Skip to main content
mailbox.org logo

mailbox.org

Verified

“German to the metal. Own servers, own jurisdiction, founder-owned.”

Operating HQ
πŸ‡©πŸ‡ͺ Berlin, Germany
where it's run
Legal domicile
πŸ‡©πŸ‡ͺ Germany
where it's incorporated
Founded
2014
Ownership
Founder-owned
Infrastructure
Own servers
Certifications
BSI C5 + ISO 27001
92/100
Sovereign: Yes
Control ↑
93
Data β†’
91

92 = midpoint of Control 93 & Data 91

ConfidenceHigh (88%)

Sovereignty Quadrant

Control ↑ who owns & governs the company  Β·  Data β†’ where your data lives. Every dot is a company β€” click to open it.

Where your data lives β†’ Who controls the company β†’ 7 companies Β· fully non-EU (0/0) TikTok β€” Data 32, Control 24 Google β€” Data 16, Control 14 Youtube β€” Data 14, Control 16 Ionos β€” Data 90, Control 90 Disneyplus β€” Data 16, Control 12 Telegram β€” Data 34, Control 14 Carrefour β€” Data 100, Control 32 Corriere β€” Data 100, Control 100 Microsoft β€” Data 26, Control 14 Amazon β€” Data 14, Control 10 Amazon β€” Data 66, Control 0 Reddit β€” Data 14, Control 10 Netflix β€” Data 24, Control 20 LinkedIn β€” Data 14, Control 16 Reuters β€” Data 26, Control 0 Pinterest β€” Data 12, Control 12 Discord β€” Data 16, Control 20 AliExpress β€” Data 18, Control 12 Twitch β€” Data 18, Control 16 Samsung β€” Data 62, Control 4 Canva β€” Data 24, Control 20 Spotify β€” Data 30, Control 68 Apple β€” Data 16, Control 16 GitHub β€” Data 16, Control 10 Uber β€” Data 16, Control 16 Salesforce β€” Data 20, Control 14 Deepl β€” Data 70, Control 78 Airbnb β€” Data 18, Control 18 Shopify β€” Data 18, Control 18 Mastercard β€” Data 36, Control 16 Dropbox β€” Data 14, Control 10 HubSpot β€” Data 24, Control 10 Notion β€” Data 22, Control 16 Stripe β€” Data 30, Control 30 Zalando β€” Data 52, Control 88 Figma β€” Data 18, Control 10 SAP SE β€” Data 68, Control 78 Atlassian β€” Data 18, Control 18 Proton β€” Data 72, Control 54 Miro β€” Data 100, Control 44 Klarna β€” Data 44, Control 42 Ecosia β€” Data 60, Control 92 Zoom β€” Data 20, Control 14 Adyen β€” Data 84, Control 84 GitLab β€” Data 26, Control 14 Slack β€” Data 14, Control 20 Hetzner β€” Data 84, Control 96 Deezer β€” Data 62, Control 66 Typeform β€” Data 100, Control 52 OVHcloud β€” Data 82, Control 94 Tutanota β€” Data 100, Control 100 BlaBlaCar β€” Data 54, Control 76 Qwant β€” Data 56, Control 88 Bitwarden β€” Data 28, Control 20 Contentful β€” Data 34, Control 48 Personio β€” Data 34, Control 58 Ikea β€” Data 34, Control 100 Whatsapp β€” Data 14, Control 12 Instagram β€” Data 28, Control 22 X β€” Data 14, Control 16 Avast β€” Data 60, Control 0 Paypal β€” Data 24, Control 32 Kaspersky β€” Data 56, Control 0 Dailymotion β€” Data 100, Control 74 Snapchat β€” Data 12, Control 14 Tuta (Tutanota) β€” Data 90, Control 94 Posteo β€” Data 92, Control 94 91 93 mailbox.org
mailbox.org β€” verified peers β€” automated estimate (0–50 pillars, normalized)

Every number below traces to 13 sourced facts across 10 independent sources, last verified 2026-06-12. 3 open questions hold confidence at 88% β€” they lower confidence, never the score.

