Europe Alternatives
Tuta Mail

Hanover-headquartered end-to-end encrypted mail and calendar, founder-owned, hosting on its own RIPE-registered IP space in Germany.

🇩🇪 Germany

About Tuta Mail

Tuta is the consumer and business end-to-end encrypted mail, calendar and (closed-beta) Drive service operated by Tutao GmbH (Deisterstr. 17a, 30449 Hannover, HRB 208014 Amtsgericht Hannover, VAT DE280903265). The company was founded in 2011 by Arne Möhle and Matthias Pfau, who together with Hanna Bozakov are its three managing directors, and rebranded from Tutanota to Tuta on 2023-11-07; the service had more than ten million users by March 2025.

Tutao GmbH operates its own RIPE-allocated /24 (185.205.69.0/24, AS210909) from data centres in Germany. Mail bodies, subject lines, attachments, calendars, contacts and the full search index are end-to-end encrypted using AES-256 + HMAC-SHA-256 with a post-quantum hybrid TutaCrypt key exchange (Kyber-1024 + x25519) shipped on 2024-03-11. Apps are open source under GPL-3.0 at github.com/tutao/tutanota.

Features

  • Free 1 GB tier; Personal Revolutionary EUR 3/month (20 GB) and Legend EUR 8/month (500 GB); Business plans from EUR 6/user/month
  • Apps and backend infrastructure open source under GPL-3.0 at github.com/tutao/tutanota; Android also distributed on F-Droid
  • End-to-end encrypted mail bodies, subject lines, attachments, calendars, contacts and the client-side search index
  • Post-quantum TutaCrypt (Kyber-1024 + x25519) shipped 2024-03-11; new accounts default to TutaCrypt; calendar PQ in same window
  • Custom open-source push-notification and CAPTCHA services replace Google Firebase / reCAPTCHA
  • Self-hosted on Tutao's own RIPE-allocated /24 (AS210909) in German data centres; no Cloudflare or third-party CDN on customer paths
  • Six-monthly transparency report with warrant canary; H2 2025 inventory-data requests ~88% rejection; content data is unreadable
  • Founder-owned with no outside VC; only external capital is a ~EUR 1.5M BMBF post-quantum storage grant (May 2023)
  • Tuta Drive: end-to-end encrypted cloud storage in closed beta; public launch expected 2026 with PQ from day one

Sovereignty Scorecard

Procurement-grade signals on data sovereignty, ownership, and EU residency.

The SHIELD framework

We score every European vendor against six sovereignty dimensions captured in the SHIELD acronym. Each card below maps to one letter — read them as a checklist when comparing providers.

S
Subprocessors

The third parties that touch customer data — payment processors, KYC vendors, support chatbots, analytics.

H
Headquarters & ownership

Where the legal entity sits, who controls it, and which subsidiaries operate under the same group.

I
Infrastructure & residency

Where customer data is physically stored, who runs the hosting stack, which CDN sits in front.

E
Exposure

Whether the vendor or its subprocessors fall under the US CLOUD Act or other extraterritorial reach.

L
Legal documents

Public terms, privacy policy, DPA, subprocessor list, impressum, and security or trust pages.

D
Diligence

Independent audits and certifications (ISO 27001, BSI C5, TISAX, SOC 2) plus open-source transparency.

Ownership

Privately held

Full European control

Tutao GmbH (HRB 208014 Amtsgericht Hannover) is wholly owned by co-founders Arne Möhle and Matthias Pfau, both German nationals based in Hanover; Hanna Bozakov is the third Geschäftsführerin and has been with the company since launch. Tuta stated verbatim on its company blog: 'the company is wholly owned by Matthias and Arne, and is not liable to anyone else.' No outside venture capital has been raised. The only external capital is a roughly EUR 1.5 million BMBF KMU-innovativ grant awarded May 2023 (Northdata records EUR 1,528,635) for the PQDrive post-quantum storage research project, plus a state-aid bracket of EUR 100,000-500,000 recorded October 2024.

