Comparison · Verified July 2026 · Every claim links to its source

ASTIS Mail vs PreVeil

The two products in this market built on the same principle — true client-side E2EE without migration. The differences: one inbox or two, and which side of the Atlantic your compliance lives on.

TL;DR. PreVeil is the closest architecture cousin to ASTIS Mail: genuine client-side end-to-end encryption alongside Gmail and Microsoft 365, no migration, vendor cannot decrypt. The differences that matter: PreVeil adds a second, separate encrypted mailbox — the most-cited friction in its own reviews — and is purpose-built for US defense contractors (CMMC 2.0, ITAR, AWS GovCloud, FIPS 140-3). ASTIS Mail keeps encrypted mail inside your existing mailbox as ciphertext, encrypts subjects and calendars, and runs on French and German infrastructure operators — no US hyperscalers. If you sell to the US DoD, pick PreVeil. If you are a regulated European firm, AWS GovCloud is the wrong sovereignty direction — that is ASTIS’s side of the map.

At a glance

The icon next to a claim opens its primary source — the vendor’s own page for their claims, our verifiable docs for ours. Security platforms shouldn’t ask to be believed.

ASTIS MailPreVeil
Model
E2EE overlay — ciphertext lives in your existing mailbox
E2EE overlay — separate encrypted mailbox alongside inbox
Vendor can decrypt
No — device keys, per-recipient wrapping
No — device keys, true E2EE
Admin key recovery
Org key in CVS — ASTIS-managed or self-hosted (HYOK)
Approval Groups — Shamir secret sharing, threshold of approvers
Calendar encryption
E2EE calendar built in
Email + encrypted drive; no calendar in the product line
External recipient (no product)
One-time key invite (browser client)
Free PreVeil account required
Jurisdiction & hosting
EU entity · French & German operators — no US hyperscalers
US company · AWS GovCloud
Compliance focus
GDPR by architecture · NIS2/DORA evidence
CMMC 2.0 · NIST 800-171 · ITAR · DFARS
FedRAMP status
Not applicable — not a US-gov product
“FedRAMP Moderate equivalency” — not an authorization
Published pricing
$15–20/seat/mo · 30-day trial
Free 5 GB tier · $30/user/mo business (min terms)
Certifications
SOC 2 Type II in progress · signed builds
FIPS 140-3 validated crypto

Where is the trust boundary?

Every product on this market draws a line: everything left of it cannot read your content; everything right of it you have to trust. The only question that matters is where the line sits.

Your device

Keys generated and used client-side. No service can produce plaintext.

ASTIS MailPreVeil
Vendor key service

Content encrypted, but a vendor-run key server authorizes every decryption.

Vendor platform

Encryption and access control live in the vendor’s server-side platform.

Transport only

TLS in transit; content readable at rest by providers and gateways.

PreVeil is genuinely device-boundary E2EE — same zone as ASTIS Mail, with a cryptographically enforced admin-recovery scheme (Approval Groups). The boundaries that differ are geographic (US, AWS GovCloud) and ergonomic (a second mailbox).

Where your data lives

ASTIS Mail deliberately does not host message content: decrypted mail exists only on your devices, ciphertext rides your own mailbox. Compare where each product puts plaintext.

ASTIS Mail
PreVeil
Decrypted (plaintext) data
Only on your devices — decrypted locally, stored in local browser storage
Decrypted client-side on user devices
Encrypted message store
In your own mailbox at your provider (Gmail / M365), as ciphertext
Encrypted mail lives on PreVeil servers (AWS GovCloud) — a second mailbox outside your own
What vendor servers hold
Wrapped key capsules (keyed by address hashes), encrypted key blobs, and the WKD public-key directory — never message content
Encrypted messages + shard-split recovery material (Approval Groups)

Who holds the keys?

ASTIS Mail’s model

Same zone, different ergonomics: encrypted messages travel through your existing provider as ciphertext and stay in your existing mailbox — one inbox, one thread history. Org-key recovery runs through CVS, with custody as a product choice: ASTIS Managed CVS, or HYOK CVS where the firm hosts the vault and ASTIS never touches key material.