Control ↑

Who legally and economically controls the company

93/100
6 facts Β· 5 sources Β· mixed confidence
Legal & Jurisdiction
95

Operated by Heinlein Hosting GmbH, incorporated and registered in Berlin (District Court Berlin-Charlottenburg, HRB 220010 B), CEO Peer Heinlein. No foreign parent in the control chain. The full operating, contracting, and data-processing entity sits inside the EU under German and EU law, so GDPR and EU enforcement reach it directly with nothing to pierce. Textbook EU-incorporated and EU-operating.

Why 95? 3 sourced facts · click to expand
Heinlein Hosting GmbH, Berlin; HRB 220010 B (AG Berlin-Charlottenburg)

Operating entity, registry and address

mailbox.org Legal Notice / Impressum Β· as of 2026-06-12

Heinlein Hosting GmbH, since 2021-01-01

mailbox.org was spun off into its own GmbH on 1 Jan 2021

mailbox.org news: spin-off into separate GmbH Β· as of 2026-06-12

German jurisdiction, data stays in Germany

Service runs under German jurisdiction; no data transmitted abroad

Wikipedia: Mailbox (company) Β· as of 2026-06-12

Control & Ownership
90

Heinlein Hosting GmbH is a 100% subsidiary of Heinlein Support GmbH (Berlin, HRB 93818 B), the parent of the privately held, founder-led Heinlein Group. Founder Peer Heinlein controls the group (Jutta Horstmann joined as Co-CEO in 2024). No public listing, no identified foreign capital β€” voting control and economic ownership both sit in Germany. Slight deduction only because the exact private shareholder split is paywalled in the commercial register, so 100% domestic ownership is strongly indicated but not line-itemized publicly.

Why 90? 3 sourced facts · click to expand
100% subsidiary of Heinlein Support GmbH

Heinlein Hosting GmbH is wholly owned by Heinlein Support GmbH

mailbox.org news: spin-off into separate GmbH Β· as of 2026-06-12

Peer Heinlein, founder/CEO of Heinlein Group

Parent is a founder-led, privately held German group

Heinlein Group (about / press) Β· as of 2026-06-12

Heinlein Support GmbH, HRB 93818 B, capital EUR 25,000

Parent company registry entry (Berlin)

NorthData: Heinlein Support GmbH Β· as of 2026-06-12

Data β†’

Where your data lives and who can reach it

91/100
7 facts Β· 6 sources Β· mixed confidence
Data & Infrastructure
92

This is the maximal infrastructure case for the index. mailbox.org explicitly does NOT rent root servers from commercial providers β€” it operates its own dedicated hardware across two geographically separate Berlin data centers (IPB / Internet Provider Berlin and Lumen), with its own data lines, under German jurisdiction, on green energy, and states no data is transmitted abroad. No US hyperscaler in the path means no CLOUD Act / FISA 702 exposure on user data. Deduction is minimal and reflects reliance on third-party colocation facilities (Lumen is US-parented at the building/transit layer) rather than fully self-owned buildings, and the absence of an independent audit of physical data flows.

Why 92? 4 sourced facts · click to expand
Own infra; 2 Berlin data centers (IPB, Lumen)

Operates own dedicated hardware, does not rent root servers

mailbox.org news: why we operate two data centres Β· as of 2026-06-12

Berlin, Germany; German jurisdiction

Servers located in Berlin, Germany under German jurisdiction

mailbox.org Knowledge Base: where are the servers Β· as of 2026-06-12

German DCs only, green power, no data abroad

Servers run exclusively in German data centers on green energy, no data abroad

Wikipedia: Mailbox (company) Β· as of 2026-06-12

BSI C5 Type 1 (07.01.2026); ISO 27001:2022

Certified BSI C5 (Type 1) and ISO/IEC 27001:2022

mailbox.org news: BSI C5 + ISO 27001 certification Β· as of 2026-06-12

Operations & People
90

Berlin-headquartered, German-led, German-staffed operation reporting in euros. Founder Peer Heinlein and Co-CEO Jutta Horstmann lead from Berlin; the parent Heinlein Support employs 150+ permanent staff. Workforce, management, support and operations are all EU-centered. Deduction reflects only that detailed headcount specific to the mailbox.org entity (vs. the broader group) isn't separately published.

