CloudMailin takes security incredibly seriously. Although this article describes a number of our practices, please feel free to contact us for more details or to request a copy of our security whitepaper.
CloudMailin employs both automated and manual scans of our applications for vulnerabilities and security issues. If an issue should arise, we attempt to deal with it promptly and as appropriate.
Data Centre Security
- CloudMailin uses AWS to host our server infrastructure.
- AWS has a robust and dedicated team constantly monitoring their data centers and security.
- AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. AWS’s data center operations have been accredited under:
  - ISO 27001
  - SOC 1/SSAE 16/ISAE 3402 (previously SAS 70 Type II)
  - PCI Level 1
  - FISMA Moderate
  - Sarbanes-Oxley (SOX)
CloudMailin uses encryption throughout our platform for communication.
- Communication with our customer-facing website takes place over HTTPS and TLS.
- Communication between email servers will be encrypted where supported by client servers. When receiving email from CloudMailin we'll let you know if we weren't able to encrypt a session (see the documentation for details).
- All connections between CloudMailin email servers and their associated components, such as sending data to S3 or informing our front-end website of a delivery, take place over encrypted channels.
- Where possible all data is stored encrypted at rest.
- Passwords are not stored in plain text.
- Customers may also use Google or GitHub over OAuth to remove the need for password-based login, or to provide federated and multi-factor authentication and management.
Data and Privacy
Data Storage and Retention Policies
Customer data is stored in our databases and is retained for up to 2 years to help prevent fraud and help provide the best service we can for our customers. However, upon request:
- We're happy to provide customers with any data we hold about them.
- We're happy to remove any customer data as requested.
Payment and billing information
- We are PCI compliant to enable us to process billing data.
- We use a third party provider to hold all billing data and do not store any credit card details ourselves.
- Our third party provider is PCI DSS Level 1 compliant.
Our inbound servers store the following data within our database:
|Sender IP|The IP address of the sending server.|
|Message ID|The message ID taken from the message headers.|
|Sender|The SMTP transaction sender.|
|Recipient|The recipient passed during the SMTP transaction.|
|Subject|The message subject taken from the message headers.|
|Date|The date the CloudMailin servers received this message.|
|Server Response|The status code and HTTP body received in response to the message post from the recipient server.|
|Processing Time|The processing time of the server.|
The following also applies to this data:
- Inbound data is stored for 60 days.
- Upon address deletion all status information will be deleted after 60 days.
- Upon request some of these fields can be redacted (please contact us to make this request).
- This data can be deleted upon customer request (please contact us to make this request).
GDPR & Privacy Shield
CloudMailin stores information predominantly within the United States and EU.
In order to facilitate global operation we may need to transfer and access information from around the world.
If legally required, Personal Information may be accessible to law enforcement or other authorities pursuant to a lawful request. By providing information to CloudMailin, you consent to the transfer and storage of Personal and customer Information in these locations.
- Dynamic Edge Software is a UK-based limited company. As such we will be GDPR compliant from 25th May 2018 onwards.
- Being based in the UK, we're also subject to EU data privacy laws. Privacy Shield is therefore not required. We are compliant by law.
- Our servers operate in both the EU and US by default. However, we can provision servers in any region. Please contact us to discuss any requirements that you might have.
Data Protection Amendment
CloudMailin has a standard DPA available for customers that require it. Please contact us for a signed copy of our DPA.
For the purposes of our Data Protection Amendment we currently make use of the following sub-processors:
|Name|Corporate Location|Privacy Shield|
|---|---|---|
|Amazon Web Services|United States|Yes|
|Heroku (Salesforce)|United States|Yes|
Cookies and Tracking
Google Site Stats
You may have clicked on an ad for this website that was delivered by Google.
Relevant Ads, Quality Advertisers
Google measures the performance of the advertising it delivers. By providing a tool to more accurately measure the performance of the ads we deliver, Google (and advertisers) will be able to improve the quality and relevance of the ads that you see.
To measure performance, Google uses small strings of text (known as cookies) that are placed on your computer when you click on ads. Cookies typically remain active on your computer for about 30 days. If you visit certain pages of the advertiser's website during that period, Google and the advertiser will be able to tell that you saw the ad delivered by Google.