## Security

At CloudMailin, safeguarding your security is our utmost priority. While this
section outlines several of our key practices, we welcome you to reach out for a
more comprehensive understanding or to obtain a copy of our detailed security
whitepaper.

We maintain a rigorous approach to securing our applications, employing both
automated and manual scans to identify and mitigate potential vulnerabilities
and threats swiftly. While we are a small team, we are actively engaged in
incorporating best practices inspired by globally recognized standards,
such as ISO 27001 or SOC 2, to fortify our security infrastructure.

### Data Centre Security

* CloudMailin uses AWS to host our server infrastructure.
* AWS has a robust and dedicated team constantly monitoring their data centers
  and security.
* AWS continually manages risk and undergoes recurring assessments to ensure
  compliance with industry standards. AWS’s data center operations have been
  accredited under the following, among others:
  * ISO 27001
  * SOC 1 and SOC 2
  * PCI DSS Level 1
  * FISMA Moderate
  * Sarbanes-Oxley (SOX)

  Plus a number of other local standards.

More details of the AWS Compliance Programs can be found
[here](https://aws.amazon.com/compliance/programs/).

### Encryption

At CloudMailin, we prioritize securing communications by implementing encryption throughout our platform.

* We ensure secure communication with our customer-facing website through the
  robust HTTPS and TLS protocols.
* Our email servers support encrypted communication with client servers wherever
  possible.
* Sending email is only possible over a TLS encrypted connection.
* When receiving email we'll let you know what version of TLS was used to
  encrypt the session. This allows you to make an informed decision about
  whether to accept the email or not without sacrificing compatibility or
  security. For further details, please refer to our
  [documentation](https://docs.cloudmailin.com/http_post_formats/).
* All interactions between CloudMailin email servers and associated components
  are conducted over encrypted channels. This includes transmitting data to S3
  or other cloud storage providers, and updating our front-end website about a
  delivery.
* We strive to store all data in an encrypted state at rest, adhering to the
  highest standards of security.

### Passwords

* Passwords are securely stored using modern hashing algorithms such as bcrypt,
  ensuring they are not stored in plain text.
* We offer two-factor authentication (2FA) to further secure your account.
* Customers have the option to use Google or GitHub authentication via OAuth,
  facilitating a password-less login experience and enabling federated and
  multi-factor authentication and management.

## Data Storage and Retention Policies

### Customer Data

* Customer data is stored in our databases for a period necessary to help
  prevent fraud and to provide the best service we can for our customers. The
  exact duration may vary, but we adhere to legal and technical
  industry-standard practices. However, upon request:
  * We're happy to provide customers with any data we hold about them.
  * We're happy to remove any customer data as requested.

### Payment and Billing Information

* We maintain PCI compliance to securely process your billing data.
* We do not hold card details ourselves; instead, we use a third-party provider
  dedicated to this purpose to ensure the highest level of security.
* Our third-party provider is PCI DSS Level 1 compliant, adheres to the
  highest industry standards and has a dedicated security team.
* Payments are also processed through another reputable and well-known
  third-party provider, who are also PCI DSS Level 1 compliant.

### Email Servers

The following sections relate to CloudMailin's own servers:

#### Inbound Servers

Inbound data handling policies are as follows:

* Inbound data is processed within the region it is received; by default, this
  can be the EU, US, or Asia Pacific.
* It is possible to force inbound data to be processed in a specific region; the
  simplest method to achieve this is through DNS records on your domain.
* Metadata is retained for 60 days to support the customer-facing dashboard and
  for debugging purposes. This may require transferring the data to a different
  region.
* On request, we can accommodate not storing portions of metadata.

We retain the following metadata:

| Field           | Description                                               |
|-----------------|-----------------------------------------------------------|
| Sender IP       | The IP address of the sending server.                     |
| Message ID      | The message ID taken from the message headers.            |
| Sender          | The SMTP transaction sender.                              |
| Recipient       | The Recipient passed during the SMTP transaction.         |
| Subject         | The message subject taken from the message headers.       |
| Date            | The date the CloudMailin server received this message.    |
| Server Response | The status code and HTTP body received in response to the message post from the recipient server. |
| Processing Time | The processing time of the server.                        |

#### Outbound Servers

For outbound emails, the following policies are applied:

* The content of outbound emails is securely stored in AWS. This is necessary to
  facilitate debugging, support, and address abuse concerns, helping us maintain
  a high standard of service integrity and security.
* Outbound metadata is stored in our database, facilitating additional
  functionality, such as the customer-facing dashboard, email interaction
  handling, bounce and complaint processing.
* Outbound metadata is retained for 60 days by default. This may require
  transferring the data to a different region to perform these services.
* Link tracking, open tracking and other forms of analytics are enabled by
  default. They may be disabled on request, but doing so may inhibit our
  ability to provide the highest level of service and reputation handling.

