Trust center

Security is a feature, not a tab.

We built Mailapp to handle the data you wouldn't hand to anyone else. This page is our standing answer to your security review.

Certifications

The compliance you'd expect, the evidence you can audit.

GDPR-aligned

EU-aligned data handling. DPA available without negotiation for any customer.

CCPA / CPRA

California consumer rights honoured globally by default.

No cardholder data

Mailapp never stores cardholder data. Payments processed by Stripe (PCI Level 1).

Residency

Your data, where you need it.

EU customers stay in the EU. Nothing crosses a border without your explicit consent.

Region                     | Status
US — us-east-1             | Default for new workspaces
EU — eu-west-1             | Strict residency on request · Enterprise
AU — ap-southeast-2        | Available Q4 2026
Singapore — ap-southeast-1 | Planned 2027

Practices

How we operate, in plain English.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. All keys rotated quarterly via AWS KMS. Customer-managed keys available on Enterprise.

Least-privilege access

Engineers don't access customer data by default. Every read is logged with a justification and routed to your dedicated audit log if you enable it.

Continuous monitoring

Anomaly detection on every privileged action. Alerts route to a 24/7 on-call rotation. Median time-to-detect is under 6 minutes.

AI data governance

AI prompts never train shared models. Local model endpoints available for regulated industries. PII redaction is on by default.

Tenant isolation

Logical isolation by default, physical isolation available on Enterprise. Test data is segregated and purged on a 30-day cycle.

Incident response

Practiced quarterly via tabletop and game days. We publish post-mortems for any incident of severity 2 or higher.

Sub-processors

Every party with a chance to touch your data.

We notify on changes at least 30 days in advance. Customers can opt out of any change before it takes effect.

Sub-processor       | Purpose                                   | Region
Amazon Web Services | Primary hosting infrastructure            | US, EU
Amazon SES          | Primary outbound email transport          | US, EU
Cloudflare          | Edge, WAF, CDN                            | Global edge
Stripe              | Payment processing                        | US
Anthropic           | AI assistant default model                | US (opt-in)
Datadog             | Application monitoring                    | US, EU regions matched
Linear              | Engineering ticketing — no customer data  | US

Vulnerability disclosure

A bounty program, not a PR program.

Reports made in good faith are paid promptly. Our scopes and bounty bands are listed below. Submit via hello@mailapp.app or HackerOne.

Class                         | Bounty range
Account takeover              | $5,000 – $25,000
RCE / SSRF on production      | $10,000 – $50,000
IDOR / cross-tenant data leak | $5,000 – $40,000
Stored XSS in dashboard       | $1,000 – $5,000
DMARC / DKIM key handling     | $2,000 – $20,000