specific information security policy requirements.

Get started

Government Contractors

380+ contractors

Consultancies, IT service providers, and professional services firms on government panels requiring IRAP-assessed email infrastructure.

Get started

Defence-Adjacent Organisations

95+ organisations

Organisations supporting the ADF, ASIO, ASIS, and defence agencies with requirements beyond OFFICIAL: Sensitive.

Get started

Customer Stories

Trusted by Australian government professionals

“Procurement required demonstrated IRAP assessment before we could be approved as a panel supplier. ShieldBox was on the approved list and provided assessment documentation same day. We won the contract.”

Annette Weston

ICT Manager

Weston Advisory Group, Canberra ACT

“We migrated three state agency email systems to ShieldBox in 90 days. The PSPF-aligned classification labels and IRAP documentation satisfied the state government's ICT security review without a single finding.”

Thomas Ngata

Chief Information Officer

State Infrastructure NSW

Free migration — we do everything

Our team migrates your complete email history from Gmail, Outlook, or any provider. Overnight, zero downtime.

View migration guide

Common Questions

Government email FAQ

ShieldBox holds a current IRAP assessment at OFFICIAL and OFFICIAL: Sensitive levels. For agencies requiring PROTECTED-level email, ShieldBox operates a separately assessed PROTECTED platform — contact our government team at gov@shieldbox.com.au.

Ready to protect your government practice?

Join thousands of Australian government professionals on the only email platform purpose-built for Australian compliance. Free 30-day trial, no credit card required.

Start free trial Talk to our team

IRAP & Government Compliance →IRAP Compliance Guide →AUKUS Defence Requirements →Compliance Reporting →

IRAP-assessed secure email forAustralian Government agencies and contractors

Government email compliance in Australia

Everything government needs

Every government setting, covered

Trusted by Australian government professionals

Government email FAQ

Ready to protect your government practice?

IRAP-assessed secure email for
Australian Government agencies and contractors