Hi @ph00lt0, I think that this should not be a requirement (at least for now), and here is why:
- Having an audit is not listed as required in the email provider criteria at https://www.privacyguides.org/en/email/#criteria.
- Tuta is not listed with an audit on the PG email provider page. They make a statement at https://www.reddit.com/r/tutanota/comments/101lf4a/independent_security_audit/; however, the link they give, https://tuta.com/support/#certification, doesn't even provide a PDF or a write-up.
- None of the existing audits shared transparency or insight into what is actually running on the servers. There are no claims such as "we checked the code and we didn't see any bad behavior".
- We are the only 100% open source provider. Literally the only one. We are the only service that lets you independently audit the source code of what’s actually happening with your email, where it is stored, etc. Others claim to be open source, but in reality the most sensitive part (the backend) is closed source. Many of them have said they would open source, but they still haven’t. We’ve been completely transparent since 2017 and everything has been published on GitHub.