Security you can actually verify
This page describes the real, deployed stack — not aspirations. Every claim below is audited against production before it is published, and the same discipline applies to our subprocessor list, which an automated test keeps in lockstep with the codebase.
Where your data lives and moves
Encryption in transit
All application traffic is served over HTTPS with TLS terminated at Cloudflare's edge. Custom click-tracking domains receive automatically issued and renewed Let's Encrypt certificates.
EU application hosting
The application and its database run on a dedicated cloud server at Hetzner Online in Falkenstein, Germany (EU), on Ubuntu LTS. Email delivery runs on Amazon SES managed infrastructure.
Credentials encrypted at rest
Integration tokens are stored with AES-256 application-level encryption. Passwords are stored only as salted bcrypt hashes. API keys are stored only as SHA-256 digests — the plaintext is shown once at creation; rotation, not recovery.
Card data never touches us
Payments are processed by Stripe (PCI-DSS Level 1). Full card numbers are collected directly by Stripe; our servers see only the card brand, last four digits, and an authorization token.
Account and API protection
Two-factor authentication
TOTP two-factor authentication is available on every account and enforced by middleware on every authenticated route once enabled. Sign-in and embedded forms support reCAPTCHA bot protection.
Scoped API keys
API keys carry explicit permission scopes, so an integration only gets the access it needs. Every key can be rotated or revoked instantly, and per-key rate limits protect the platform.
Signed webhooks
Every webhook delivery is signed with a per-subscription HMAC secret so your systems can verify authenticity. Endpoints require HTTPS, and the signing secret is shown once at creation.
Least-privilege operations
The application runs as an unprivileged service user. Production access is limited to the operations team over SSH, through an audited, transcript-logged deploy pipeline with secrets redacted.
How changes ship safely
Tested before deploy
Every release passes a four-layer automated test suite — thousands of backend, unit, headless-browser, and end-to-end tests — plus a post-deploy validation gate of dozens of hard production checks.
Atomic releases, instant rollback
Deploys are atomic: a new release is built beside the running one and switched in a single symlink flip. Previous releases are retained, so rollback is one command and seconds, not a rebuild.
Durable storage
Media and generated assets live in Amazon S3's durable object storage. The production database can be exported off-site through a dedicated read-only pipeline with zero footprint on the running system.
Monitored continuously
Service status, queue depth, failed jobs, and host load, memory, and disk are captured in health snapshots with alerting. Bounce and complaint streams from the mail infrastructure are processed automatically.
Found a vulnerability?
We want to hear about it. Report security issues to security@emailflow.ai and we will acknowledge your report, investigate promptly, and keep you informed. Please give us a reasonable window to remediate before public disclosure.