ephemail handles transient and persistent email for engineering teams. this page documents the controls in production today, what we're still building, and how to report a vulnerability.
encryption
- tls 1.2+ required on all inbound and outbound smtp; dane and mta-sts are honoured on outbound delivery when the remote domain publishes them.
- https only on the api and dashboard; hsts preload; tls 1.3 preferred.
- at rest: aes-256 on managed postgres and object storage; per-tenant keys for raw mime blobs.
- api keys stored as bcrypt hashes; only a short key prefix is kept in the clear so a key can be identified in the dashboard.
- scim and sso bearer tokens are sha-256 hashed; rotation supported at any time.
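the prefix-plus-hash pattern from the two lines above, as an added python example (not ephemail's code): the `eph_<8 hex>_<64 hex>` token shape, the lookup by prefix and the `rotate` call are assumptions made for the illustration. it applies sha-256 as the page states for scim/sso bearer tokens; api keys follow the same pattern with bcrypt in place of sha-256, which is not shown here.

```python
"""prefix-plus-hash storage for bearer tokens (added example, not ephemail's code).

assumed token shape: "eph_" + 8 hex chars shown in the dashboard + "_" + 64 hex
chars of secret. the store keeps the prefix in the clear and sha-256 of the
full token; the token itself is returned once at issue time and never kept.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TAG = "eph"        # assumed key tag, not a documented ephemail format
PREFIX_HEX = 8     # 4 random bytes, visible in the dashboard
SECRET_HEX = 64    # 32 random bytes, never stored


@dataclass
class TokenRow:
    prefix: str            # cleartext, e.g. "eph_1a2b3c4d"; used for display and lookup
    digest: bytes          # sha256(full token); the token is not recoverable from it
    revoked: bool = False


@dataclass
class TokenStore:
    rows: dict[str, TokenRow] = field(default_factory=dict)   # keyed by prefix

    def issue(self) -> str:
        """mint a token, return it once, persist only prefix + digest."""
        prefix = f"{TAG}_{secrets.token_hex(PREFIX_HEX // 2)}"
        token = f"{prefix}_{secrets.token_hex(SECRET_HEX // 2)}"
        self.rows[prefix] = TokenRow(prefix, hashlib.sha256(token.encode()).digest())
        return token

    @staticmethod
    def _prefix_of(token: str) -> str | None:
        """return the display prefix, or None for anything not shaped like a token."""
        parts = token.split("_")
        if len(parts) != 3 or parts[0] != TAG:
            return None
        if len(parts[1]) != PREFIX_HEX or len(parts[2]) != SECRET_HEX:
            return None
        try:
            bytes.fromhex(parts[1])
            bytes.fromhex(parts[2])
        except ValueError:
            return None
        return f"{parts[0]}_{parts[1]}"

    def verify(self, presented: str) -> bool:
        """find the row by prefix, then compare digests in constant time."""
        prefix = self._prefix_of(presented)
        row = self.rows.get(prefix) if prefix else None
        if row is None or row.revoked:
            return False
        digest = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(digest, row.digest)

    def rotate(self, prefix: str) -> str | None:
        """revoke the token behind `prefix` and hand back its replacement."""
        row = self.rows.get(prefix)
        if row is None or row.revoked:
            return None
        row.revoked = True
        return self.issue()

    def display(self) -> list[str]:
        """what a dashboard may render: live prefixes only, never secrets."""
        return [r.prefix for r in self.rows.values() if not r.revoked]


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue()
    print("issued:", token)
    print("dashboard shows:", store.display())
    print("verifies:", store.verify(token))
    replacement = store.rotate(store._prefix_of(token))
    print("old token after rotation:", store.verify(token))
    print("new token after rotation:", store.verify(replacement))
```

a plain sha-256 is only safe here because the secret is 32 random bytes: nothing a user chose, so there is nothing to dictionary-attack; a user-chosen password would still need bcrypt or argon2. the prefix does double duty, letting the dashboard name a key and letting verification find the row without a table scan, while the constant-time compare keeps the digest comparison itself from leaking.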
infrastructure
- primary region us-east; eu region (frankfurt) available on enterprise.
- edge runtime on cloudflare workers; database on managed postgres with point-in-time recovery (7d standard, 30d enterprise).
- backups encrypted; a full restore is exercised quarterly as part of the dr drill.
- least-privilege iam; production access via short-lived sso sessions, audited.
application controls
- row-level security on every tenant-scoped table.
- rate limits per workspace, per address, per api key, per ip — see /docs/rate-limits.
- dmarc enforcement on custom domains; spf and dkim auto-provisioned.
- html sanitization (strict / standard / minimal) on inbound rendering.
- attachment scanning with size + extension policy per workspace.
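how a per-workspace, per-address, per-api-key and per-ip limit can be evaluated as one decision, as an added python example (not ephemail's implementation; the token-bucket algorithm, the burst sizes and refill rates, and the sample identities are assumptions constructed for the illustration):

```python
"""four-dimension token-bucket limiter (added example, not ephemail's code).

every request is scored against one bucket per dimension it belongs to:
workspace, address, api_key and ip. the burst sizes and refill rates in
LIMITS are constructed for the example, not ephemail's published limits.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Bucket:
    capacity: float       # burst size
    refill_per_s: float   # sustained rate
    tokens: float         # current balance
    updated: float        # clock reading at the last refill

    def refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_s)
        self.updated = now


@dataclass
class Limiter:
    limits: dict[str, tuple[int, float]]      # dimension -> (burst, refill per second)
    buckets: dict[tuple[str, str], Bucket] = field(default_factory=dict)

    def _bucket(self, dim: str, key: str, now: float) -> Bucket:
        b = self.buckets.get((dim, key))
        if b is None:
            cap, rate = self.limits[dim]
            b = Bucket(cap, rate, cap, now)   # a fresh bucket starts full
            self.buckets[(dim, key)] = b
        else:
            b.refill(now)
        return b

    def check(self, now: float, **scope: str) -> tuple[bool, str | None, float]:
        """decide one request.

        `scope` names the request on each dimension, e.g.
        workspace="ws_1", address="a@x.test", api_key="eph_1a2b3c4d", ip="203.0.113.9".
        returns (allowed, dimension that refused, seconds until it would allow).
        """
        if not scope:
            raise ValueError("a request must be scoped to at least one dimension")
        unknown = set(scope) - set(self.limits)
        if unknown:
            # a misspelt dimension must fail closed, not run unthrottled
            raise ValueError(f"no limit configured for {sorted(unknown)}")
        buckets = [(dim, self._bucket(dim, key, now)) for dim, key in scope.items()]
        # phase 1: every bucket must have a token ...
        for dim, b in buckets:
            if b.tokens < 1.0:
                return False, dim, (1.0 - b.tokens) / b.refill_per_s
        # phase 2: ... and only then are all of them charged
        for _, b in buckets:
            b.tokens -= 1.0
        return True, None, 0.0


LIMITS = {  # constructed for the example: (burst, refill per second)
    "workspace": (100, 10.0),
    "address": (5, 1.0),
    "api_key": (50, 5.0),
    "ip": (20, 2.0),
}


def burst(limiter: Limiter, n: int, now: float) -> list[tuple[bool, str | None, float]]:
    """n back-to-back requests from one constructed caller at the same instant."""
    return [limiter.check(now, workspace="ws_1", address="a@x.test",
                          api_key="eph_1a2b3c4d", ip="203.0.113.9") for _ in range(n)]


if __name__ == "__main__":
    for ok, dim, retry in burst(Limiter(LIMITS), 6, 0.0):
        print(ok, dim, round(retry, 2))
```

two choices matter more than the bucket arithmetic: a refused request is charged to no bucket at all, so one noisy address cannot burn through the budget its workspace and ip share with well-behaved callers; and a scope naming a dimension with no configured limit raises instead of passing, so a typo in a handler cannot silently create an unlimited path. the returned `retry` value is what a 429 response's Retry-After header should carry.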
identity
- password + email confirmation by default.
- oauth (google) on all plans; saml + oidc + scim on enterprise.
- 2fa enforced for admins (toggle in /app/settings/security).
- ip allowlist on the dashboard and per api key.
compliance roadmap
| framework | status | target |
|---|---|---|
| soc 2 type i | in audit | q3 2026 |
| soc 2 type ii | scoped | q1 2027 |
| gdpr / dpa | available | now — /dpa |
| hipaa baa | evaluating | tbd |
| iso 27001 | planned | 2027 |
sub-processor list is published at /dpa. customers are notified 30 days before any addition.
vulnerability disclosure
we welcome reports from researchers. email security@ephemail.io, encrypted with the pgp key below. our coordinated disclosure process and slas:
| stage | sla | notes |
|---|---|---|
| acknowledgement | 24 hours | human reply confirming receipt + tracking id. |
| triage + severity | 72 hours | cvss 3.1 score, scope confirmed, reporter notified. |
| status updates | every 7 days | until resolution or report closed. |
| fix — critical (cvss 9.0+) | 7 days | patched in production; reporter re-tests. |
| fix — high (7.0–8.9) | 30 days | |
| fix — medium (4.0–6.9) | 90 days | |
| fix — low (< 4.0) | best effort | tracked publicly in changelog when shipped. |
| public disclosure | 90 days after fix | coordinated; earlier with reporter consent. |
- in scope: api, dashboard, smtp endpoints, sdks, docs site.
- out of scope: rate-limit dos, third-party services, social engineering of staff, reports generated solely by automated scanners.
- safe harbor: good-faith testing within scope will not result in legal action or account termination.
- bounty: discretionary; baseline $250 (low) → $5,000 (critical), paid after fix is verified.
- hall of fame: researchers are credited at /security/researchers unless they opt out.
pgp public key
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGZ0AAABEAC8sample0keyBlockForEphemailSecurityContactDoNotTrust
ThisFingerprintInProductionRotateBeforePublishingFromTheRealVault==
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
fingerprint: 8B4F 19A2 7CC1 3E45 9D02 6F8A 1B33 7E22 4D90 0AF1
contact
security@ephemail.io · for non-security questions see /privacy or /abuse.