Security
Last updated: 2026-05-06
Mailmundo is built to protect customer data and the integrity of the email infrastructure we run. This page describes our security practices and how to report vulnerabilities.
Encryption
- TLS 1.3 in transit, HSTS preload on mailmundo.com.
- Encryption at rest for the database and storage layers.
- MTA-STS and TLS-RPT enforced for outbound mail.
Access control
- Role-based access control (RBAC) with granular scopes.
- Multi-factor authentication for staff accounts.
- API keys are hashed; only the prefix is stored in plaintext for identification.
- Optional IP allowlist per API key.
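The two API key controls above (hashed keys with a plaintext prefix, plus an optional IP allowlist) can be seen together in the following added example. It is illustration code written for this page, not Mailmundo's implementation: the `mm_<prefix>_<secret>` layout, the record fields and the function names are assumptions. The stored record never contains the key itself, only the prefix used for lookup and a SHA-256 digest of the full key; the digest is compared in constant time and the client address is checked against the key's CIDR allowlist.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Hypothetical key layout assumed for this example (not Mailmundo's documented format):
#   mm_<8 hex prefix>_<64 hex secret>
# Only the prefix (plaintext, for lookup) and a SHA-256 hash of the whole key are
# persisted. An empty allowlist means the key may be used from any address.


def generate_api_key(allowed_cidrs=None):
    """Return (full_key, record). Show full_key to the user once; persist only record."""
    prefix = secrets.token_hex(4)        # 8 hex characters, safe to store in plaintext
    secret = secrets.token_hex(32)       # 256 bits of entropy, so a fast hash is sufficient
    full_key = f"mm_{prefix}_{secret}"
    record = {
        "prefix": prefix,
        "key_hash": hashlib.sha256(full_key.encode()).hexdigest(),
        "allowed_cidrs": [ipaddress.ip_network(c) for c in (allowed_cidrs or [])],
    }
    return full_key, record


def ip_allowed(record, client_ip):
    """Optional per-key allowlist; no entries means no restriction."""
    if not record["allowed_cidrs"]:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in record["allowed_cidrs"])


def authenticate(presented_key, store, client_ip):
    """store maps prefix -> record. Returns the matching record on success, else None."""
    parts = presented_key.split("_")
    if len(parts) != 3 or parts[0] != "mm":
        return None
    record = store.get(parts[1])          # prefix lookup, no secret material involved
    if record is None:
        return None
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    # Constant-time comparison so response timing does not reveal how much of the hash matched.
    if not hmac.compare_digest(digest, record["key_hash"]):
        return None
    if not ip_allowed(record, client_ip):
        return None
    return record


if __name__ == "__main__":
    key, rec = generate_api_key(["203.0.113.0/24"])   # constructed sample allowlist
    store = {rec["prefix"]: rec}
    print("stored record:", rec["prefix"], rec["key_hash"][:16] + "...")
    print("from allowed net:", authenticate(key, store, "203.0.113.7") is not None)
    print("from other net:  ", authenticate(key, store, "198.51.100.7") is not None)
```

A plain SHA-256 (rather than a slow password hash) is appropriate here only because the secret part is generated with 256 bits of entropy; user-chosen secrets would need a deliberately slow KDF instead.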
Audit logging
Every privileged action is recorded in an immutable, hash-chained audit log. Tampering is detectable.
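The hash-chaining that makes tampering detectable works as in the following added example, which is illustration code for this page rather than Mailmundo's logging implementation; the entry fields, the canonical JSON encoding and the genesis value are assumptions. Each entry's hash commits to the previous entry's hash and to its own content, so editing or deleting an entry in the middle breaks every link after it. The chain alone cannot detect removal of the newest entries, which is why `verify` also accepts a head hash kept outside the log.

```python
import hashlib
import json

# Added example of a hash-chained audit log. Field names and the canonical
# encoding are assumptions for this illustration, not Mailmundo's actual schema.
GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(body):
    # Deterministic serialization so the same entry always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _chain_hash(prev_hash, body):
    # Each hash commits to the previous hash and to this entry's own content.
    return hashlib.sha256(prev_hash.encode() + _canonical(body)).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, actor, action, target):
        """Record a privileged action; returns the new head hash."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action, "target": target}
        entry = dict(body, prev_hash=prev_hash, hash=_chain_hash(prev_hash, body))
        self.entries.append(entry)
        return entry["hash"]


def verify(entries, expected_head=None):
    """Recompute the chain from genesis.

    Returns (True, None) if every link checks out, otherwise (False, index) of
    the first entry that does not fit. expected_head is the latest head hash
    stored outside the log; comparing against it is what catches truncation.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: e[k] for k in ("seq", "actor", "action", "target")}
        if body["seq"] != i or e["prev_hash"] != prev or _chain_hash(prev, body) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


if __name__ == "__main__":
    log = AuditLog()   # constructed sample actions
    log.append("alice", "api_key.create", "key_1")
    log.append("bob", "role.grant", "user_42")
    head = log.append("alice", "domain.delete", "example.org")
    print("intact:", verify(log.entries, head))
    tampered = [dict(e) for e in log.entries]
    tampered[1]["actor"] = "mallory"
    print("edited entry:", verify(tampered, head))
    print("tail removed, chain only:", verify(log.entries[:2]))
    print("tail removed, with head:", verify(log.entries[:2], head))
```

In practice the head hash is published or written somewhere the log writer cannot modify (a separate system, a signed timestamp, or a periodic export) so that the last check in `verify` has an independent value to compare against.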
Email authentication
We require SPF, DKIM, and DMARC for every sending domain. We support DKIM key rotation, custom MAIL FROM, MTA-STS, TLS-RPT, ARC, and BIMI (when DMARC enforcement is in place).
Sub-processors
Our current sub-processor list is at /sub-processors. Material changes are announced in advance.
Compliance posture
- CAN-SPAM compliant by default.
- Architecture is GDPR / LGPD / CASL ready; the controls for each market are activated as we open in that jurisdiction.
- SOC 2 Type I audit planned for year 2; controls implemented from day 1.
Vulnerability disclosure
Report suspected vulnerabilities to security@mailmundo.com. Please:
- Provide enough detail to reproduce.
- Avoid privacy violations, denial of service, and data destruction.
- Give us reasonable time to remediate before public disclosure.
We do not currently run a bounty program. We acknowledge meaningful reports publicly (with permission). A formal bug bounty program will launch alongside our open beta.
Incidents
Service status is published at status.mailmundo.com. Material incidents involving customer data are notified by email within 72 hours of confirmation.