Your data is safe with us
Security isn't a feature — it's the foundation. Here's how we protect your email infrastructure and data.
Encryption in transit
All data between your browser and DevMail is encrypted using TLS 1.3. All email sent through our infrastructure uses STARTTLS and SMTP over TLS to encrypt messages in transit.
Encryption at rest
All stored data — including email content, attachments, and account information — is encrypted at rest using AES-256. Database backups are also encrypted.
Infrastructure
DevMail runs on AWS in multiple availability zones for high availability. We use AWS SES for email delivery, S3 for storage, and follow AWS security best practices including least-privilege IAM policies.
Authentication & access control
User authentication is managed by Clerk, a SOC 2 Type II certified identity provider. We support multi-factor authentication (MFA). Staff access to customer data is strictly limited on a need-to-know basis and logged.
Backup & recovery
We take automated daily backups of all customer data with point-in-time recovery capability. Backups are stored in a separate AWS region and tested regularly.
Monitoring & incident response
We use 24/7 automated monitoring and alerting. Our incident response plan includes defined escalation paths, communication protocols, and post-incident reviews. Security incidents are disclosed to affected users within 72 hours.
Email security standards
DevMail automatically configures your domain with the industry-standard email authentication suite:
Specifies which mail servers are authorised to send email for your domain, reducing spoofing.
Adds a cryptographic signature to every outgoing email, verifying it hasn't been tampered with.
Tells receiving servers what to do when an email fails SPF or DKIM checks, and sends you forensic reports.
Enforces TLS for all email sent to your domain, preventing downgrade attacks.
Responsible disclosure
We believe security researchers play an important role in keeping the internet safe. If you discover a vulnerability in DevMail, please disclose it to us responsibly.
Report a vulnerability
Email: security@devmail.app
Please include: a description of the vulnerability, steps to reproduce, potential impact, and your contact details.
We will acknowledge your report within 48 hours, investigate promptly, and notify you when the issue is resolved. We do not take legal action against researchers who report vulnerabilities in good faith.
Security questions?
For any security-related questions, contact our security team directly at security@devmail.app.