Comparisons · Verified July 2026
ASTIS Mail vs the market
Who can read your mail? Where does it live — and where do the keys? Will your team have to migrate, and can they still search their inbox? Plain answers first, the technical checklist after — and on every detailed page, each claim links to the vendor’s own documentation.
Ten questions before you buy encrypted email
CISO-grade questions, plain words. Hover any mark for the grown-up details.
| ASTIS Mail | Virtru | Proton | Tuta | Zivver | PreVeil | Paubox | |
|---|---|---|---|---|---|---|---|
| Can only you and your recipient read the mail? | Keys are generated and used on your devices; ASTIS stores wrapped capsules keyed by address hashes — no content, no usable keys how ASTIS does it | Virtru’s key server can release the keys detail & primary sources | Content yes — but subjects stay visible detail & primary sources | True E2EE inside Tuta’s own apps (TutaCrypt); both sides use Tuta or a shared-password link detail & primary sources | Their audited claim — encryption runs on their platform detail & primary sources | True E2EE between PreVeil clients — a separate encrypted mailbox detail & primary sources | Gateway and mail providers can read content detail & primary sources |
| Does your mail stay out of vendor storage? | ASTIS holds wrapped key capsules + the public-key directory — never mail content how ASTIS does it | Content stays at your provider; Virtru stores keys, not mail detail & primary sources | Your entire mailbox lives on Proton’s servers detail & primary sources | Your entire mailbox lives on Tuta’s servers detail & primary sources | Secure messages stored on Zivver’s platform detail & primary sources | Encrypted mail stored on PreVeil’s servers — a second inbox detail & primary sources | Processed through their gateway; stored if you buy archiving detail & primary sources |
| Do usable decryption keys stay only on your side? | Encrypted key blob in CVS (unlocks only with your passphrase); org keys need a 3-factor admin PIN ASTIS never stores. HYOK option: keys never touch ASTIS at all how ASTIS does it | Virtru’s Key Access Server holds and releases usable keys detail & primary sources | Encrypted copy of your private key sits at Proton; unlocked on device detail & primary sources | Encrypted keys stored server-side; unlocked on device detail & primary sources | Key handling runs inside Zivver’s platform detail & primary sources | Device keys; recovery shards are individually unusable detail & primary sources | No E2EE keys at all — the gateway can read content detail & primary sources |
| Are the letter and its key always held by different parties? | Three parties: provider carries ciphertext · ASTIS holds wrapped capsules · your devices hold keys how ASTIS does it | Mail at your provider — but usable keys concentrate at Virtru detail & primary sources | Provider + mailbox + keys = all Proton detail & primary sources | Provider + mailbox + keys = all Tuta detail & primary sources | Secure mail and key handling both live in Zivver’s platform detail & primary sources | Mail store at PreVeil, keys on devices, provider separate detail & primary sources | Providers hold readable mail; the gateway reads it in flight detail & primary sources |
| Is stored mail unreadable wherever it sits? | Ciphertext in your mailbox; plaintext exists only on your devices how ASTIS does it | Bodies and attachments encrypted; subjects and filenames readable detail & primary sources | Zero-access at rest — but subjects outside E2EE detail & primary sources | Everything encrypted at rest, subjects included detail & primary sources | Zero-access claim, verified via audits detail & primary sources | Stored encrypted on PreVeil servers; keys remain on user devices detail & primary sources | Readable in every inbox at rest detail & primary sources |
| Can you keep Gmail / Microsoft 365 — no migration? | OAuth connect on top of your Gmail / M365 — nothing moves how ASTIS does it | Extension / add-in on top of your provider detail & primary sources | Full migration — MX records move to Proton detail & primary sources | Full migration to Tuta detail & primary sources | Plugin — though secure messages route via their platform detail & primary sources | No migration, but a second inbox on their infrastructure detail & primary sources | Mail routing through their gateway; mailbox stays detail & primary sources |
| Can your team keep the mail apps they know? | Native desktop apps, Thunderbird add-on, any browser how ASTIS does it | Gmail / Outlook plugins detail & primary sources | Third-party apps only via the paid Bridge detail & primary sources | Tuta’s own apps only detail & primary sources | Outlook / M365 / Gmail plugins detail & primary sources | Outlook / Gmail integrations detail & primary sources | Nothing changes at all detail & primary sources |