Please [contact us] for any requests or further clarifications regarding data handling policies.

> Upon request some of these fields can be redacted (please contact us to make
> this request). This data can be deleted upon customer request (please contact
> us to make this request).

### Data Protection and Privacy Regulations (GDPR, CCPA)

CloudMailin is committed to adhering to regulatory standards to ensure the
utmost safety of user data. Our operations are guided by the following
frameworks:

* **UK Data Protection Laws**: Being a UK-based company, we comply with the
  local data protection regulations to secure the personal data of our users.
* **GDPR**: We adhere to the General Data Protection Regulation (GDPR)
  provisions to protect the data of our customers within the European Economic
  Area (EEA).
* **California Consumer Privacy Act (CCPA)**: We abide by the CCPA to safeguard
  the privacy rights of our customers residing in California, USA.

Our infrastructure predominantly operates within the US and EU, ensuring
stringent data protection standards. We may facilitate global operations by
transferring and accessing data worldwide, always conforming to the highest
legal and technical industry standards.

As mentioned above, our servers are located in the US, EU and Asia Pacific. We
also have the ability to provision dedicated servers in other regions. Please
[contact us] to discuss any requirements that you might have.

> We remain transparent and cooperative in legal scenarios where personal
> information is required by law enforcement or other authorities pursuant to a
> lawful request. By utilizing CloudMailin services, users consent to the
> transfer and storage of personal and customer information in the specified
> locations. To date this has not been required; this section will be updated if
> such a request is received.

For any inquiries or specific requirements about data regions and compliance, feel free to [contact us].

#### Data Protection Amendment

CloudMailin has a standard DPA available for customers that require it. Please [contact us] for a signed copy of our DPA.

### Sub Processors

For the purposes of our Data Protection Amendment, we currently make use of the following sub-processors:

| Name                 | Purpose                                      | Server Location       |
|----------------------|----------------------------------------------|-----------------------|
| Amazon Web Services  | Various services including servers, databases, and storage | USA / EU / AP  |
| Heroku (Salesforce)  | Management Website                           | USA / EU              |
| Crunchy Data         | Database                                     | USA / EU (data hosted in AWS) |
| OpenAI               | Analysis and content detection               | USA |

For more information on our sub-processors, please feel free to [contact us].

### Cookies and Tracking

The customer acknowledges that during the provision of services, CloudMailin employs the use of cookies, unique identifiers, web beacons, and similar tracking technologies (“Tracking Technologies”). The customer will maintain appropriate notice, consent, opt-in, and opt-out mechanisms as are required by Data Protection Laws to enable us to deploy Tracking Technologies lawfully on, and collect data from, the devices of recipients in accordance with and as described in the Privacy Policy found at [CloudMailin Privacy Policy](http://www.cloudmailin.com/privacy).

### Google Site Stats

You may have clicked on an ad for this website that was delivered by Google.

#### Relevant Ads, Quality Advertisers

Google measures the performance of the advertising it delivers. By providing a tool to more accurately measure the performance of the ads we deliver, Google (and advertisers) will be able to improve the quality and relevance of the ads that you see.

#### Your Privacy

To measure performance, Google uses small strings of text (known as cookies) that are placed on your computer when you click on ads. Cookies typically remain active on your computer for about 30 days. If you visit certain pages of the advertiser's website during that period, Google and the advertiser will be able to tell that you saw the ad delivered by Google.

If you'd like to know more about how Google handles information gathered from the use of cookies, please read our privacy policy. If you want to disable the use of cookies, you can reset your browser to refuse all cookies or to indicate when a cookie is being sent. Be aware, however, that some websites may not function properly if you refuse to accept cookies.

[Legal Policies]



[Legal Policies]: /legal
[contact us]: /contact_us