Security you can check. Not just trust.
Our clients are open source, our cryptography is published, and our independent audit reports go up in full - the awkward findings included. Your mailbox is encrypted with keys we never hold, so "trust us" isn't part of the deal. Check us instead.
What zero-access actually means
We do not have the technical means to read your email. That's not a promise written in a policy document - it's a property of the system. When you create your account, your encryption keys are derived from your password using Argon2id, in your browser. Your password never reaches us, so the keys never exist on our side. What sits on our servers is ciphertext: locked boxes we store and back up without ever holding a key.
Plenty of providers say "encrypted" and mean encrypted with keys they keep - which protects you from a stolen hard drive, but not from the provider, its staff, or anyone who can compel it. Zero-access means the lock is yours. If a Scroogle Mail engineer went rogue tomorrow, the worst they could exfiltrate is a pile of encrypted blobs and the routing metadata described below.
However - and here's the honest bit - email is a federated system, and running one leaves traces. We can't route a message without knowing where it's going, and we can't fight abuse with our eyes completely shut. So rather than pretend we see nothing, we've written down exactly what we can see, kept it as small as we can, and put it in the lists below. Judge us on that list.
What we CANNOT see
Encrypted with your keys. Unreadable to us, permanently.
- Message bodies
- Attachments
- Contacts
- Calendar entries
- Drafts
What we CAN see
The minimum needed to bill you, route mail and fight abuse.
- Your account email address and billing state
- The sizes of your encrypted blobs
- Delivery metadata needed to route mail
- Short-lived access logs - kept 3 days by default
The encryption, layer by layer
No single lock protects everything, so we don't use a single lock. Here's every layer between your email and anyone who'd like a look.
In your browser
Your keys are generated client-side, on your own device, the moment you sign up. They're locked with a key derived from your password via Argon2id - a memory-hard function built to make brute-force attacks slow and expensive. Your password, and the keys it unlocks, never travel to our servers.
Between users
Mail between Scroogle Mail addresses is end-to-end encrypted automatically, using OpenPGP - the most scrutinised message encryption standard there is. Encrypted on your device, decrypted on theirs, and never readable in between. No toggle to remember, no setup, no exceptions.
To the outside world
Writing to a Gmail or Outlook address? Send it password-protected with an expiry date, and the recipient opens it in a secure viewer - their provider never sees the content. Ordinary external mail travels over TLS 1.3, with MTA-STS and DANE stopping downgrade tricks along the way.
At rest
Your whole mailbox sits under zero-access encryption in two Swiss datacentres - Zurich and Lausanne - that we operate on hardware we own, with no third-party cloud involved. Your mail never leaves Switzerland. Beneath that, full-disk encryption protects the hardware itself, so even a stolen drive tells its thief nothing.
Your account's armour
The strongest encryption in the world is pointless if someone can simply sign in as you. So we've made that the hard part.
Two-factor authentication
Add a second lock with any authenticator app, or go further with a hardware security key over WebAuthn - the strongest consumer 2FA there is, and immune to phishing pages that fool one-time codes. We'll nudge you to turn it on; we'd rather nag than mop up.
Session management
See every device and browser signed in to your account, when it last connected and roughly where from. Left yourself logged in on a hotel computer? One click signs it out remotely - no need to change your password unless you want to.
Login alerting
A sign-in from a new device or an unfamiliar location triggers an alert straight away, so you find out about anything odd within minutes rather than months. If it wasn't you, one tap locks the session out and walks you through securing the account.
Rate-limited sign-in
Failed attempts slow down sharply and then stop, which turns password-guessing from an automated flood into a geological process. Combined with Argon2id password hashing, brute force against a Scroogle Mail account is a very boring way to waste electricity.
Your recovery phrase - the honest small print
At signup we issue you a one-time recovery phrase. Write it down and keep it somewhere safe, because here's the deal with real encryption: if you lose your password and your recovery phrase, your mail is gone. Not "gone until support resets it" - gone. We can't read your mailbox, which also means we can't rescue it. Any provider that can always recover your mail can always read it too. We think the trade is worth it; we'd rather you made that choice knowingly.
Honesty about Swiss law
Swiss privacy law is a genuine advantage, and we'll happily say so: Scroogle Mail AG is a Swiss company governed by the revised Swiss Federal Act on Data Protection (FADP), and because Switzerland holds adequacy decisions from both the UK and the EU, your mail can lawfully stay in Switzerland. But we won't wave the words "beyond government reach" around, because they aren't true - of us or of anyone. Swiss authorities can compel disclosure through Swiss legal process, and we comply with valid Swiss legal orders. What we did instead was design the service so that compliance hands over almost nothing.
If we're legally required to produce your mailbox, what we can produce is encrypted blobs and minimal metadata. We can't be compelled to hand over keys we don't have.
Encrypted by design
Message content, attachments, contacts and calendars are encrypted with keys derived from your password. A legal order can't change mathematics: we cannot decrypt what we cannot decrypt.
3-day access logs
Access logs exist to fight abuse - password-guessing, spam runs, account takeovers - and are kept for 3 days by default, then deleted. Data we no longer hold is data nobody can demand.
Counted in public
Every request we receive is counted and published in our annual transparency report, alongside what - if anything - was produced. If that number ever moves in a way that worries you, you'll see it.
One more honest note: if your threat model includes a determined state adversary, no email provider should be your whole plan - including us. Layer Tor over your connection, manage your own PGP keys, and treat Scroogle Mail as one part of your setup rather than all of it. We'd rather tell you that plainly than sell you a false sense of security.
Verified, not trusted
Every claim on this page is checkable. That's deliberate: security you can't verify is just marketing with a padlock icon.
Open-source clients
Our web, iOS and Android apps are open source on GitHub. The code that generates your keys and encrypts your mail is public, so any cryptographer - or any sufficiently suspicious teenager - can confirm it does exactly what we say and nothing else.
Audited every year
An independent security firm audits our infrastructure and cryptography annually, and we publish the report in full - findings, severities and our fixes included. No executive summaries with the embarrassing bits sanded off.
Bug bounty
Found a hole? We pay for responsibly disclosed vulnerabilities and we credit researchers who want it. Report to security@scrooglemail.com - encrypted reports welcome, details and rewards on our security contact page.
OpenPGP fingerprint for security@scrooglemail.com:
4F2A 9C81 D7E3 55B0 6A1D 8F42 C3B9 07E6 2D14 AA58
Asked a lot, answered honestly
Can you read my email?
What if I lose my password?
Why should I trust your encryption claims?
What do you log?
Is Swiss jurisdiction actually an advantage?
Encryption this good shouldn't need a manual.
Every plan gets the full security model - zero-access storage, end-to-end encryption and tracker blocking - from £2.99 a month, VAT included. Setup takes about three minutes.