Headquarters

🇩🇪 Hanover, Germany

Tutao GmbH

Subsidiaries
  • Tutao GmbH - Munich office · 🇩🇪 Germany · Second German office named on the careers page tuta.com/jobs; supports the same Tutao GmbH legal entity. Not a separate company.
Data residency
DE

Fixed region

Tuta's privacy policy states verbatim: 'All data is stored in ISO 27001 certified data centers in Germany.' The certification covers the data-centre operators, not Tutao GmbH as an entity. The secure-email page reinforces this with: 'All your data in Tuta is stored on our own servers in ISO 27001-certified data centers in Germany and in full compliance with the GDPR.' Personal data is deleted no later than 30 days after termination of the contract; IP addresses are not logged on login or send, and the mail server strips originating IP from outbound email headers.

Hosting infrastructure

Website: Self-hosted on Tutao's own IPv4 /24 (185.205.69.0/24) and IPv6 /48 (2a10:e000:1::/48), RIPE-registered to Tutao GmbH (ORG-TG206-RIPE); no Cloudflare, no third-party CDN in the production path for tuta.com or app.tuta.com (both A-record into Tutao IP space)

Application: Tutao GmbH AS210909 (RIPE-Originated-Valid RPKI) inside ISO 27001-certified data centres in Germany. Webmail at app.tuta.com → 185.205.69.10; mail.tutanota.de → 185.205.69.211 / .213 / .214; tuta.com landing page → 185.205.69.12. Specific data-centre operator(s) are not named publicly.

Email: Self-hosted MX on mail.tutanota.de (Tutao IP space); SPF v=spf1 include:spf.tutanota.de -all on both tuta.com and tutanota.com (strict -all reject)

CDN: None on customer-data subdomains; AWS Route 53 used as authoritative DNS only (NS records ns-*.awsdns-*.{com,net,org,co.uk}); INWX GmbH is the registrar; DNSSEC signedDelegation with algorithm 13 (ECDSAP256SHA256)

Subprocessors
| Name | Country | Purpose |
|---|---|---|
| Amazon Web Services, Inc. (Route 53) | 🇺🇸 United States | Authoritative DNS only for tuta.com and tutanota.com (ns-*.awsdns-*.com / .net / .org / .co.uk observed). Does not touch encrypted mailbox content; resolves only the public DNS zone for Tutao IP space. |
| INWX GmbH | 🇩🇪 Germany | Domain registrar for tuta.com and tutanota.com (Berlin-based German registrar). |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | 🇱🇺 Luxembourg | Subscription-payment processor for PayPal-funded subscriptions; named in the Tuta privacy policy and the transparency report (PayPal usernames listed among the inventory data that can be subpoenaed). |
| Apple Inc. (App Store) | 🇺🇸 United States | iOS in-app subscription billing since 2024-07-12 (Tuta blog post 'ios-payment') -- enables Revolutionary and Legend upgrades inside the iOS app, including non-EUR currency support (USD, GBP). Apple does not handle email content. |
| Google LLC (Google Play) | 🇺🇸 United States | Android subscription billing for users who install Tuta Mail from Google Play; the F-Droid build is the Google-Play-Services-free alternative. Google does not handle email content. |
| Arelion Sweden AB | 🇸🇪 Sweden | BGP transit upstream provider (AS1299) carrying AS210909 traffic. Telia Carrier predecessor; EEA-based. |
| kyberio GmbH | 🇩🇪 Germany | BGP transit upstream provider (AS24679) carrying AS210909 traffic. Frankfurt-region German transit. |
US CLOUD Act exposure
Partial, via US subprocessors
Open source
Has open components

Pricing

Personal Free

EUR 0

free, no trial expiry
  • 1 GB storage, 1 calendar, 3 labels
  • No extra email addresses, no custom domains
  • No subscriber support; iOS / Android / desktop / web clients all included
Personal Revolutionary

EUR 3/month

monthly or annual (EUR 36/year)
  • 20 GB storage, unlimited calendars, unlimited labels
  • 15 extra email addresses across 3 custom domains
  • Email support, calendar sharing, autoresponder, inbox rules, schedule send, offline support
Personal Legend

