Security
Last updated: 2026-05-06
Encryption
- In transit: all customer-facing endpoints (API, dashboard, inbox UI, Mercure SSE) are served over HTTPS with TLS provisioned automatically by Caddy.
- At rest: the database stores message bodies and credentials on disk-encrypted volumes provided by the underlying cloud provider.
- Passwords are stored hashed with Argon2id. We never log or store plaintext passwords.
Authentication
- Email + password (Argon2id), or OAuth via Google or GitHub.
- Per-IP rate limiting on every authentication and registration endpoint.
- Email verification gates resource creation (domains, accounts, webhooks).
- JWT tokens are scoped by audience: SaaS users, mailbox accounts, and admins are isolated.
Webhook security
- Outgoing webhooks include an HMAC-SHA256 signature signed with a per-webhook secret.
- Headers include a unique event ID for receiver-side idempotency and a Unix timestamp for replay protection.
- Webhook URLs are checked against private IP ranges (RFC 1918 + IPv6 link-local + loopback) at save and delivery time to prevent SSRF.
Data retention
- Email messages auto-delete based on the retention window of your plan (7d / 30d / 90d).
- Account metadata is deleted within 30 days of account deletion.
- Webhook delivery logs are kept for 30 days and then auto-purged.
Incident handling
If you discover a security issue, please email [email protected] with steps to reproduce. We will acknowledge within two business days and keep you informed of remediation. Please do not publicly disclose the issue until we have had a reasonable opportunity to fix it.
Operational practices
- Backups of the primary datastore are taken on a regular schedule by the operator.
- Software updates are applied promptly when security patches are released for the underlying components (Node.js, MongoDB, Redis, Caddy, Haraka).
- Audit logs of administrative actions are retained for review.