Weighted Score:
81
High sovereignty because German provider under EU law; encrypted email; EU strategic and operational control.
Company name: Tutao GmbH
URL: https://tuta.com
eurotechguide review(s): Not reviewed
Digital services offered: e-mail
| Criterion | Score | Short Assessment | Long Rationale |
|---|---|---|---|
| SOV-1 (strategic) | 4 | German-owned; EU strategic control. | Tutao GmbH operates Tuta from Germany, with EU-based strategic control. → SEAL-4. |
| SOV-2 (legal) | 4 | EU jurisdiction only. | German/EU law governs the company → SEAL-3. |
| SOV-3 (data & AI) | 4 | End-to-end encrypted, EU-hosted mailbox; no provider access to decrypted data. | Tuta operates EU-based infrastructure and enforces end-to-end encryption with zero-access design, meaning decrypted mailbox content is not accessible to the provider. Storage and processing of user data are confined to EU jurisdictions without fallback to third countries. Customer cryptographic control and absence of non-EU AI stack dependencies align with strict SOV-3 confinement requirements. → SEAL-4 |
| SOV-4 (operational) | 4 | Operations in Europe. | Operations and support are run from Europe, enabling EU-aligned operational control. → SEAL-3. |
| SOV-5 (supply chain) | 2 | Some global infrastructure reliance. | Like most SaaS, it relies on global internet and software supply chains. → SEAL-2. |
| SOV-6 (technological) | 3 | EU-developed stack; partial openness, ecosystem dependencies remain. | Tuta’s cryptographic architecture is EU-developed and largely open, reducing lock-in. However, backend components are not fully open-source and the service depends on global mobile and browser ecosystems. Strong technology sovereignty, but not fully sovereign under SOV-6. → SEAL-3 |
| SOV-7 (security) | 3 | EU-hosted encrypted service; strong controls, not fully certified. | Tuta operates under German jurisdiction with strong encryption architecture and EU-hosted infrastructure. While security posture is robust and EU-governed, public evidence of enterprise-grade certifications and full-stack sovereign control is limited, preventing SEAL-4 under SOV-7.–> SEAL-3 |
| SOV-8 (environmental) | 2 | Limited public footprint data. | Sustainability claims exist, but detailed footprint transparency is limited vs hyperscalers. → SEAL-2. |