| Does inbox search keep working as before? | Mailbox search via your provider as usual — the inbox stays where it is how ASTIS does it | Encrypted mail is not searchable normally detail & primary sources | Body search needs a fragile per-device index detail & primary sources | Slow, limited search detail & primary sources | Regular mail stays searchable in your inbox; Zivver secure messages live on their platform detail & primary sources | Separate inbox, separate search detail & primary sources | Mail arrives as regular readable email in the inbox — search unchanged detail & primary sources |
| Can external recipients read mail without installing anything? | One-time key invite — then frictionless how ASTIS does it | Browser Secure Reader, per-message verification detail & primary sources | Password-protected link detail & primary sources | Shared password to a web inbox detail & primary sources | Portal + SMS / access code — no account detail & primary sources | Free account required detail & primary sources | It is a normal email detail & primary sources |
| Can the organization open a departed employee’s mail? | Org key in CVS — ASTIS-managed or self-hosted (HYOK) how ASTIS does it | Admin controls detail & primary sources | Admin reset flows detail & primary sources | Account recovery codes detail & primary sources | Organization account retains access to secure messages on Zivver’s platform detail & primary sources | Approval Groups (threshold of approvers) detail & primary sources | It was never unreadable to begin with detail & primary sources |
Simplified on purpose — the nuance behind every answer is on the per-vendor pages, with primary sources.
The mechanism behind the checkmarks
Every product above encrypts something. ASTIS Mail is built on one mechanism none of them have: the letter and its key are split — permanently, by architecture.
Your provider
Gmail / Microsoft 365 carries and stores the sealed envelope — ciphertext only: bodies, subjects, attachments, filenames. It can deliver the letter. It cannot read it.
ASTIS capsule service
Every message gets a session-key capsule, wrapped separately to each recipient’s key. Capsule metadata is keyed by address hashes; the public-key directory maps addresses to keys. No envelope, no content — ever.
Your devices
The only place where envelope and key ever meet. Plaintext exists here — and nowhere else in the world.
One mechanism — five consequences no table row captures:
- Mail that dies on schedule. A capsule expires — and the message becomes undecryptable everywhere: every copy, every mailbox, every backup. No reader cooperation required.
- Revoke after send. Delete the capsule and the ciphertext sitting in the recipient’s mailbox turns into permanent noise.
- Recovery with custody on your terms. The org key can rewrap capsules for a departed employee — held in ASTIS Managed CVS, or in your own self-hosted HYOK vault where ASTIS never touches key material.
- Who-mails-whom isn’t written down. The capsule service sees SHA-256 hashes, not addresses — metadata minimized by design, not by policy.
- Everything leaves a verifiable trace. Capsule operations land in a hash-chained audit log; release builds are GPG-signed; signatures verify without an ASTIS account. Check, don’t trust.
That is the trust layer: not a feature list — one architecture the features fall out of. Read how it works
The technical checklist
| ASTIS Mail | Virtru | Proton | Tuta | Zivver | PreVeil | Paubox | |
|---|---|---|---|---|---|---|---|
| Trust boundary | |||||||
| Vendor cannot decrypt your mail (default setup) | Key Access Server releases keys per read; Private Keystore add-on moves custody to you detail & primary sources | Content E2EE product-to-product; subjects outside E2EE detail & primary sources | “Zero-access” server-side claim, verified via audits detail & primary sources | Gateway processes content — that is how filtering works detail & primary sources | |||
| Subject lines encrypted | Documented PGP interoperability limit detail & primary sources | Portal-delivered; depends on flow detail & primary sources | Encrypted mail lives in a separate flow detail & primary sources | ||||
| Zero-knowledge without paid add-ons | Requires Private Keystore (quote-only) detail & primary sources | ||||||
| Deployment | |||||||
| Open standard (OpenPGP) — portable keys | IETF RFC 4880/9580 + WKD; decryptable by any compliant client how ASTIS does it | OpenTDF spec is open, but decryption needs a Key Access Server detail & primary sources | Own protocol, deliberately not PGP detail & primary sources | n/a — transport encryption detail & primary sources | |||
