Comparison · Verified July 2026 · Every claim links to its source
ASTIS Mail vs PreVeil
The two products in this market built on the same principle — true client-side E2EE without migration. The differences: one inbox or two, and which side of the Atlantic your compliance lives on.
TL;DR. PreVeil is the closest architecture cousin to ASTIS Mail: genuine client-side end-to-end encryption alongside Gmail and Microsoft 365, no migration, vendor cannot decrypt. The differences that matter: PreVeil adds a second, separate encrypted mailbox — the most-cited friction in its own reviews — and is purpose-built for US defense contractors (CMMC 2.0, ITAR, AWS GovCloud, FIPS 140-3). ASTIS Mail keeps encrypted mail inside your existing mailbox as ciphertext, encrypts subjects and calendars, and runs on French and German infrastructure operators — no US hyperscalers. If you sell to the US DoD, pick PreVeil. If you are a regulated European firm, AWS GovCloud is the wrong sovereignty direction — that is ASTIS’s side of the map.
At a glance
The icon next to a claim opens its primary source — the vendor’s own page for their claims, our verifiable docs for ours. Security platforms shouldn’t ask to be believed.
| ASTIS Mail | PreVeil | |
|---|---|---|
| Model | E2EE overlay — ciphertext lives in your existing mailbox | |
| Vendor can decrypt | ||
| Admin key recovery | Org key in CVS — ASTIS-managed or self-hosted (HYOK) | |
| Calendar encryption | E2EE calendar built in | |
| External recipient (no product) | One-time key invite (browser client) | |
| Jurisdiction & hosting | ||
| Compliance focus | GDPR by architecture · NIS2/DORA evidence | |
| FedRAMP status | Not applicable — not a US-gov product | |
| Published pricing | ||
| Certifications |
Where is the trust boundary?
Every product on this market draws a line: everything left of it cannot read your content; everything right of it you have to trust. The only question that matters is where the line sits.
Keys generated and used client-side. No service can produce plaintext.
Content encrypted, but a vendor-run key server authorizes every decryption.
Encryption and access control live in the vendor’s server-side platform.
TLS in transit; content readable at rest by providers and gateways.
PreVeil is genuinely device-boundary E2EE — same zone as ASTIS Mail, with a cryptographically enforced admin-recovery scheme (Approval Groups). The boundaries that differ are geographic (US, AWS GovCloud) and ergonomic (a second mailbox).
Where your data lives
ASTIS Mail deliberately does not host message content: decrypted mail exists only on your devices, ciphertext rides your own mailbox. Compare where each product puts plaintext.
Who holds the keys?
ASTIS Mail’s model
Same zone, different ergonomics: encrypted messages travel through your existing provider as ciphertext and stay in your existing mailbox — one inbox, one thread history. Org-key recovery runs through CVS, with custody as a product choice: ASTIS Managed CVS, or HYOK CVS where the firm hosts the vault and ASTIS never touches key material.
Envelope is wider: subjects, attachment filenames, and calendar events are sealed; capsule metadata runs on address hashes. OpenPGP + WKD keep keys portable outside any single vendor.
PreVeil’s model
True client-side E2EE with device keys — no passwords, and a server breach exposes nothing. Admin recovery via Approval Groups: a user’s key is split cryptographically (Shamir secret sharing) across approvers; a threshold (e.g. 3 of 5) must cooperate to recover an account. Honest, well-documented engineering.
Deployment choice: encrypted mail lives in a separate mailbox beside your inbox — a clean compliance enclave for CUI, and the most-cited friction in PreVeil’s own reviews.
One inbox or two — the honest section
ASTIS keeps confidential mail in the flow
When encrypted correspondence is everyday client work — not a special channel — a second mailbox is where messages get missed. ASTIS Mail keeps ciphertext in the mailbox you already check, searchable and threaded in one place.
And for a European firm, PreVeil’s AWS GovCloud hosting is the wrong direction: it is built to satisfy US government requirements, which is precisely what EU sovereignty reviews screen out.
PreVeil’s separation is a feature for CMMC
Routing CUI into a dedicated encrypted enclave, apart from daily mail, makes the compliance boundary easy to reason about — auditors like it, and PreVeil’s Compliance Accelerator documents all 110 CMMC controls. 100+ customers through certification, some with perfect 110/110 scores, is real proof for that market.
The daily cost: a second inbox to check. Their reviews say it plainly.
Pricing
ASTIS Mail
- Solo $179/year · Team $15/seat/mo · Organization $20/seat/mo
- Self-serve, 30-day trial, no services engagement
- 25-seat firm: ≈ $4,500–6,000/year
Two honest shortlists
Pick PreVeil if
- US defense contractors and suppliers: CMMC 2.0, ITAR, DFARS 7012 now
- A hard separation: dedicated encrypted enclave for CUI apart from daily mail
- FIPS-validated crypto and US-gov-adjacent hosting as requirements
- Generous free tier for individuals and small partners
Pick ASTIS Mail if
- EU firms under GDPR/NIS2/DORA where US hosting is the compliance problem
- Encrypted mail in the same inbox you already use — plus encrypted calendar
- Subjects and metadata inside the envelope
- Verify-don’t-trust buyers: signed builds, open specs, inspectable SDK
FAQ
Do both work without leaving Gmail or Microsoft 365?
Yes — that is the shared premise. Neither requires mailbox migration. PreVeil adds a separate encrypted mailbox alongside; ASTIS Mail keeps encrypted messages inside the existing mailbox as ciphertext.
Which one is zero-knowledge?
Both, for message content — neither vendor can decrypt your mail server-side. Jurisdiction over the vendor differs: US (PreVeil) vs EU (ASTIS).
Is PreVeil FedRAMP authorized?
No — PreVeil claims DoD “FedRAMP Moderate equivalency” per the DoD CIO memo pathway (their own blog explains this), with data hosted in AWS GovCloud. That is a meaningful bar, and it is not a FedRAMP authorization.
Can external recipients read encrypted mail without installing anything?
In both products the recipient needs a client and a key: PreVeil invites externals to a free account; ASTIS Mail invites them to register a key (browser-based PWA, no app-store install). If a recipient refuses any setup, neither product encrypts to them — Virtru’s or Zivver’s portal model handles that case at the cost of a portal step.
Sources — retrieved July 2026
- PreVeil pricing
- PreVeil technology (E2EE, GovCloud)
- PreVeil Approval Groups explained
- PreVeil’s FedRAMP story (equivalency)
- DoD CIO FedRAMP equivalency memo (PDF)
- ASTIS security whitepaper
All trademarks belong to their owners. Prices and features change — verify before deciding. Found an inaccuracy? [email protected] — we fix verified inaccuracies within one business day.
Don’t trust either vendor — verify.
Read the security documentation, then run the 30-day trial on your existing Gmail or Microsoft 365 mailbox. Keep the provider. Protect the content.