EUR 8/month

monthly or annual (EUR 96/year)
  • 500 GB storage, unlimited calendars, unlimited labels
  • 30 extra email addresses across 10 custom domains
  • Priority email support and all Revolutionary features
Business Essential

EUR 6/user/month

annual per user
  • 50 GB storage per user, 15 aliases, 3 custom domains
  • Freelancer-tier business product
  • Tutao GmbH offers an Order Processing Agreement (Auftragsverarbeitungsvertrag) on request
Business Advanced

EUR 8/user/month

annual per user
  • 500 GB storage per user, 30 aliases, 10 custom domains
  • Team-tier business product
Business Unlimited

EUR 12/user/month

annual per user
  • 1 TB storage per user, 30 aliases, unlimited custom domains
  • Larger-organisation tier; price unchanged since the June 2023 announcement

Questions & Answers

6 questions

Where is Tuta headquartered, who controls Tutao GmbH, and where is my mailbox stored?

Tutao GmbH is registered at Deisterstr. 17a, 30449 Hannover, under HRB 208014 at Amtsgericht Hannover. The three Geschäftsführer (managing directors) are co-founder Arne Möhle, co-founder Matthias Pfau and Hanna Bozakov. Möhle and Pfau are the sole shareholders -- Tuta stated verbatim on its company blog: 'the company is wholly owned by Matthias and Arne, and is not liable to anyone else.' Mailboxes are stored on Tutao's own infrastructure in Germany: Tutao GmbH is a RIPE Local Internet Registry that operates AS210909 and announces 185.205.69.0/24 and 2a10:e000:1::/48 directly. Tuta states the data centres are 'ISO 27001 certified data centers in Germany'; the certification covers the data-centre operators, not Tutao GmbH as an entity. The Tuta Terms of Service make German law and Hanover the place of jurisdiction.

Is Tuta subject to US legal process?

No, not directly. Tutao GmbH has no US-incorporated parent, no US subsidiary and no offices outside Germany; the founders, the headquarters and the production infrastructure are German. Tuta stated verbatim that 'Tutao GmbH only responds to valid warrants issued by German courts' and 'German companies are not allowed to share customer's information with foreign law enforcement.' Indirect exposure exists through a small set of subprocessors that are US-domiciled: authoritative DNS for tuta.com and tutanota.com is hosted on AWS Route 53; iOS subscription billing flows through Apple (in-app purchase since 2024-07-12); Android subscription billing flows through Google Play; PayPal and an unnamed credit-card processor handle subscription payments. None of those processors can decrypt encrypted mailbox content.

What does end-to-end encryption actually cover in Tuta?

Mail bodies, subject lines and attachments; entire calendars including event metadata such as titles, notifications and reminders; contacts (birthday, comment, company, first name, last name, nickname, role, title, addresses, mail addresses, phone numbers, social IDs); inbox rules and filters; and the full search index, which is built and stored on the client device. The only data that remains unencrypted is sender / recipient mail addresses and timestamps, because email protocol standards require routing metadata to remain in clear text. Push notifications are delivered through Tuta's own open-source notification service, which keeps them hidden from Apple and Google. The cryptographic primitives are AES-256 / HMAC-SHA-256 for symmetric encryption, Argon2 / HKDF-SHA-256 for key derivation, and from 2024-03-11 the post-quantum TutaCrypt hybrid Kyber-1024 + x25519 exchange for new accounts (RSA-2048 retained for backward compatibility with legacy accounts).

Is Tuta open source? Can I run it myself?

The Tuta web, iOS, Android, desktop (Windows / macOS / Linux) clients and the backend infrastructure code are open source under GPL-3.0 at github.com/tutao/tutanota (7,580 stars, 619 forks, 938 tagged releases). The Android app is published on Google Play and as a Google-Play-Services-free build on F-Droid (Tuta is, per Wikipedia, the first email provider to publish on F-Droid). Tuta is a member of the Open Invention Network (joined 2017). The Tutao trademark is held by the company. There is no documented self-hosting flow for the server side -- running your own Tuta mailbox cluster is technically possible from the public source tree but is not a productised path. Most procurement-grade buyers will use the hosted Business plans (Essential, Advanced or Unlimited) under an Auftragsverarbeitungsvertrag.

