🆕 Software Suggestion | Runbox.com Email Provider #2210

Closed
opened 2021-02-13 23:48:06 +00:00 by merlinscholz · 2 comments
merlinscholz commented 2021-02-13 23:48:06 +00:00 (Migrated from github.com)

Basic Information

Name: Runbox
Category: Email Providers
URL: https://runbox.com/

Description

Runbox is a privacy-focused email provider based in Norway.

Why I am making the suggestion

Runbox has been suggested for addition to privacytools.io some time back, but failed due to imperfect technical email configuration like TLS RPT or MTA STS. This seems to have been fixed since then: https://www.hardenize.com/report/runbox.com/1613259453

They also publish a transparency report: https://runbox.com/why-runbox/privacy-protection/transparency-report/

Since less privacy-oriented email providers have been included in privacytools.io, I do not see a reason to look into runbox.com once more.

My connection with the software

I have no connection yet to this provider; I stumbled upon them while researching email providers and was wondering why it hasn’t been added to privacytools.io.

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
TrashPandaCodingGarbage commented 2021-03-01 22:25:13 +00:00 (Migrated from github.com)

Going through their privacy policy:

> Your Account Information is stored on servers located in Norway for as long as your account is active and:
> up to 1 month after closure of trial accounts; or
> up to 5 years after closure of subscribed accounts, as financial records must be kept for 5 years according to the Norwegian Bookkeeping

So, you delete your account, and your data is not deleted for another 5 years. Not good, compared to, for example, Posteo.

> Backup of Account Content is stored on secure servers separate from the Runbox system for up to 6 months, even after the content has been deleted from the main storage, except for accounts that have activated the “No backup” feature more than 6 months prior to this. Backup of email metadata (sender, recipient, subject, date/time) is stored on secure servers separate from the Runbox system for up to 6 months, even after the information has been deleted from the main database.

Another no-go. When you click "delete", your email is still there (with all the data tied to it) for another six months.

Nothing is said about IP logging.

I vote no, as we have more private alternatives already listed.

lazyoldbear commented 2021-03-18 23:35:38 +00:00 (Migrated from github.com)

Almost decided to go with them and contacted support for clarifications.
Their response was unspecific and not very professional, and the following things are worth mentioning for those who might revive this case:

  • Backups are kept "in a separate location". No response where yet. This is strange, since their "Resilience" page basically reproduces Digiplex marketing materials for Ulven datacentre. Important to note that having multiple datacentres does not guarantee true resilience.
  • I will just quote it: "we have full disk encryption, but not encryption at rest, but this is in our future plans".
  • They said that they had no security incidents in history. I guess this is either worrying miscommunication, or they are truly unique.

But one remark about the six-month retention. They have an option to opt out of backups completely, so that you can have supposedly a single copy of data in Ulven, Oslo.
Besides, personal data regulations demand that you can require deleting data without any retention, so I presume this is just "default routine" that allows special cases.

Reference: privacyguides/privacytools.io#2210