Comparison · Verified July 2026 · Every claim links to its source

ASTIS Mail vs Virtru

Both encrypt email on top of Gmail and Microsoft 365 without migration. The difference is one question: who can produce your plaintext?

TL;DR. Virtru is the established player — $191M raised, FedRAMP Moderate, 6,000+ customers. In its default deployment, Virtru’s key infrastructure manages your decryption keys; their own ITAR page puts it plainly: “Microsoft will have encrypted content, Virtru will have the keys.” ASTIS Mail is built so that trust isn’t required: keys are generated and used on your devices, and ASTIS servers hold wrapped key capsules and a public-key directory — never your mail. Virtru counters with a smoother flow for unprepared recipients and a longer certification list. The honest version of both is below — with links to where each vendor says it themselves.

At a glance

The icon next to a claim opens its primary source — the vendor’s own page for their claims, our verifiable docs for ours. Security platforms shouldn’t ask to be believed.

ASTIS MailVirtru
Works on top of Gmail / Microsoft 365
Native desktop apps (macOS · Windows · Linux) · any browser · Thunderbird add-on · Chrome extension
Chrome extension / Outlook add-in
Vendor can decrypt your mail
No — keys wrapped on your devices
Key server manages & releases keys (default)
Zero-knowledge without add-ons
Default configuration
Requires Private Keystore (quote-only)
Encryption standard
OpenPGP (IETF) + WKD — portable keys, any compliant client
TDF/OpenTDF — open spec, but decryption needs Virtru KAS
Subject lines encrypted
Sealed client-side
TDF encrypts body + attachments; subject & recipient list stay readable
Attachment names encrypted
Filenames + MIME types sealed
Content yes, names no · 150 MB cap
Calendar encryption
E2EE calendar built in
Not native (Google CSE + add-on only)
Unprepared external recipients
One-time key invite, then frictionless
Secure Reader — per-message verification
Post-send control
TTL expiry + revoke
Revoke, expiry, watermark, no-forward
Jurisdiction & infrastructure
EU entity · French & German operators — no US hyperscalers
US company · keys hosted on AWS
Certifications issued today
SOC 2 Type II in progress · signed builds
SOC 2 · FedRAMP Moderate · FIPS 140-2
Published pricing
$15–20/seat/mo · self-serve trial
$119–499/mo per 5-user bundle · Enterprise quote

Where is the trust boundary?

Every product on this market draws a line: everything left of it cannot read your content; everything right of it you have to trust. The only question that matters is where the line sits.

Your device

Keys generated and used client-side. No service can produce plaintext.

ASTIS Mail
Vendor key service

Content encrypted, but a vendor-run key server authorizes every decryption.

Virtru
Vendor platform

Encryption and access control live in the vendor’s server-side platform.

Transport only

TLS in transit; content readable at rest by providers and gateways.

Virtru encrypts client-side, but its Key Access Server authorizes and releases the key for every read. Private Keystore (add-on) moves the boundary left — at enterprise pricing.

Where your data lives

ASTIS Mail deliberately does not host message content: decrypted mail exists only on your devices, ciphertext rides your own mailbox. Compare where each product puts plaintext.

ASTIS Mail
Virtru
Decrypted (plaintext) data
Only on your devices — decrypted locally, stored in local browser storage
Rendered on device; external recipients read via Secure Reader browser sessions on Virtru infrastructure
Encrypted message store
In your own mailbox at your provider (Gmail / M365), as ciphertext
TDF objects stay with your mail provider — same premise as ASTIS here
What vendor servers hold
Wrapped key capsules (keyed by address hashes), encrypted key blobs, and the WKD public-key directory — never message content
The decryption keys — Virtru’s AWS-hosted key infrastructure releases them per read

Who holds the keys?

ASTIS Mail’s model

The per-message key is generated on the sender’s device and encrypted to each recipient’s public key — on the device. ASTIS stores wrapped capsules keyed by address hashes, plus the public-key directory. No plaintext keys, no message content.

There is no read-time authorization service that could be compelled, compromised, or socially engineered into releasing a key — because no service holds a usable key. Zero-knowledge is the default, not the top tier. Verifiable: open SDK, GPG-signed builds, published specs.

Virtru’s model

Content is encrypted client-side into TDF objects; the data-encryption keys are managed by Virtru’s Key Access Server on AWS. When a recipient opens a message, Virtru’s infrastructure authorizes and releases the key — an authorization middleman for every message.

Their fix exists — Private Keystore, host the keys yourself — sold as an enterprise add-on with professional services attached.