What does Tuta publish about law-enforcement requests?

The transparency report is updated every six months and includes a warrant canary. The H2 2025 (1 July - 31 December 2025) report shows 165 inventory-data requests with 19 disclosed (~88% rejection), 25 real-time-traffic-data requests with 19 disclosed, 16 stored-content-data requests with 8 disclosed and 14 real-time-content-data requests with 12 disclosed. Tuta stated that across calendar year 2025 it 'rejected 75% of all requests from authorities.' Even with a valid German court order, Tuta cannot decrypt mailbox content -- only inventory data (banking / PayPal / card metadata) and routing metadata (sender / recipient / timestamps) can be turned over. The canary states verbatim: 'Tuta (formerly Tutanota) has never received any National Security Letters or FISA court orders, and we have not been subject to any gag order by a FISA court.'

Why doesn't Tuta publish a dedicated subprocessor list page?

Tuta does not publish a single subprocessor URL the way most B2B SaaS vendors do. The vendors that touch customer data are enumerated inline across the privacy policy, the iOS-payment blog post and the imprint. The list is small by design: AWS Route 53 for authoritative DNS, PayPal Europe S.à r.l. et Cie S.C.A. for PayPal payments, an unnamed credit-card processor for card payments, German credit institutions for SEPA direct debit, Apple Inc. for iOS in-app subscriptions (since 2024-07-12), Google LLC for Android billing via Google Play, INWX GmbH as the domain registrar and BGP transit via Arelion (AS1299, Sweden) and kyberio GmbH (AS24679, Germany). The Business plans include an Order Processing Agreement on request through the sales channel.

Quick facts

Languages supported
Čeština
Deutsch
English
Español
Suomi
Français
Magyar
Italiano
日本語
Nederlands
Polski
Português
RU
Svenska
Українська
中文
Sources & verification

Every fact on this page is backed by a primary or independent source. Most recent verification: May 15, 2026.

Citations

Sovereignty (SHIELD)

S · Subprocessors
  • primary · privacy-policy · tuta.com/privacy-policy · PayPal, card processors, credit institutions for SEPA
  • primary · blog · tuta.com/blog/ios-payment · Apple in-app subscription 2024-07-12
  • primary · dns-records · www.ripe.net · AWS Route 53 NS records on tuta.com and tutanota.com via dig NS / whois; INWX as registrar
  • primary · dns-records · bgp.he.net/AS210909 · BGP upstreams AS1299 Arelion (Sweden) and AS24679 kyberio (Germany)
H · Headquarters
H · Ownership
H · Subsidiaries
  • primary · about-page · tuta.com/jobs · Hanover HQ and Munich office
I · Data residency
I · Hosting infrastructure
  • primary · dns-records · bgp.he.net/AS210909 · AS210909 and prefix announcements; BGP upstream providers
  • primary · dns-records · bgp.he.net/net/185.205.69.0/24 · Hurricane Electric BGP toolkit deep link to 185.205.69.0/24: netname DE-TUTA-20201009, org Tutao GmbH (ORG-TG206-RIPE)
  • primary · privacy-policy · tuta.com/privacy-policy · Data-centre operator certification claim
  • primary · dns-records · dnsviz.net/d/tutanota.de/dnssec · DNSSEC chain (algorithm 13 ECDSAP256SHA256) and SPF -all reject on tutanota.de + tuta.com via dnsviz; A-record values mail.tutanota.de 185.205.69.211 / .213 / .214 and app.tuta.com 185.205.69.10 confirmed via dig
E · US CLOUD Act exposure
L · Legal documents
D · Certifications
  • primary · privacy-policy · tuta.com/privacy-policy · ISO 27001 attribution is to the data-centre operators, not to Tutao GmbH as an entity; no Tutao corporate certifications publicly recorded
D · Open source