shield_lock Security

Security you can actually verify

This page describes the real, deployed stack — not aspirations. Every claim below is audited against production before it is published, and the same discipline applies to our subprocessor list, which an automated test keeps in lockstep with the codebase.

dns Infrastructure

Where your data lives and moves

https

Encryption in transit

All application traffic is served over HTTPS with TLS terminated at Cloudflare's edge. Custom click-tracking domains receive automatically issued and renewed Let's Encrypt certificates.

location_on

EU application hosting

The application and its database run on a dedicated cloud server at Hetzner Online in Falkenstein, Germany (EU), on Ubuntu LTS. Email delivery runs on Amazon SES managed infrastructure.

encrypted

Credentials encrypted at rest

Integration tokens are stored with AES-256 application-level encryption. Passwords are stored only as salted bcrypt hashes. API keys are stored only as SHA-256 digests — the plaintext is shown once at creation; rotation, not recovery.

credit_card_off

Card data never touches us

Payments are processed by Stripe (PCI-DSS Level 1). Full card numbers are collected directly by Stripe; our servers see only the card brand, last four digits, and an authorization token.

key Access

Account and API protection

phonelink_lock

Two-factor authentication

TOTP two-factor authentication is available on every account and enforced by middleware on every authenticated route once enabled. Sign-in and embedded forms support reCAPTCHA bot protection.

vpn_key

Scoped API keys

API keys carry explicit permission scopes, so an integration only gets the access it needs. Every key can be rotated or revoked instantly, and per-key rate limits protect the platform.

webhook

Signed webhooks

Every webhook delivery is signed with a per-subscription HMAC secret so your systems can verify authenticity. Endpoints require HTTPS, and the signing secret is shown once at creation.

group

Least-privilege operations

The application runs as an unprivileged service user. Production access is limited to the operations team over SSH, through an audited, transcript-logged deploy pipeline with secrets redacted.

deployed_code Engineering practice

How changes ship safely

rule

Tested before deploy

Every release passes a four-layer automated test suite — thousands of backend, unit, headless-browser, and end-to-end tests — plus a post-deploy validation gate of dozens of hard production checks.

history

Atomic releases, instant rollback

Deploys are atomic: a new release is built beside the running one and switched in a single symlink flip. Previous releases are retained, so rollback is one command and seconds, not a rebuild.

database

Durable storage

Media and generated assets live in Amazon S3's durable object storage. The production database can be exported off-site through a dedicated read-only pipeline with zero footprint on the running system.

visibility

Monitored continuously

Service status, queue depth, failed jobs, and host load, memory, and disk are captured in health snapshots with alerting. Bounce and complaint streams from the mail infrastructure are processed automatically.

bug_report Responsible disclosure

Found a vulnerability?

We want to hear about it. Report security issues to security@emailflow.ai and we will acknowledge your report, investigate promptly, and keep you informed. Please give us a reasonable window to remediate before public disclosure.