security
Trust is a list of specifics.
No marketing language. Just what we do, how we do it, and where to report issues.
Compliance posture
Compliance
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In audit | Expected Q3 2026 |
| GDPR | Compliant | DPA available for all operators |
| Data Processing Agreement | Included | See /legal/dpa |
| EU Data Residency | Available | eu-west-1, eu-central-1 |
Architecture
Infrastructure & Data
| Control | Implementation |
|---|---|
| Transit encryption | TLS 1.3 minimum on all connections |
| Data at rest | AES-256 encryption on all volumes |
| Tenant isolation | Infrastructure-level, not application-level |
| Network segmentation | VPC per region, private subnets for relay nodes |
| Secrets management | AWS Secrets Manager, no secrets in environment variables |
| Dependency scanning | Automated on every commit |
Operational security
Operations
| Area | Policy |
|---|---|
| Backups | Daily snapshots, 30-day retention, cross-region copy |
| Recovery | RTO < 4h, RPO < 1h for relay tier |
| Incident response | Written IR plan, tested annually |
| Status page | https://status.mailmatehq.com |
| Penetration testing | Annual third-party pentest |
| Access reviews | Quarterly review of all privileged access |
Application security
Access Controls
| Feature | Details |
|---|---|
| SSO | SAML 2.0 on enterprise plans |
| MFA | Required for all operator accounts |
| RBAC | Owner / Admin / Viewer roles per tenant |
| Audit log | 90-day retention, immutable, exportable |
| API authentication | API keys with per-tenant scope |
| Session management | Idle timeout 1h, absolute timeout 24h |
Vulnerability reporting
Report a Vulnerability
If you believe you have found a security vulnerability in mailmate, please report it to us privately before public disclosure.
- Email: security@mailmatehq.com
- PGP key available on request
- We target acknowledgement within 1 business day
- We ask for 90 days to remediate before public disclosure
- We do not pursue legal action against good-faith reporters
Out of scope: social engineering, physical attacks, denial of service, and issues in third-party services we don't control.