Security and Privacy Policy

Security and Privacy Policy relating to the use of CloudMailin

Last Altered 2023-09-20


At CloudMailin, safeguarding your security is our utmost priority. While this section outlines several of our key practices, we welcome you to reach out for a more comprehensive understanding or to obtain a copy of our detailed security whitepaper.

We maintain a rigorous approach to securing our applications, employing both automated and manual scans to identify and mitigate potential vulnerabilities and threats swiftly. While we are a small team, we are actively engaged in incorporating best practices inspired by globally recognized standards, such as ISO 27001 or SOC II, to fortify our security infrastructure.

Data Centre Security

  • CloudMailin uses AWS to host our server infrastructure.

  • AWS has a robust and dedicated team constantly monitoring their data centers and security.

  • AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. AWS’s data center operations have been accredited under the following among others:

    • ISO 27001
    • SOC 1 and SOC 2
    • PCI DSS Level 1
    • FISMA Moderate
    • Sarbanes-Oxley (SOX)

    Plus a number of other local standards.

More details of the AWS Compliance Programs can be found here.


At CloudMailin, we prioritize securing communications by implementing encryption throughout our platform.

  • We ensure secure communication with our customer-facing website through the robust HTTPS and TLS protocols.
  • Our email servers support encrypted communication with client servers wherever possible.
  • Sending email is only possible over a TLS encrypted connection.
  • When receiving email we'll let you know what version of TLS was used to encrypt the session. This allows you to make an informed decision about whether to accept the email or not without sacrificing compatibility or security. For further details, please refer to our documentation.
  • All interactions between CloudMailin email servers and associated components are conducted over encrypted channels. This includes transmitting data to S3, or other Cloud Storage providers and updating our front-end website about a delivery.
  • We strive to store all data in an encrypted state at rest, adhering to the highest standards of security.


  • Passwords are securely stored using modern hashing algorithms such as bcrypt, ensuring they are not stored in plain text.
  • We offer two-factor authentication (2FA) to further secure your account.
  • Customers have the option to use Google or Github authentication via OAuth, facilitating a password-less login experience and enabling federated and multi-factor authentication and management.

Data Storage and Retention Policies

Customer Data

  • Customer data is stored in our databases for a period necessary to help prevent fraud and to provide the best service we can for our customers. The exact duration may vary, but we adhere to legal and technical industry-standard practices. However, upon request:
    • We're happy to provide customers with any data we hold about them.
    • We're happy to remove any customer data as requested.

Payment and Billing Information

  • We maintain PCI compliance to securely process your billing data.
  • We do not hold card details ourselves, instead we used a third-party provider dedicated to this purpose to ensure the highest level of security.
  • Our third-party provider is PCI DSS Level 1 compliant, employing to the highest industry standards and with a dedicated security team.
  • Payments are also processed through another reputable and well-known∑ third-party provider, who are also PCI DSS Level 1 compliant.

Email Servers

The following sections relate to CloudMailin's own servers:

Inbound Servers

Inbound data handling policies are as follows:

  • Inbound data is processed within the region it is received; by default, this can be the EU, US, or Asia Pacific.
  • It is possible to force inbound data to be processed in a specific region, the simplest method to achieve this is through DNS records on your domain.
  • Metadata is retained for 60 days to support the customer-facing dashboard and for debugging purposes. This may require transferring the data to a different region.
  • On request, we can accommodate not storing portions of metadata.

We retain the following metadata:

Field Description
Sender IP The IP address of the sending server.
Message ID The message ID taken from the message headers.
Sender The SMTP transaction sender.
Recipient The Recipient passed during the SMTP transaction.
Subject The message subject taken from the message headers.
Date The date the CloudMailin server’s received this message.
Server Response The status code and HTTP body received in response to the message post from the recipient server.
Processing Time The processing time of the server.

Outbound Servers

For outbound emails, the following policies are applied:

  • The content of outbound emails is securely stored in AWS. This is necessary to facilitate debugging, support, and address abuse concerns, helping us maintain a high standard of service integrity and security.
  • Outbound metadata is stored in our database, facilitating additional functionality, such as the customer-facing dashboard, email interaction handling, bounce and complaint processing.
  • Outbound metadata is retained for 60 days by default. This may require transferring the data to a different region to perform these services.
  • Link tracking, open tracking and other forms of analytics are enabled by default and may be disabled on request but may inhibit our ability to provide the highest level of service and reputation handling.

Please contact us for any requests or further clarifications regarding data handling policies.

Upon request some of these fields can be redacted (please contact us to make this request). This data can be deleted upon customer request (please contact us to make this request).

Data Protection and Privacy Regulations (GDPR, CCPA)

CloudMailin is committed to adhering to regulatory standards to ensure the utmost safety of user data. Our operations are guided by the following frameworks:

  • UK Data Protection Laws: Being a UK-based company, we comply with the local data protection regulations to secure the personal data of our users.
  • GDPR: We adhere to the General Data Protection Regulation (GDPR) provisions to protect the data of our customers within the European Economic Area (EEA).
  • California Consumer Privacy Act (CCPA): We abide by the CCPA to safeguard the privacy rights of our customers residing in California, USA.

Our infrastructure predominantly operates within the US and EU, ensuring stringent data protection standards. We may facilitate global operations by transferring and accessing data worldwide, always conforming to the highest legal and technical industry standards.

As mentioned above our Servers are located in the US, EU and Asia Pacific. We also have the ability to provision dedicated servers in other regions. Please contact us to discuss any requirements that you might have.

We remain transparent and cooperative in legal scenarios where personal information is required by law enforcement or other authorities pursuant to a lawful request. By utilizing CloudMailin services, users consent to the transfer and storage of personal and customer information in the specified locations. To date this has not been required, this section will be updated if such a request is received.

For any inquiries or specific requirements about data regions and compliance, feel free to contact us.

Data Protection Amendment

CloudMailin has a standard DPA available for customers that require it. Please contact us for a signed copy of our DPA.

Sub Processors

For the purposes of our Data Protection Amendment, we currently make use of the following sub-processors:

Name Purpose Server Location
Amazon Web Services Various services including servers, databases, and storage USA / EU / AP
Heroku (Salesforce) Management Website USA / EU
Crunchy Data Database USA / EU (data hosted in AWS)

Cookies and Tracking

The customer acknowledges that during the provision of services, CloudMailin employs the use of cookies, unique identifiers, web beacons, and similar tracking technologies (“Tracking Technologies”). The customer will maintain appropriate notice, consent, opt-in, and opt-out mechanisms as are required by Data Protection Laws to enable us to deploy Tracking Technologies lawfully on, and collect data from, the devices of recipients in accordance with and as described in the Privacy Policy found at CloudMailin Privacy Policy.

Google Site Stats

You may have clicked on an ad for this website that was delivered by Google.

Relevant Ads, Quality Advertisers

Google measures the performance of the advertising it delivers. By providing a tool to more accurately measure the performance of the ads we deliver, Google (and advertisers) will be able to improve the quality and relevance of the ads that you see.

Your Privacy

To measure performance, Google uses small strings of text (known as cookies) that are placed on your computer when you click on ads. Cookies typically remain active on your computer for about 30 days. If you visit certain pages of the advertiser's website during that period, Google and the advertiser will be able to tell that you saw the ad delivered by Google.

If you'd like to know more about how Google handles information gathered from the use of cookies, please read our privacy policy. If you want to disable the use of cookies, you can reset your browser to refuse all cookies or to indicate when a cookie is being sent. Be aware, however, that some websites may not function properly if you refuse to accept cookies.

Legal Policies