Skip to main content
Tuta (Tutanota) logo

Tuta (Tutanota)

Verified

“German-owned, German-hosted: about as sovereign as EU email gets.”

Operating HQ
πŸ‡©πŸ‡ͺ Hannover, Germany
where it's run
Legal domicile
πŸ‡©πŸ‡ͺ Hannover, Germany
where it's incorporated
Users
10M+
Ownership
100% founders
Employees
~41
Hosting
Own servers, DE
92/100
Sovereign: Yes
Control ↑
94
Data β†’
90

92 = midpoint of Control 94 & Data 90

ConfidenceHigh (88%)

Sovereignty Quadrant

Control ↑ who owns & governs the company  Β·  Data β†’ where your data lives. Every dot is a company β€” click to open it.

Where your data lives β†’ Who controls the company β†’ 7 companies Β· fully non-EU (0/0) TikTok β€” Data 32, Control 24 Google β€” Data 16, Control 14 Youtube β€” Data 14, Control 16 Ionos β€” Data 90, Control 90 Disneyplus β€” Data 16, Control 12 Telegram β€” Data 34, Control 14 Carrefour β€” Data 100, Control 32 Corriere β€” Data 100, Control 100 Microsoft β€” Data 26, Control 14 Amazon β€” Data 14, Control 10 Amazon β€” Data 66, Control 0 Reddit β€” Data 14, Control 10 Netflix β€” Data 24, Control 20 LinkedIn β€” Data 14, Control 16 Reuters β€” Data 26, Control 0 Pinterest β€” Data 12, Control 12 Discord β€” Data 16, Control 20 AliExpress β€” Data 18, Control 12 Twitch β€” Data 18, Control 16 Samsung β€” Data 62, Control 4 Canva β€” Data 24, Control 20 Spotify β€” Data 30, Control 68 Apple β€” Data 16, Control 16 GitHub β€” Data 16, Control 10 Uber β€” Data 16, Control 16 Salesforce β€” Data 20, Control 14 Deepl β€” Data 70, Control 78 Airbnb β€” Data 18, Control 18 Shopify β€” Data 18, Control 18 Mastercard β€” Data 36, Control 16 Dropbox β€” Data 14, Control 10 HubSpot β€” Data 24, Control 10 Notion β€” Data 22, Control 16 Stripe β€” Data 30, Control 30 Zalando β€” Data 52, Control 88 Figma β€” Data 18, Control 10 SAP SE β€” Data 68, Control 78 Atlassian β€” Data 18, Control 18 Proton β€” Data 72, Control 54 Miro β€” Data 100, Control 44 Klarna β€” Data 44, Control 42 Ecosia β€” Data 60, Control 92 Zoom β€” Data 20, Control 14 Adyen β€” Data 84, Control 84 GitLab β€” Data 26, Control 14 Slack β€” Data 14, Control 20 Hetzner β€” Data 84, Control 96 Deezer β€” Data 62, Control 66 Typeform β€” Data 100, Control 52 OVHcloud β€” Data 82, Control 94 Tutanota β€” Data 100, Control 100 BlaBlaCar β€” Data 54, Control 76 Qwant β€” Data 56, Control 88 Bitwarden β€” Data 28, Control 20 Contentful β€” Data 34, Control 48 Personio β€” Data 34, Control 58 Ikea β€” Data 34, Control 100 Whatsapp β€” Data 14, Control 12 Instagram β€” Data 28, Control 22 X β€” Data 14, Control 16 Avast β€” Data 60, Control 0 Paypal β€” Data 24, Control 32 Kaspersky β€” Data 56, Control 0 Dailymotion β€” Data 100, Control 74 Snapchat β€” Data 12, Control 14 mailbox.org β€” Data 92, Control 94 90 94 Tuta (Tutanota)
Tuta (Tutanota) β€” verified peers β€” automated estimate (0–50 pillars, normalized)

Every number below traces to 14 sourced facts across 12 independent sources, last verified 2026-06-12. 3 open questions hold confidence at 88% β€” they lower confidence, never the score.

