Mailday Security Overview

Last updated: 2026-05-13

Mailday takes a defense-in-depth approach to keeping member and workspace data secure. This page summarizes the technical and organizational measures we implement today. A more detailed description forms Annex II to our Data Processing Addendum.

If you discover a security issue, please report it to security@mailday.ai. We support responsible disclosure and will not pursue legal action against good-faith research conducted within the guidelines set out in § Responsible disclosure below.

Encryption

  • In transit: TLS 1.2 or higher for all customer-facing traffic. TLS termination at the AWS Application Load Balancer with auto-renewing certificates.
  • At rest: AES-256 for primary databases, file storage, and backups.

Access control

  • Role-based access controls in-application (Member, Workspace Admin, Workspace Manager, Super Admin) enforced at every API boundary.
  • Internal access to production systems is restricted to authorized personnel on a need-to-know basis, with mandatory multi-factor authentication and periodic access reviews.
  • Admin actions on customer accounts are logged to an immutable audit log.

Personnel

  • Confidentiality obligations apply to all personnel with access to customer data.
  • Background checks where lawful.
  • Security awareness training during onboarding and at least annually thereafter.

Network and infrastructure

  • VPC isolation; security groups enforce least-privilege ingress.
  • Web Application Firewall in front of public endpoints.
  • Amazon GuardDuty for cloud-infrastructure threat detection.
  • Rate limiting on authentication and other write endpoints.

Email security

  • SPF, DKIM, and DMARC configured on all sending domains.
  • SES bounce and complaint feedback wired into automatic suppression lists.
  • Size limits and source checks on inbound and outbound messages and attachments. Deeper malware scanning is on our roadmap.

Logging and monitoring

  • Centralized audit logging for administrative and security-sensitive actions.
  • Application observability via LaunchDarkly (errors, performance, optional session replay) — see the Cookie Policy for the customer-facing privacy posture.
  • Anomaly alerts route to the on-call team.

Vulnerability management

  • Regular dependency scanning and patching.
  • Coordinated vulnerability disclosure to security@mailday.ai — see § Responsible disclosure below.

Incident response

  • Documented incident response plan.
  • 24/7 on-call rotation for production.
  • Security incidents involving customer Personal Data are reported to customers without undue delay and, where feasible, within 72 hours, as required by GDPR.

Backups and resilience

  • Encrypted backups with 90-day retention.
  • Redundancy and geographic distribution within hosting regions.
  • Periodic restoration testing.

Vendor management

  • Due diligence on every third-party processor.
  • Written data-protection agreements with each subprocessor.
  • Periodic review of our Subprocessor List.

Privacy by design

  • Data minimization at collection.
  • Purpose limitation and retention limits documented in the Privacy Policy § 9.
  • Role separation between application logic and observability data.

Certifications and roadmap

We are planning SOC 2 Type II certification. Updates will be posted here.

Responsible disclosure

If you believe you have found a security vulnerability, please:

  1. Email security@mailday.ai with a description of the issue and reproduction steps.
  2. Give us a reasonable opportunity to investigate and remediate before public disclosure.
  3. Avoid privacy violations, destruction of data, and interruption or degradation of our Service.
  4. Do not test against accounts you do not own, run automated scans without prior authorization, or perform denial-of-service tests.

We will acknowledge receipt within 5 business days and keep you informed as we investigate.

Contact

  • Security: security@mailday.ai
  • Privacy: privacy@mailday.ai
