Runbox

Runbox is operated by Runbox Solutions AS, a Norwegian company that has been in continuous operation as a privacy-focused email service since 1999 — making it one of the longest-running independent vendors in this category, alongside Posteo (Berlin, 2009) and Mailbox.org (Berlin, 2014 in current form). The product is straightforward: secure IMAP/POP/SMTP email under Norwegian and EEA privacy law, with PGP encryption, two-factor authentication, Perfect Forward Secrecy on SSL, and standard mail-client compatibility — no proprietary lock-in, no advertising, no tracking. The infrastructure story is genuinely strong. Runbox runs its own infrastructure inside a Norwegian high-security data centre, powered by **100% certified renewable energy from clean Norwegian hydropower**, with multiple redundancy layers for high availability. The company is recognised by the **Ethical Consumer "Best Buy"** designation and carries a **Carbon Balanced Certificate (double carbon-negative via World Land Trust)** — sustainability credentials that match Infomaniak's posture in the same Swiss-Norwegian-Nordic privacy band. As a Norwegian operator, Runbox is explicitly outside the reach of the US CLOUD Act. For an EU-sovereignty audit the only gaps are formal compliance documentation: no ISO/IEC 27001 attestation, no SOC 2, and no publicly linked DPA or sub-processors list were surfaced at audit. None of those gaps suggest poor practice — they just mean that procurement-grade buyers needing those documents will need to request them. The compliance score is held at 4/5 reflecting (a) Norway as EEA rather than EU under the directory's strict-wording rubric, and (b) the missing formal-cert documentation. Pricing is paid-only (no free tier), competitive and storage-tiered: Micro €19.95/year (€1.66/month, 2 GB); Mini €34.95/year (€2.91/month, 10 GB); Medium €49.95/year (€4.16/month, 25 GB); Max €79.95/year (€6.66/month, 50 GB). 20% discount on 3-year subscriptions. Best fit: privacy-conscious EU/EEA users who want a long-established Norwegian privacy-email service with first-class PGP support, ethical / sustainability credentials, and explicit CLOUD-Act-non-applicability — and who do not require a free tier or formal ISO 27001 attestation.