Control ↑

Who legally and economically controls the company

94/100
7 facts Β· 5 sources Β· mixed confidence
Legal & Jurisdiction
93

Incorporated and operated as a German GmbH in Hannover with no foreign parent; EU/German law reaches it directly and GDPR applies natively.

Why 93? 4 sourced facts · click to expand
Tutao GmbH, HRB 208014 Hannover

The operating company Tutao GmbH is registered at the Hannover commercial register under HRB 208014, address Deisterstrasse 17a, 30449 Hannover.

Online-Handelsregister (German commercial register listing) Β· as of 2026-06-12

Germany-only; German court warrants only

Tuta states it has offices located only within Germany and no other countries, and responds only to valid warrants from German courts.

Tuta blog (independence statement) Β· as of 2026-06-12

No backdoor/gag-order law in Germany

Tuta argues German law gives no power to compel a gag order or an encryption backdoor, and German companies cannot share customer data with foreign law enforcement.

Tuta blog (Why Tuta is based in Germany) Β· as of 2026-06-12

Subject to German court orders

A 2020 Cologne court order required monitoring of a single account's future unencrypted incoming mail, demonstrating Tuta operates under German court jurisdiction.

Wikipedia (Tuta email) Β· as of 2026-06-12

Control & Ownership
95

Wholly and privately owned by its two German founders with no outside investors, no foreign parent and no public listing; both voting control and economics sit in the EU.

Why 95? 3 sourced facts · click to expand
100% founder-owned (Mohle & Pfau)

Tutao GmbH was founded in 2011 by Arne Mohle and Matthias Pfau and is to this day wholly owned by them, not liable to anyone else.

Tuta blog (independence statement) Β· as of 2026-06-12

Private, no VC rounds, unlisted

Tuta is a private company with no venture funding rounds listed; it is not publicly traded on any exchange.

Crunchbase (Tutanota profile) Β· as of 2026-06-12

EUR 25,500 share capital

The registered share capital of Tutao GmbH is EUR 25,500, consistent with a small founder-held GmbH rather than an investor cap table.

Online-Handelsregister (German commercial register listing) Β· as of 2026-06-12

Data β†’

Where your data lives and who can reach it

90/100
7 facts Β· 7 sources Β· mixed confidence
Data & Infrastructure
88

Runs its own servers in ISO 27001-certified German data centers rather than on a US hyperscaler, with end-to-end encryption; only caveat is the specific colocation provider is not publicly named.

Why 88? 4 sourced facts · click to expand
Own servers, ISO 27001, Germany

All data is stored on Tuta's own servers in ISO 27001-certified data centers based in Germany, fully compliant with the GDPR.

Tuta (business / security pages) Β· as of 2026-06-12

No US hyperscaler dependence

Tuta builds its clients itself and operates its own server infrastructure rather than relying on third-party cloud providers like Amazon, Google or Microsoft.

Tuta security page Β· as of 2026-06-12

E2E encrypted; provider cannot read

User data is automatically end-to-end encrypted so that not even Tuta can read it, with private keys encrypted under the user's password before reaching the servers.

Tuta encryption page Β· as of 2026-06-12

100% renewable-powered servers

Tuta says its own servers are powered with 100% renewable energy.

Tuta Drive page Β· as of 2026-06-12

Operations & People
92

Headquartered in Hannover with a second German office in Munich, German founders and workforce, and German/EU funding; operations are fully EU-centered.

Why 92? 3 sourced facts · click to expand
HQ Hannover; office Munich

Tuta is headquartered in Hannover, Germany, and opened a second office in Munich in 2024.

Tuta blog (2024 year in review) Β· as of 2026-06-12

~41 employees, growing

Tuta's team continued growing in 2025 with new hires across its Hannover and Munich offices; third-party profiles put headcount around 41.

