Trying to move away from MS365, but struggling to decide on replacement

Mailbox.org just confirmed that they encrypt at rest. Perhaps that’s always the case and I just didn’t know…

In my opinion, the benefits Proton or Mailbox.org offers outweigh the negatives. But if you’re really unsure, it might be worth making a dedicated post on S/MIME signature compatibility vs Proton. I suspect most if not all members of this community would agree with me, but also email security is not my expertise so I can’t say for sure.

I’ve now ruled out Infomaniak. Their support is hopelessly slow (a week or more per response and the same for follow-up responses) though I liked their service and it’s all open source. I asked them whether email was encrypted at rest and they avoided a straight answer to the question, which I assume means that it isn’t. Here’s the exchange with them:

"Hello,

Thank you for your message.

Encryption is not natively integrated at Infomaniak. This function blocks certain essential professional functions such as email indexing (and thus searches). It is nevertheless possible to encrypt your messages via an email client (such as Thunderbird) and the Mail Service using OpenPGP.

You can find information on how we handle customer data on this page: Privacy Policy - Infomaniak

Your e-mail data is secure on our servers at rest. On the other hand, if you don’t use an additional service like HIN (which encrypts e-mails as they are being sent), your messages will circulate unencrypted. Here’s an article about HIN, a service offered to healthcare professionals in Switzerland: https://news.infomaniak.com/en/encrypted-email-address-hin/

Thank you for your trust, we remain at your service."

I replied:

"Thanks for the reply and information. I do understand that you don’t offer encryption for sending email. My question was about whether email is encrypted while on your servers at rest. I found information about kdrive’s encryption at rest, but nothing about email, hence my question.

Many thanks,"

and their final response:

"Hello,

Thank you for your feedback.

Unfortunately, I don’t have any more details on the technologies used for encryption at rest. In any case, if you’re worried about your data, I can assure you that we respect our customers’ privacy and we protect our customers’ data as much as possible.

We have our own data center and manage everything from end to end.

Thank you for your trust, we remain at your service."

These kinds of vague responses are so disappointing, though maybe not unexpected. At least it takes one option off my shortlist.