Envelope is wider: subjects, attachment filenames, and calendar events are sealed; capsule metadata runs on address hashes. OpenPGP + WKD keep keys portable outside any single vendor.

PreVeil’s model

True client-side E2EE with device keys — no passwords, and a server breach exposes nothing. Admin recovery via Approval Groups: a user’s key is split cryptographically (Shamir secret sharing) across approvers; a threshold (e.g. 3 of 5) must cooperate to recover an account. Honest, well-documented engineering.

Deployment choice: encrypted mail lives in a separate mailbox beside your inbox — a clean compliance enclave for CUI, and the most-cited friction in PreVeil’s own reviews.

One inbox or two — the honest section

ASTIS keeps confidential mail in the flow

When encrypted correspondence is everyday client work — not a special channel — a second mailbox is where messages get missed. ASTIS Mail keeps ciphertext in the mailbox you already check, searchable and threaded in one place.

And for a European firm, PreVeil’s AWS GovCloud hosting is the wrong direction: it is built to satisfy US government requirements, which is precisely what EU sovereignty reviews screen out.

PreVeil’s separation is a feature for CMMC

Routing CUI into a dedicated encrypted enclave, apart from daily mail, makes the compliance boundary easy to reason about — auditors like it, and PreVeil’s Compliance Accelerator documents all 110 CMMC controls. 100+ customers through certification, some with perfect 110/110 scores, is real proof for that market.

The daily cost: a second inbox to check. Their reviews say it plainly.

Pricing

ASTIS Mail

  • Solo $179/year · Team $15/seat/mo · Organization $20/seat/mo
  • Self-serve, 30-day trial, no services engagement
  • 25-seat firm: ≈ $4,500–6,000/year

PreVeil

  • Free tier (5 GB, full E2EE) · Individual $25/mo · Business $30/user/mo
  • Minimum terms: 24 months for 3–9 users, 12 months for 10+
  • 25-seat firm: ≈ $9,000/year vs ASTIS ≈ $4,500–6,000/year

Two honest shortlists

Pick PreVeil if

  • US defense contractors and suppliers: CMMC 2.0, ITAR, DFARS 7012 now
  • A hard separation: dedicated encrypted enclave for CUI apart from daily mail
  • FIPS-validated crypto and US-gov-adjacent hosting as requirements
  • Generous free tier for individuals and small partners

Pick ASTIS Mail if

  • EU firms under GDPR/NIS2/DORA where US hosting is the compliance problem
  • Encrypted mail in the same inbox you already use — plus encrypted calendar
  • Subjects and metadata inside the envelope
  • Verify-don’t-trust buyers: signed builds, open specs, inspectable SDK

FAQ

Do both work without leaving Gmail or Microsoft 365?

Yes — that is the shared premise. Neither requires mailbox migration. PreVeil adds a separate encrypted mailbox alongside; ASTIS Mail keeps encrypted messages inside the existing mailbox as ciphertext.

Which one is zero-knowledge?

Both, for message content — neither vendor can decrypt your mail server-side. Jurisdiction over the vendor differs: US (PreVeil) vs EU (ASTIS).

Is PreVeil FedRAMP authorized?

No — PreVeil claims DoD “FedRAMP Moderate equivalency” per the DoD CIO memo pathway (their own blog explains this), with data hosted in AWS GovCloud. That is a meaningful bar, and it is not a FedRAMP authorization.

Can external recipients read encrypted mail without installing anything?

In both products the recipient needs a client and a key: PreVeil invites externals to a free account; ASTIS Mail invites them to register a key (browser-based PWA, no app-store install). If a recipient refuses any setup, neither product encrypts to them — Virtru’s or Zivver’s portal model handles that case at the cost of a portal step.

Sources — retrieved July 2026

All trademarks belong to their owners. Prices and features change — verify before deciding. Found an inaccuracy? [email protected] — we fix verified inaccuracies within one business day.

Don’t trust either vendor — verify.

Read the security documentation, then run the 30-day trial on your existing Gmail or Microsoft 365 mailbox. Keep the provider. Protect the content.