Tuta blog (team grows) / PitchBook Β· as of 2026-06-12

German federal (BMBF) R&D grant

Tuta runs the PQDrive post-quantum project with a ~EUR 1.5M KMU-innovativ grant from Germany's Federal Ministry of Education and Research, partnering with the University of Wuppertal.

Tuta blog (PQDrive project) Β· as of 2026-06-12

Aligned to the EU Commission’s official Cloud Sovereignty Framework (SEAL, Jun 2026) β†’

What we don’t know 3 open questions β€” they lower confidence, never the score
  • ?

    Which specific colocation provider(s) and city host Tuta's servers?

    Tuta confirms own servers in ISO 27001 German data centers but does not publicly name the facility operator, so independent CLOUD Act / jurisdictional verification of the hosting partner is not possible.

  • ?

    What is Tuta's revenue and current exact user/paid-subscriber count?

    As a private GmbH it discloses no audited financials; the 10M+ users figure dates to 2023, so scale and financial sustainability cannot be precisely verified.

  • ?

    Does any part of the stack (e.g. CDN, captcha, app-store delivery, payment processing) touch non-EU providers?

    Core storage is EU-owned and EU-hosted, but ancillary edge/payment services are not detailed publicly, a common gap that adversarial reviewers probe.

EU Cloud Sovereignty Framework lens

The EU Cloud Sovereignty Framework (SEAL) is a procurement scheme for cloud service providers; Tuta is an email/storage application, so the rows below are an analogous sovereignty mapping, not a certification or formal SEAL assessment.

Strategic

Founder-owned German SME with an explicit EU-sovereignty and privacy mission; no foreign strategic dependence.

strong

Legal & jurisdictional

Incorporated and operated solely in Germany (Tutao GmbH, HRB 208014); fully within EU/German jurisdiction and GDPR.

strong

Data & AI

Data stored end-to-end encrypted on own servers in Germany; provider cannot read content; no reliance on US hyperscalers.

strong

Operational

HQ Hannover plus Munich office; German leadership and workforce; reporting and operations EU-centered.

strong

Supply chain

Owns its servers and builds clients in-house, but the colocation provider is unnamed and ancillary services (payments, app stores) are undisclosed.

moderate

Technological

Open-source clients, self-built apps, and post-quantum encryption developed with a German federal (BMBF) grant and University of Wuppertal.

strong

Security & compliance

ISO 27001-certified data centers and GDPR compliance asserted; default E2E encryption; subject to German court oversight.

strong

Environmental sustainability

Tuta states servers run on 100% renewable energy, but no published PUE or independent environmental audit was found.

moderate
EU alternatives
πŸ‡©πŸ‡ͺ Tuta (this company) tuta.com EU-controlled

Tuta is itself a strong EU-sovereign choice: German-owned, German-hosted, E2E-encrypted email/calendar/storage.

πŸ‡¨πŸ‡­ Proton Mail proton.me with caveats

Privacy-first peer with own infrastructure, but based in Switzerland (EEA-adjacent, not an EU member state).

πŸ‡©πŸ‡ͺ Mailbox.org mailbox.org EU-controlled

German-owned (Heinlein Group) encrypted email and groupware hosted in Germany; a comparable EU-sovereign peer.

How the method works

Methodology v2 (provisional): the score is the midpoint of two axes β€” Control (who owns and governs the company) and Data (where your data lives and who can reach it). Each axis is scored only on verified evidence; unknowns reduce confidence, never the score. Every input below is sourced; the weights and judgments are open to challenge.

Spotted an error? Every claim is sourced β€” challenge it and we correct the record.
  • 2026-06-12 β€” Initial golden profile, authored from primary sources (human + AI review).

Report Incorrect Data

Found an error in this company's profile? Help us improve our data by submitting a correction.

Required so we can follow up if needed. We won't share your email.

Verified 2026-06-12 Β· Human + AI joint review (sources independently checked) Β· Methodology