Security and Privacy Policy

Last Altered 20th May 2018


CloudMailin takes security incredibly seriously. Although this article describes a number of our practices, please feel free to contact us for more details or to request a copy of our security whitepaper.

CloudMailin employs both automated and manual scans of our applications for vulnerabilities and security issues. If an issue should arise, we attempt to deal with it promptly, as appropriate.

Data Centre Security

  • CloudMailin uses AWS to host our server infrastructure.
  • AWS has a robust and dedicated team constantly monitoring their data centers and security.
  • AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
  • AWS’s data center operations have been accredited under:
    • ISO 27001
    • SOC 1/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
    • PCI Level 1
    • FISMA Moderate
    • Sarbanes-Oxley (SOX)


CloudMailin uses encryption throughout our platform for communication.

  • Communication with our customer-facing website takes place over HTTPS and TLS.
  • Communication between email servers will be encrypted where supported by client servers. When receiving email from CloudMailin we'll let you know if we weren't able to encrypt a session (see the documentation for details).
  • All connections between CloudMailin email servers and their associated components, such as sending data to S3 or informing our front-end website of a delivery, take place over encrypted channels.
  • Where possible all data is stored encrypted at rest.


  • Passwords are not stored in plain text.
  • Customers may also use Google or GitHub over OAuth to remove the need for password-based login or to provide federated and multi-factor authentication and management.

Data and Privacy

Data Storage and Retention Policies

Customer Data

  • Customer data is stored in our databases and is retained for up to 2 years to help prevent fraud and help provide the best service we can for our customers. However, upon request:
    • We're happy to provide customers with any data we hold about them.
    • We're happy to remove any customer data as requested.

Payment and billing information

  • We are PCI compliant to enable us to process billing data.
  • We use a third party provider to hold all billing data and do not store any credit card details ourselves.
  • Our third party provider is PCI DSS Level 1 compliant.

Inbound Servers

Our inbound servers store the following data within our database:

Field | Description
Sender IP | The IP address of the sending server.
Message ID | The message ID taken from the message headers.
Sender | The SMTP transaction sender.
Recipient | The recipient passed during the SMTP transaction.
Subject | The message subject taken from the message headers.
Date | The date the CloudMailin servers received this message.
Server Response | The status code and HTTP body received in response to the message post from the recipient server.
Processing Time | The processing time of the server.

The following also applies to this data:

  • Inbound data is stored for 60 days.
  • Upon address deletion all status information will be deleted after 60 days.
  • Upon request some of these fields can be redacted (please contact us to make this request).
  • This data can be deleted upon customer request (please contact us to make this request).

GDPR & Privacy Shield

CloudMailin stores information predominantly within the United States and EU.

In order to facilitate global operation we may need to transfer and access information from around the world.

If legally required Personal Information may be accessible to law enforcement or other authorities pursuant to a lawful request. By providing information to CloudMailin, you consent to the transfer and storage of Personal and customer Information in these locations.

  • Dynamic Edge Software is a UK based limited company. As such we will be GDPR compliant from 25th May 2018 onwards.
  • Being based in the UK, we're also subject to EU data privacy laws. Privacy Shield is therefore not required. We are compliant by law.
  • Our servers operate in both the EU and US by default. However, we can provision servers in any region. Please contact us to discuss any requirements that you might have.

Data Protection Amendment

CloudMailin has a standard DPA available for customers that require it. Please contact us for a signed copy of our DPA.

Sub Processors

For the purposes of our Data Protection Amendment we currently make use of the following sub-processors:

Name | Server Location
Amazon Web Services | USA / EU / AP
Heroku (Salesforce) | USA / EU

Cookies and Tracking

The customer acknowledges that during the provision of services, CloudMailin employs the use of cookies, unique identifiers, web beacons and similar tracking technologies (“Tracking Technologies”). The customer will maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable the processor to deploy Tracking Technologies lawfully on, and collect data from, the devices of Recipients in accordance with and as described in the Privacy Policy found at

Google Site Stats

You may have clicked on an ad for this website that was delivered by Google.

Relevant Ads, Quality Advertisers

Google measures the performance of the advertising it delivers. By providing a tool to more accurately measure the performance of the ads we deliver, Google (and advertisers) will be able to improve the quality and relevance of the ads that you see.

Your Privacy

To measure performance, Google uses small strings of text (known as cookies) that are placed on your computer when you click on ads. Cookies typically remain active on your computer for about 30 days. If you visit certain pages of the advertiser's website during that period, Google and the advertiser will be able to tell that you saw the ad delivered by Google.

If you'd like to know more about how Google handles information gathered from the use of cookies, please read our privacy policy. If you want to disable the use of cookies, you can reset your browser to refuse all cookies or to indicate when a cookie is being sent. Be aware, however, that some websites may not function properly if you refuse to accept cookies.
