Security summary: AES-256 at rest · TLS 1.3 in transit · Zero-knowledge credential storage · Regular third-party audits · Bug bounty programme · GDPR compliant
1. Encryption
Data at rest
All data stored on Emaily's servers is encrypted using AES-256, the same standard used by banks and governments worldwide. This includes your email account credentials, Voice DNA profiles, and any cached email content.
Data in transit
All communication between your device and Emaily's servers is encrypted using TLS 1.3. We enforce HTTPS across all endpoints and use HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.
Email credential storage
IMAP/SMTP passwords and Gmail OAuth tokens are stored using envelope encryption: each credential is encrypted with a unique key, which is itself encrypted with a master key stored in a hardware security module (HSM). This means our staff cannot access your email passwords, even in the unlikely event of a database breach.
2. Authentication and Access Control
- Passwords are hashed using bcrypt with a cost factor of 12, never stored in plaintext
- Two-factor authentication (2FA) is available and strongly recommended
- Session tokens expire after 30 days of inactivity
- Failed login attempts trigger progressive lockout to prevent brute-force attacks
- All API endpoints require authentication; no public-facing data endpoints
- Role-based access control (RBAC) limits internal staff access to the minimum necessary
3. Infrastructure Security
Cloud provider
Emaily runs on Amazon Web Services (AWS) in the EU-WEST-2 (London) region. AWS holds ISO 27001, SOC 1/2/3, and PCI DSS certifications. Your data never leaves the UK.
Network security
- All services run inside private VPCs with no direct public internet exposure
- Web Application Firewall (WAF) protects against SQL injection, XSS, and common attack vectors
- DDoS protection via AWS Shield
- Intrusion detection and prevention systems (IDS/IPS) monitor for suspicious activity
- Regular vulnerability scanning of all public-facing endpoints
Secrets management
API keys, database credentials, and other secrets are managed via AWS Secrets Manager with automatic rotation. No secrets are stored in code repositories or environment files.
4. AI and Data Processing
What gets sent to AI models
When you use AI features, email content may be sent to our AI inference providers (currently OpenAI and/or Anthropic). We have Data Processing Agreements (DPAs) in place with all AI providers that prohibit them from training on your data.
Voice DNA isolation
Your Voice DNA profile is stored in an isolated, encrypted datastore. It is never shared between users and never used for any purpose other than generating your personalised email drafts.
5. Audits and Compliance
- Penetration testing: we engage independent security firms for annual penetration tests
- GDPR compliance: we are fully compliant with UK GDPR and maintain a Data Processing Register
- SOC 2 Type II: currently in progress, expected Q3 2025
- ISO 27001: currently in progress
- Code review: all code changes undergo peer review before deployment
- Dependency scanning: automated scanning for known vulnerabilities in third-party packages
6. Incident Response
In the event of a security incident that affects your data:
- We will notify affected users within 72 hours of becoming aware of a breach, as required by UK GDPR
- We will report notifiable breaches to the ICO within 72 hours
- We maintain a documented incident response plan, reviewed quarterly
- Our security team is on-call 24/7 to respond to critical incidents
7. Employee Security
- All employees undergo background checks before accessing production systems
- Access to customer data is strictly limited and audited
- All staff complete annual security awareness training
- Employees use hardware security keys (FIDO2) for internal system authentication
- Departing employees have all access revoked within one hour
8. Bug Bounty Programme
We believe responsible disclosure makes everyone safer. If you discover a security vulnerability in Emaily, please report it to us before making it public.
Report a vulnerability: Email contact@emaily.uk with details. We aim to acknowledge all reports within 24 hours and resolve critical issues within 7 days.
Rewards of up to £5,000 are available for critical vulnerabilities, depending on severity and impact. We follow responsible disclosure guidelines and will not pursue legal action against researchers acting in good faith.
In scope: app.emaily.uk, emaily.uk, and our public APIs. Out of scope: social engineering, physical attacks, and denial-of-service.
9. Your Security Responsibilities
Security is a shared responsibility. We ask that you:
- Use a strong, unique password for your Emaily account
- Enable two-factor authentication
- Keep your device and browser up to date
- Do not share your account credentials
- Log out of shared or public devices
- Report suspicious activity to contact@emaily.uk
10. Contact Our Security Team
For security enquiries, vulnerability reports, or to request our latest penetration test summary:
📧 contact@emaily.uk
PGP key available on request