Why 90? 3 sourced facts · click to expand
Berlin, Germany

Headquarters and operations in Berlin, Germany

mailbox.org about us Β· as of 2026-06-12

150+ permanent staff (group)

Parent Heinlein Support has 150+ permanent employees

mailbox.org about us Β· as of 2026-06-12

Peer Heinlein (CEO), Jutta Horstmann (Co-CEO since 2024)

German leadership: founder/CEO Peer Heinlein, Co-CEO Jutta Horstmann

Heinlein Group press: Co-CEO appointment Β· as of 2026-06-12

Aligned to the EU Commission’s official Cloud Sovereignty Framework (SEAL, Jun 2026) β†’

What we don’t know 3 open questions β€” they lower confidence, never the score
  • ?

    Exact private shareholder split of Heinlein Support GmbH (the parent)

    Public German register lists 2 active shareholders but the precise percentages are behind a paywall; 100% domestic founder ownership is strongly indicated but not line-itemized publicly.

  • ?

    Headcount and revenue specific to the mailbox.org / Heinlein Hosting entity

    Only group-level figures (150+ staff) are published, so the standalone scale of the mailbox.org business is not precisely known.

  • ?

    Whether any transit/colocation layer touches non-EU-controlled infrastructure

    One data-center partner (Lumen) is US-parented at the facility/transit level; mailbox.org owns the servers but the building operator's jurisdiction adds a thin layer of theoretical exposure.

EU Cloud Sovereignty Framework lens

SEAL was designed to score cloud/hosting providers; this is an analogous mapping for an email provider, not a formal SEAL certification.

Strategic

Independent, founder-owned German group explicitly built around European digital sovereignty; no foreign strategic control.

strong

Legal & jurisdictional

German GmbH, Berlin register, fully under German/EU law; GDPR enforcement reaches the operating entity directly.

strong

Data & AI

User data stored only in German data centers; PGP/S-MIME encryption; provider states no data transmitted abroad.

strong

Operational

Berlin HQ, German leadership and workforce, euro reporting; operations entirely EU-centered.

strong

Supply chain

Owns its servers and data lines but relies on third-party colocation (IPB, Lumen); Lumen is US-parented at the facility/transit layer.

moderate

Technological

Self-operated dedicated hardware, open-source stack, sibling products OpenTalk/OpenCloud; no hyperscaler dependency.

strong

Security & compliance

BSI C5 Type 1, ISO/IEC 27001:2022, BSI email-security gold status (2025).

strong

Environmental sustainability

Provider states servers run on green energy, but no independent emissions/PUE disclosure verified.

moderate
EU alternatives
πŸ‡©πŸ‡ͺ Tuta (Tutanota) tuta.com EU-controlled

German end-to-end-encrypted email, own servers in Germany; a strong domestic peer with deeper E2EE.

πŸ‡¨πŸ‡­ Proton Mail proton.me with caveats

Swiss-based, strong privacy and self-run infra, but Switzerland is not in the EU (adequacy-recognized).

πŸ‡©πŸ‡ͺ Posteo posteo.de EU-controlled

Berlin-based, green, privacy-focused German email on its own infrastructure; a close sovereign peer.

How the method works

Methodology v2 (provisional): the score is the midpoint of two axes β€” Control (who owns and governs the company) and Data (where your data lives and who can reach it). Each axis is scored only on verified evidence; unknowns reduce confidence, never the score. Every input below is sourced; the weights and judgments are open to challenge.

Spotted an error? Every claim is sourced β€” challenge it and we correct the record.
  • 2026-06-12 β€” Initial golden profile, authored from primary sources (human + AI review).

Report Incorrect Data

Found an error in this company's profile? Help us improve our data by submitting a correction.

Required so we can follow up if needed. We won't share your email.

Verified 2026-06-12 Β· Human + AI joint review (sources independently checked) Β· Methodology