Security at InflowMail

Enterprise-grade security for your email. Built with zero-trust architecture.

SOC 2 Type II Ready | AES-256 Encryption | GDPR Compliant

Encryption Architecture

AES-256-GCM Authenticated Encryption

All sensitive data is encrypted with AES-256 in GCM mode, providing both confidentiality and integrity verification. This is the same standard used by governments and financial institutions.

Per-Organization Encryption Keys

Each organization has its own unique Data Encryption Key (DEK). Keys are encrypted with AWS KMS master keys using envelope encryption. Key rotation is automatic with version tracking.
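The envelope scheme just described, as an added example written for this page (it is not InflowMail's code): a locally held KEK stands in for the AWS KMS master key, the org/version context strings are an assumed format, and everything else is Go's standard library. The AAD ties each wrapped DEK and each record to one organization and one key version, which is what lets rotation proceed without orphaning old records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm builds AES-256-GCM; refusing any key that is not 32 bytes keeps AES-128/192 from slipping in.
func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte key, got %d bytes", len(key))
	}
	blk, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(blk)
}

// seal prepends a fresh random nonce; aad is authenticated but not encrypted.
func seal(key, pt, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil
}

// open fails on a wrong key, a wrong aad or any altered byte (the GCM tag check).
func open(key, ct, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("unusable key or truncated ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// ctx is the AAD that pins a blob to one organisation and one DEK version.
func ctx(org, kind string, v int) []byte { return []byte(fmt.Sprintf("%s/%s/v%d", org, kind, v)) }

// WrapDEK yields the only stored form of the DEK (kek stands in for the KMS master key, an assumption here); UnwrapDEK refuses a blob wrapped for another org or version.
func WrapDEK(kek, dek []byte, org string, v int) ([]byte, error) { return seal(kek, dek, ctx(org, "dek", v)) }
func UnwrapDEK(kek, wrapped []byte, org string, v int) ([]byte, error) { return open(kek, wrapped, ctx(org, "dek", v)) }

// Records are sealed under the unwrapped DEK; store v beside each ciphertext so that after a rotation old records still decrypt via their own version.
func EncryptRecord(dek, data []byte, org string, v int) ([]byte, error) { return seal(dek, data, ctx(org, "data", v)) }
func DecryptRecord(dek, ct []byte, org string, v int) ([]byte, error) { return open(dek, ct, ctx(org, "data", v)) }
```

Rotation is then just wrapping a new random DEK as version v+1 for the same org; records written earlier keep their own v and still unwrap.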

TLS 1.3 In Transit

All data in transit is protected by TLS 1.3 with modern cipher suites. HSTS is enforced with a 1-year max-age to prevent downgrade attacks.

Authentication & Access Control

Password Security

  • Minimum 8 characters with complexity requirements
  • PBKDF2-SHA256 hashing with unique salts
  • Account lockout after 5 failed attempts
  • Breach password detection

Two-Factor Authentication

  • TOTP-based (Google Authenticator, Authy)
  • Backup codes for recovery
  • Trusted device management
  • Mandatory for admin accounts

Session Management

  • Secure session cookies (HttpOnly, SameSite)
  • Device fingerprinting for anomaly detection
  • View and revoke active sessions
  • Automatic logout on inactivity

API Security

  • SHA-256 hashed API keys
  • Scoped permissions per key
  • Rate limiting (100 req/min default)
  • Constant-time comparison (timing attack prevention)

Infrastructure Security

AWS Infrastructure

Hosted on AWS with VPC isolation, security groups, and network ACLs. Data stored in SOC 2 Type II certified data centers.

Multi-Tenant Isolation

Logical data isolation with global query filters. Organizations cannot access each other's data. Tenant context validated on every request.

Comprehensive Audit Logging

All security-relevant actions are logged: logins, password changes, data access, admin actions. Logs include IP address, user agent, and session ID.

Security Headers

Header                     Value
Strict-Transport-Security  max-age=31536000; includeSubDomains
X-Content-Type-Options     nosniff
X-Frame-Options            DENY
X-XSS-Protection           1; mode=block
Referrer-Policy            strict-origin-when-cross-origin
Content-Security-Policy    Strict CSP with nonce-based scripts

OAuth Token Security

We never see your email password. OAuth tokens are used to access your email with your explicit permission. You can revoke access at any time.

  • OAuth tokens encrypted with organization-specific keys
  • Minimal required scopes (read email, send email)
  • Automatic token refresh with secure storage
  • Immediate token revocation when you disconnect

Security Vulnerability Disclosure

We take security seriously. If you discover a vulnerability, please report it responsibly.

Report vulnerabilities to:

[email protected]

Please include steps to reproduce and impact assessment. We'll acknowledge within 48 hours.