Security and Encryption

Data Security

  • All data in S3 buckets is encrypted at rest with server-side encryption using AWS Key Management Service (SSE-KMS).
  • Separate buckets for mail storage, mail search index, temporary data, SMTP incoming and SMTP outgoing.
  • Temporary data expires after 24 hours.
  • Encryption keys are shared across tenants on the Starter plan, per organisation on the Pro plan and per user on the Ultimate plan.
  • All data coming from external sources is validated against predefined regular expressions.
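The bucket settings behind the first three bullets, as an added example that is not the service's own code: default SSE-KMS with the bucket's own key, a bucket policy that refuses uploads which do not use SSE-KMS with that key (or arrive over plain HTTP), and a lifecycle rule that expires temporary objects after one day. The bucket name, key ARN and prefix layout are placeholders. Note two practical details: S3 evaluates the bucket policy before applying default encryption, so clients must send the `x-amz-server-side-encryption: aws:kms` header themselves rather than rely on the default; and lifecycle rules run once a day and round to midnight UTC, so "24h expiration" is a minimum lifetime, not an exact one.

```python
"""Temporary-data bucket configuration: SSE-KMS enforced, one-day expiry.
Added example; bucket name and KMS key ARN below are placeholders."""
import json


def default_encryption(key_arn: str) -> dict:
    # Default to SSE-KMS with the bucket's own key.  BucketKeyEnabled derives
    # per-object data keys locally, cutting KMS request volume and cost.
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": key_arn},
        "BucketKeyEnabled": True,
    }]}


def encryption_bucket_policy(bucket: str, key_arn: str) -> dict:
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Deny uploads that do not ask for SSE-KMS.  A negated operator
                # (StringNotEquals) also matches when the header is absent, so a
                # plain PutObject is refused instead of silently falling back to
                # the bucket default.
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # Deny uploads that name a different KMS key (e.g. another
                # tenant's key).  IfExists lets a client omit the key id, in
                # which case the bucket default from default_encryption() is used.
                "Sid": "DenyForeignKmsKey",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEqualsIfExists": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
            },
            {   # Deny any access over plain HTTP.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def temp_lifecycle(days: int = 1) -> dict:
    # Lifecycle is evaluated once a day (rounded to midnight UTC), so objects
    # live at least `days` days.  Abandoned multipart uploads are cleaned up on
    # the same schedule so their parts do not linger (and cost) indefinitely.
    return {"Rules": [{
        "ID": "expire-temporary-data", "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "Expiration": {"Days": days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": days},
    }]}


def apply_bucket_config(s3, bucket: str, key_arn: str) -> None:
    """Apply all three settings with a boto3 S3 client (not called offline)."""
    s3.put_bucket_encryption(
        Bucket=bucket, ServerSideEncryptionConfiguration=default_encryption(key_arn))
    s3.put_bucket_policy(
        Bucket=bucket, Policy=json.dumps(encryption_bucket_policy(bucket, key_arn)))
    s3.put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=temp_lifecycle())


if __name__ == "__main__":
    # Placeholder bucket and key; substitute real ones before apply_bucket_config.
    key = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"
    print(json.dumps(encryption_bucket_policy("example-mail-temp", key), indent=2))
```

Per-organisation or per-user keys (the Pro and Ultimate plans) use the same shape with a different `key_arn` per bucket or, on a shared bucket, a per-prefix key chosen by the writer; the `DenyForeignKmsKey` statement is what stops one tenant's data being written under another tenant's key.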

Data transfer encryption

  • Client connections to the outgoing SMTP server are TLS encrypted.
  • Client connections to the POP3 server are TLS encrypted.
  • The incoming (email receiving) SMTP server starts unencrypted for compatibility and upgrades to TLS via STARTTLS for sending servers that support it; senders that do not offer STARTTLS deliver in clear text.
  • Webmail enforces a redirect to HTTPS and uses Let's Encrypt TLS certificates.

Application implementation

  • All platform operations run inside isolated AWS Lambda functions (fully serverless).
  • Different environments run in different AWS accounts (the dev environment is separated from production).
  • No engineering access to production; limited read-only operational access, which does not include the data buckets.
  • Time-limited (1 hour) access sessions to production can be approved for exceptional reasons, and all operations in such sessions are recorded.
  • All Lambda functions run in a VPC with internet access disabled *1.
  • Permissions assigned to each Lambda function follow the least privilege principle.
  • Dynamic access policies (assume role with a session policy) further restrict a user's access to its own data only, even when the bucket is shared *2.
  • Security tokens are stored in Secrets Manager with a resource policy limited to the exact Lambda functions that need them, and key rotation enabled.
  • Lambda functions have write-only permission to CloudWatch Logs, and production logs are streamed to a different AWS account.
  • Log retention is set to 400 days.
  • No credentials are logged.
  • Failing operations have metric filters and alarms enabled.
  • Unit tests and end-to-end tests are part of the CI/CD pipeline.
  • Code quality and security scan reports are generated as part of the pipeline.
  • Minimal dependence on external libraries (e.g. Stripe).
*1. A few exceptions apply, e.g. loading remote email resources such as images.
*2. Except for background tasks, as these operations are not linked to a user session.
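The "dynamic access policy" bullet above, and the "validated against predefined regexes" bullet in the Data Security section, as one added example that is not the service's own code. A Lambda function that already holds a user's session calls STS AssumeRole with a session policy narrowing the role's S3 permissions to that user's own prefix; the effective permissions are the intersection of the role's policy and the session policy, so a session can never gain more than the role itself has. Because the user id is interpolated into an IAM policy, it is checked against a strict regex first: a value such as `*` or `alice/../bob` would otherwise widen the generated policy. The bucket layout (`users/<id>/`), the user-id format and the role ARN are assumptions of this example.

```python
"""Per-user, session-scoped S3 access on a shared bucket via STS AssumeRole.
Added example; bucket layout, user-id format and role ARN are assumptions."""
import fnmatch
import json
import re

# Assumed user-id format: 8-32 lowercase alphanumerics.  Anything else (path
# separators, wildcards, upper case) is rejected before it reaches a policy.
USER_ID_RE = re.compile(r"[a-z0-9]{8,32}")


def user_session_policy(bucket: str, user_id: str) -> dict:
    """Build the session policy that confines one user to users/<id>/."""
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError(f"invalid user id: {user_id!r}")
    prefix = f"users/{user_id}/"   # trailing slash: "alice" must not cover "alice2"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing is allowed only below the user's own prefix.
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
            {   # Object access is allowed only on keys below that prefix.
                "Sid": "ObjectsInOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def object_in_scope(policy: dict, bucket: str, key: str) -> bool:
    """Local check: does the object statement's resource pattern cover `key`?
    fnmatch stands in for IAM's '*' wildcard here; it is not the IAM evaluator."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    stmt = next(s for s in policy["Statement"] if s["Sid"] == "ObjectsInOwnPrefix")
    return fnmatch.fnmatchcase(arn, stmt["Resource"])


def assume_user_session(sts, role_arn: str, bucket: str, user_id: str,
                        duration: int = 3600) -> dict:
    """Return temporary credentials limited to one user's prefix.

    `sts` is a boto3 STS client (not called offline).  The role's own policy
    grants access to the whole bucket; the session policy cuts it down to the
    user.  Session policies are capped at 2048 packed characters, so keep them
    small, and the session name may only contain [\\w+=,.@-], which the
    validated user id guarantees.
    """
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"webmail-{user_id}",
        Policy=json.dumps(user_session_policy(bucket, user_id)),
        DurationSeconds=duration,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    print(json.dumps(user_session_policy("example-mail-store", "a1b2c3d4e5"), indent=2))
```

Background tasks (footnote *2) run without a user session and therefore without this narrowing; they rely on the Lambda function's own least-privilege role instead, which is why the page calls them out as the exception.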

Webmail Security

  • TLS certificate for your own domain via Let's Encrypt.
  • Each mail domain's webmail has its own CloudFront distribution.
  • Web Application Firewall (AWS WAF) is enabled for the Ultimate plan.
  • All remote email content is proxied via our servers and does not expose the client's IP address.
  • Common browser security headers are used (CSP, HSTS (Strict-Transport-Security), etc.).
  • Multi-factor authentication is available for the Pro plan and can be enforced for the Ultimate plan.
  • Connection review and session length control (Pro and Ultimate plans).
  • Geolocation access restriction (requires WAF, i.e. the Ultimate plan).
  • No third-party tracking.
  • No third-party vendor access to data.
  • No sensitive data stored in localStorage.
  • No sensitive data sent via the GET method (query strings end up in server logs and browser history).
  • CORS is disabled (no cross-origin access to the webmail) and the webmail cannot be embedded in an iframe.
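The header bullets above (CSP, HSTS, no framing, no CORS), as an added example that is not the service's own code: a Lambda@Edge origin-response handler for the per-domain CloudFront distribution that stamps the security headers onto every response. The header values are assumptions chosen to fit what the page states: remote message content is proxied through the service's own origin, so `img-src 'self'` is enough; the application must never be framed; and no CORS headers are emitted at all, which leaves the browser's same-origin policy in force.

```python
"""Lambda@Edge origin-response handler adding browser security headers.
Added example; header values are assumptions fitted to the page's claims."""

SECURITY_HEADERS = {
    # Scripts, styles, images and fetches only from our own origin; remote
    # message images arrive via the proxy on that same origin.  frame-ancestors
    # 'none' is the CSP form of "no iframes"; X-Frame-Options covers old browsers.
    "Content-Security-Policy": (
        "default-src 'self'; img-src 'self' data:; object-src 'none'; "
        "base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
    ),
    # One year of HSTS.  Add includeSubDomains only once every subdomain of the
    # mail domain is served over HTTPS, otherwise those hosts stop loading.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    # Never leak webmail URLs to links a user opens from a message.
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# Deliberately absent: any Access-Control-Allow-* header.  Without them the
# browser refuses cross-origin reads of webmail responses.


def add_security_headers(headers: dict) -> dict:
    """Set each security header, replacing any value the origin sent.

    CloudFront keys its header map by lower-cased name and stores each value as
    a list of {key, value} pairs.  Replacing rather than appending avoids
    duplicate CSP headers: browsers enforce all of them, so the effective
    policy becomes the intersection and violations are hard to diagnose.
    """
    for name, value in SECURITY_HEADERS.items():
        headers[name.lower()] = [{"key": name, "value": value}]
    return headers


def handler(event, context):
    """Lambda@Edge origin-response entry point."""
    response = event["Records"][0]["cf"]["response"]
    add_security_headers(response["headers"])
    return response


# Constructed sample event in the Lambda@Edge origin-response shape.
SAMPLE_EVENT = {"Records": [{"cf": {
    "config": {"eventType": "origin-response"},
    "request": {"uri": "/inbox", "method": "GET"},
    "response": {
        "status": "200", "statusDescription": "OK",
        "headers": {"content-type": [{"key": "Content-Type", "value": "text/html"}]},
    },
}}]}

if __name__ == "__main__":
    for values in handler(SAMPLE_EVENT, None)["headers"].values():
        print(f"{values[0]['key']}: {values[0]['value']}")
```

The HTTP-to-HTTPS redirect mentioned under Data transfer encryption needs no code: it is the distribution's viewer protocol policy ("Redirect HTTP to HTTPS"). CloudFront response headers policies can also set most of these headers declaratively; the handler form is useful when the CSP must vary per mail domain or per route.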