Skip to content
EmailMate
Log inGet Started

Security

Last updated: 2026-04-14

Encryption

  • In transit — TLS 1.3 everywhere. HSTS enforced on emailmate.dev.
  • At rest — AES-256 for all stored data. AWS SES encrypts queued messages, Convex encrypts application data, Vercel encrypts build artifacts.
  • Secrets — API keys, OAuth tokens, and webhook signing secrets are stored hashed or encrypted with per-tenant keys.

Tenant isolation

Every customer gets a dedicated AWS SES configuration set. Sending reputation is isolated — one tenant’s bounces don’t affect another’s delivery. Application-layer row-level scoping ensures a compromised request can only see its own tenant’s data.

API key handling

  • Keys are generated with cryptographically secure randomness (256 bits of entropy).
  • Only a SHA-256 hash is stored at rest. We cannot recover a lost key.
  • The last 4 characters are shown in the dashboard for identification.
  • Keys can be scoped per-agent and revoked instantly.

Audit logging

Every administrative action (member invites, key creation/revocation, domain changes, billing updates, data exports) is logged with actor, timestamp, IP, and user-agent. Logs are retained for 1 year and exportable for customers on paid plans.

Incident response

We follow a documented incident response process: detect → contain → eradicate → recover → notify → post-mortem. Customers affected by a security incident are notified within 72 hours per GDPR Article 33.

Vendors

  • AWS (SES, KMS, CloudWatch)
  • Vercel (hosting, edge, WAF)
  • Convex (database, realtime)
  • Stripe (payments)
  • PostHog (analytics)
  • Sentry (errors)

Compliance roadmap

  • GDPR — current. DPA on request. Subprocessor list published above.
  • CCPA — current. California residents have access/delete rights.
  • SOC 2 Type I — target Q3 2026.
  • SOC 2 Type II — target Q1 2027.
  • HIPAA — not supported. Do not send PHI through EmailMate.
  • ISO 27001 — evaluating based on demand.

Report a vulnerability

Found a security issue? Email security@emailmate.dev. PGP key available on request. We acknowledge within 24 hours and aim to triage within 72. We don’t run a paid bug bounty yet but we publicly credit responsible disclosures and send swag.

Please do

  • Give us reasonable time to fix before public disclosure.
  • Avoid privacy violations and service disruption.
  • Test against your own account.