“Microsoft will have encrypted content, Virtru will have the keys but no content.”virtru.com/compliance/itar

Standards, not formats: OpenPGP vs TDF

Virtru’s TDF is an open specification (OpenTDF) — credit where due. But a TDF object is unreadable without a Key Access Server’s cooperation: the format is open, the access path runs through Virtru-style infrastructure. An OpenPGP message is self-contained: ASTIS Mail encrypts to a 30-year-old IETF standard (RFC 4880/9580), keys are discovered via standard Web Key Directory, and your private key decrypts your mail in any compliant implementation — including GnuPG, without ASTIS. If ASTIS disappeared tomorrow, your keys and your ciphertext still work. That is what “no vendor lock-in” means cryptographically, not contractually.

What stays readable

For a law firm, “Re: Smith v. Jones — settlement strategy.docx” in plaintext is the leak.

Sealed in the envelope
ASTIS Mail
Virtru
Message body
Encrypted
Encrypted
Attachment content
Encrypted
Encrypted
Subject line
Encrypted
Readable
Attachment filenames
Encrypted
Readable
Calendar events
Encrypted
Readable
Addresses in vendor key service
Encrypted
Readable

Virtru: subject/recipient list and attachment names per Virtru support documentation; attachment content encrypted, 150 MB combined cap. Calendar via Google Workspace CSE + Private Keystore only.

External recipients — the honest section

Repeat correspondents: one-time setup wins

ASTIS Mail sends the external recipient a one-time key invite — a free browser client, no install. Every exchange after that is frictionless true E2EE. No per-message verification dance.

For firms whose confidential mail goes to repeat correspondents — clients, counsel, auditors — the one-time setup beats every-time verification. For one-off blasts to strangers, it doesn’t. Choose accordingly.

One-off mail to strangers: Virtru is better today

Virtru’s Secure Reader lets an unprepared recipient verify by OAuth or a one-time email link and read in the browser. No account creation. For one-off mail, that beats ASTIS Mail. Full stop.

The same flow is Virtru’s #1 complaint theme in its own G2 reviews (~55 mentions): single-use links that expire in 24 hours and must open in the same browser on the same device, notifications landing in spam, replies losing the prior thread.

Pricing

ASTIS Mail

  • Solo $179/year · Team $15/seat/mo · Organization $20/seat/mo
  • Self-serve, 30-day trial, no services engagement
  • 25-seat firm: ≈ $4,500–6,000/year

Virtru

  • Starter $119/mo · Business $219/mo · Compliance $499/mo — each a 5-user bundle, annual billing
  • Median contract $11,219/year (Vendr, 103 purchases)
  • Professional services typically $5k–25k+

Two honest shortlists

Pick Virtru if

  • US federal orbit: FedRAMP Moderate, ITAR carve-out, CJIS, CMMC positioning
  • Daily one-off encrypted mail to unprepared external recipients
  • Granular post-send control: disable forwarding, watermarking
  • An issued SOC 2 report is a hard requirement today

Pick ASTIS Mail if

  • The requirement is that no vendor can decrypt — legal privilege, board mail, trade secrets
  • EU-regulated buyers (GDPR, NIS2, DORA) for whom a US key custodian is the problem
  • Subjects, filenames, and calendars must be inside the envelope — not just bodies
  • Teams of 5–200 that want published per-seat pricing, no services project

FAQ

Is Virtru end-to-end encrypted?

Virtru encrypts client-side, but in the default deployment its Key Access Server manages and releases decryption keys — Virtru sits in the trust path for every message. With the Private Keystore add-on, customers host keys themselves. ASTIS Mail is zero-knowledge in its default configuration.

Does Virtru encrypt subject lines?

No — subjects and recipient lists remain unencrypted; body and attachment contents are encrypted. ASTIS Mail encrypts subject lines and attachment filenames as well.

Which has better compliance certifications today?

Virtru — SOC 2 Type II, FedRAMP Moderate, FIPS 140-2 validated modules, HIPAA BAA from the entry tier. ASTIS’s SOC 2 Type II is in progress (July 2026); its architecture claims (open SDK, signed builds, no US hyperscalers in the stack) are verifiable now.

Can I try both without changing my email setup?

Yes — both are overlays. Virtru: extension/add-in, sales-assisted above entry tiers. ASTIS Mail: OAuth connect + PWA, 30-day self-serve trial.

Is ASTIS Mail a Virtru alternative for US government work?

No. If you need FedRAMP, ITAR, or CJIS, use Virtru or PreVeil. ASTIS Mail is built for European regulated business.

Sources — retrieved July 2026

All trademarks belong to their owners. Prices and features change — verify before deciding. Found an inaccuracy? [email protected] — we fix verified inaccuracies within one business day.

Don’t trust either vendor — verify.

Read the security documentation, then run the 30-day trial on your existing Gmail or Microsoft 365 mailbox. Keep the provider. Protect the content.