Security & Compliance
Security and privacy are built into Mailbeam from the ground up. Here is exactly what we do to protect the data you entrust to us.
Compliance status
- GDPR: Compliant
- EU data residency: Active
- SOC 2 Type II: In progress
EU data residency
All Mailbeam infrastructure — API servers, databases, and processing — runs exclusively within the European Union. We use Hetzner Online GmbH data centers located in Germany.
Email addresses submitted for verification are processed in the EU and are not transferred to any third country. GDPR Chapter V transfer restrictions are fully satisfied.
Primary region
Hetzner Online GmbH — Falkenstein, Germany (EU)
Data retention
| Data type | Retention period | Notes |
|---|---|---|
| Email addresses (verification requests) | 0 days | Discarded immediately after verification completes |
| API request logs (metadata only) | 30 days | Contains timestamp, response code, and latency — no email content |
| Account data (name, email, password hash) | Duration of account | Deleted within 30 days of account closure request |
| Billing records | 7 years | Required by EU accounting law |
| Audit logs (security events) | 90 days | IP addresses hashed after 30 days |
Encryption
In transit
TLS 1.3 for all API traffic. TLS 1.2 minimum enforced. No unencrypted HTTP endpoints in production.
At rest
Databases encrypted with AES-256. Encryption keys managed by Hetzner HSMs with annual rotation.
API keys
API keys are hashed with bcrypt before storage. The raw key is shown once at creation and cannot be recovered.
Passwords
User passwords are hashed with Argon2id. They are never stored in plaintext or recoverable form.
SOC 2 Type II
In progress
We are actively working toward SOC 2 Type II certification. We are honest about where we are: the audit process has begun, and we expect to share results once the audit is complete.
In the meantime, enterprise customers can request our security questionnaire responses, infrastructure architecture documentation, and penetration test summaries via security@mailbeam.dev.
Sub-processors
We use the following sub-processors. All are EU-based entities or operate under appropriate transfer mechanisms.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting | Germany (EU) |
| Stripe, Inc. (EU entity) | Payment processing | Ireland (EU) |
| Vercel Inc. | Frontend CDN | USA (SCCs in place) |
Sub-processor changes are communicated with at least 14 days' notice.
Incident response
In the event of a security incident involving personal data, Mailbeam will:
- Notify affected customers within 72 hours of becoming aware of the incident (GDPR Article 33 requirement)
- Provide a written incident report detailing the nature, scope, and likely consequences
- Include information needed for customers to notify their supervisory authority where required
- Implement corrective measures and provide a post-incident review within 30 days
Responsible disclosure
If you discover a security vulnerability in Mailbeam, please report it privately. We commit to:
- Acknowledge your report within 48 hours
- Investigate and provide a status update within 7 business days
- Credit you in our public disclosure (with your permission)
- Not take legal action against researchers acting in good faith
Need a Data Processing Agreement?
A countersigned DPA under GDPR Article 28 is available for all customers. View the standard terms online or email us to request a countersigned copy.