Trust & Safety

Security at JS2Mail

We handle credentials that connect to your mailbox. Here is exactly how we protect them and what our security posture looks like.

Credentials
AES-256-GCM encryption

OAuth tokens and SMTP passwords are encrypted with AES-256-GCM before being written to the database. The key is derived from a master secret stored in a separate secrets manager, not in the database.

Encryption key rotation

Keys are rotated quarterly. Existing records are re-encrypted during rotation using a background job that processes records in small batches to avoid downtime.

No plaintext logging

Credentials are never written to log files, error reports, or traces in plaintext. We use structured logging with field-level redaction on any object that contains a token or password.

Minimal OAuth scopes

Gmail: gmail.send only. Microsoft 365: Mail.Send + offline_access. We never request inbox read, contacts, calendar, or any scope beyond what is strictly required to dispatch a message.

Infrastructure
Data residency

All data is processed and stored in the EU (Frankfurt, Germany). We do not transfer personal data outside the EEA without adequate safeguards.

TLS everywhere

All traffic between clients and the API is encrypted with TLS 1.2+. TLS 1.0 and 1.1 are disabled. We enforce HSTS with a 1-year max-age.

Database encryption

The PostgreSQL database is encrypted at rest using AES-256. Backups are also encrypted and retained for 7 days.

Network isolation

API, worker, and database tiers run in isolated VPC subnets. The database has no public endpoint. Egress to mailbox providers goes through a fixed static IP.

Dependency scanning

We run automated dependency scans on every pull request. Critical CVEs are patched within 72 hours of disclosure.

Access control
API keys

API keys are hashed (SHA-256) before storage. Only the prefix is stored in plaintext for identification. The full key is shown once at creation and cannot be retrieved.

Employee access

No employee has standing access to production data. Access requires a time-limited approval with an audit trail. We follow the principle of least privilege.

Audit logging

All administrative actions (key creation, mailbox connect/disconnect, plan changes) are recorded in an immutable audit log retained for 1 year.

MFA

Multi-factor authentication is available for all accounts and mandatory for accounts on paid plans.

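
The API key scheme described under "API keys" above, sketched as an added example; this is not JS2Mail's own code. The `<prefix>.<secret>` key format, the 8-character prefix, the in-memory `KEY_STORE` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 8  # assumed length of the plaintext identification prefix

# Stand-in for the database table: prefix -> hex SHA-256 of the full key.
# The full key itself is never stored.
KEY_STORE = {}


def digest(full_key):
    # A fast unsalted hash is adequate here only because the key carries
    # 256 bits of randomness; it would not be adequate for passwords.
    return hashlib.sha256(full_key.encode("utf-8")).hexdigest()


def create_api_key():
    """Mint a key, persist only prefix + hash, return the full key once."""
    while True:
        prefix = secrets.token_hex(PREFIX_LEN // 2)
        if prefix not in KEY_STORE:  # prefixes must identify one record
            break
    secret = secrets.token_urlsafe(32)  # never contains "."
    full_key = f"{prefix}.{secret}"
    KEY_STORE[prefix] = digest(full_key)
    return full_key  # caller shows this once; it cannot be recovered later


def verify_api_key(presented):
    """Look the record up by prefix, then compare digests in constant time."""
    prefix, sep, _ = presented.partition(".")
    stored = KEY_STORE.get(prefix) if sep else None
    # Hash even when the prefix is unknown so both paths do similar work.
    candidate = digest(presented)
    if stored is None:
        hmac.compare_digest(candidate, candidate)
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    key = create_api_key()
    print("shown once:", key)
    print("valid key accepted:", verify_api_key(key))
    print("tampered key accepted:", verify_api_key(key + "x"))
```
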
Responsible disclosure

If you discover a security vulnerability in JS2Mail, please report it to us privately before disclosing it publicly. We ask for a reasonable window to investigate and patch.

Response: Within 24 hours
Critical fix: Within 72 hours
Credit: Public acknowledgement on request

Please include a description of the vulnerability, steps to reproduce it, and the potential impact. We do not currently offer monetary bug bounties but we will credit you by name if you'd like.