Security

Your credentials, your data — protected at every layer.

We're entrusted with App Passwords for thousands of inboxes. Here's exactly how we keep them safe.

AES-256-GCM at rest

Every SMTP and IMAP credential is encrypted with AES-256-GCM before it is written to the database. The encryption key is provisioned at deploy time and is never stored alongside the encrypted data.

TLS 1.2+ in transit

All API and dashboard traffic is HTTPS-only with HSTS preload. SMTP/IMAP connections require TLS 1.2 or newer, either as implicit TLS or negotiated with STARTTLS; we never fall back to a plaintext session.

Bcrypt password hashing

User passwords are hashed with bcrypt (cost 12). API keys are bcrypt-hashed too — only an 8-character prefix is stored in plaintext for lookup.

JWT session tokens

Sessions are signed JWTs, carried in httpOnly cookies or in an Authorization: Bearer header. Tokens are rotated on password change, so sessions issued before the change stop working.

CSRF + CSP

State-changing endpoints require CSRF tokens. A strict Content Security Policy ships on every dashboard response.

Rate limiting

Per-IP and per-user rate limiting via Throttler. Auth endpoints use much tighter limits to slow down credential brute-forcing.

Audit log

Every credential read, account connect, campaign launch and admin action is logged with actor, IP and metadata — workspace-wide.

Webhook signatures

Outbound webhook payloads are signed with HMAC-SHA256 using a per-webhook secret. The signature is sent in the X-MailFlow-Signature header, so your endpoint can confirm that a payload came from MailFlow and was not altered in transit.

Least-privilege OAuth

Optional Google OAuth requests only the openid, email and profile scopes. These are non-sensitive scopes, so no CASA assessment is required.

No restricted scopes

We deliberately do not request gmail.modify, gmail.readonly or any other restricted Google API scope. Inbox access goes through standard IMAP with the App Password you provide.

Data residency

Production data lives in EU and US regions. Pin your workspace to either on Scale plan.

Backups + recovery

Automated daily Postgres backups with 30-day point-in-time recovery and encrypted off-site storage.

Compliance

  • SOC 2 Type II in progress (target Q2 2026)
  • GDPR + CCPA compliant — data export and deletion endpoints, regional residency on Scale plan
  • CAN-SPAM + CASL enforced at product level: List-Unsubscribe, suppression list, sender identity
  • Subprocessor list published and updated within 30 days of any change
  • DPA available on the Scale plan for enterprise procurement

Responsible disclosure

Found a security issue? Email security@mailflow.dev. We respond within 24 hours and will work with you on a coordinated disclosure timeline. We do not have a paid bounty yet but we credit researchers in our security advisory feed.

PGP key available on request.

Have a procurement question?

Talk to security