| Encrypted calendar | Only via Google CSE + Private Keystore detail & primary sources | E2EE sharing Proton-to-Proton only detail & primary sources | Inside Tuta apps detail & primary sources | ||||
| White-label / embed in your own product | White-label Mail under your brand + embeddable engine via the API platform how ASTIS does it | Custom branding included in the Business package detail & primary sources | Whitelabel branding on the Unlimited tier detail & primary sources | No public white-label offering found (July 2026) detail & primary sources | No public white-label offering found (July 2026) detail & primary sources | No public white-label offering found (July 2026) detail & primary sources | |
| Quantum-safe encryption today | AES-256 content layer is quantum-resistant; the per-recipient key wrap is classical Cv25519 (X25519) — so no quantum-safe claim. We announce crypto when it ships, not as roadmap how ASTIS does it | TutaCrypt (Kyber-1024 + X25519 hybrid) in production since 2024 detail & primary sources | |||||
| Control | |||||||
| Message expiry / revoke after send | TTL + capsule revoke how ASTIS does it | Revoke, expiry, watermark, no-forward detail & primary sources | Expiring password-protected mails detail & primary sources | See detail page detail & primary sources | No recall on base tier detail & primary sources | ||
| Jurisdiction & proof | |||||||
| EU/EEA vendor entity | EU entity; French & German operators (OVH, Contabo) in DE + UK (adequacy); no AWS/Azure/GCP anywhere how ASTIS does it | US (Washington, DC) detail & primary sources | Switzerland — strong privacy law, not EU/EEA detail & primary sources | Germany detail & primary sources | NL entity, US parent (Kiteworks, 2025) detail & primary sources | US, AWS GovCloud detail & primary sources | US (San Francisco) detail & primary sources |
| Issued SOC 2 / ISO 27001 today | SOC 2 Type II in progress; GPG-signed builds + open SDK now how ASTIS does it | SOC 2 · FedRAMP Moderate · FIPS 140-2 detail & primary sources | SOC 2 (2025) · ISO 27001 (2024) detail & primary sources | ISO-certified data centers only detail & primary sources | ISO 27001 · SOC 2 detail & primary sources | FIPS 140-3; FedRAMP equivalency (not authorization) detail & primary sources | HITRUST CSF certified detail & primary sources |
| Published pricing | $15–20/seat/mo, self-serve how ASTIS does it | 5-user bundles published; Enterprise quote-only detail & primary sources | Quote-driven at 50+ users detail & primary sources | Free tier · $30/user/mo detail & primary sources | Per-sender calculator detail & primary sources | ||
Icons simplify — hover a mark for the nuance, and open the per-vendor pages below for the full picture with primary sources. Verified July 2026; corrections: [email protected].
The detailed comparisons
ASTIS Mail vs Virtru
Both encrypt email on top of Gmail and Microsoft 365 without migration. The difference is one question: who can produce your plaintext?
Read the comparison →ASTIS Mail vs Proton Mail for Business
Proton is a superb email provider. ASTIS Mail is not a provider at all — it encrypts on top of the one you already have. That single difference decides most evaluations.
Read the comparison →ASTIS Mail vs Tuta
Tuta shares our convictions — subjects encrypted, metadata minimized, German servers. It implements them as a closed replacement ecosystem; ASTIS Mail implements them on top of the provider you already run.
Read the comparison →ASTIS Mail vs Zivver
Zivver secures delivery through its platform and portal. ASTIS Mail seals content on your device. And since June 2025, Zivver’s owner is a California company — their own press release below.
Read the comparison →ASTIS Mail vs PreVeil
The two products in this market built on the same principle — true client-side E2EE without migration. The differences: one inbox or two, and which side of the Atlantic your compliance lives on.
Read the comparison →ASTIS Mail vs Paubox
These two products solve different problems, and pretending otherwise would be dishonest. Paubox secures delivery. ASTIS Mail secures content. This page explains which one you actually need.
Read the comparison →Also comparing: Workload Secrets vs the Kubernetes secrets stack
Vault, OpenBao, ESO, Sealed Secrets, SOPS, cloud secret managers — they distribute secrets; none of them gate who can open one. Who actually sees plaintext: etcd, backups, kubectl, debug containers, CI, AI agents. Read the layer map →
All trademarks belong to their owners. Found an inaccuracy? [email protected] — verified corrections within one business day.