Security and data protection, by design
Specifics, not adjectives. Here's exactly how we protect your mailboxes, your credentials, and your mail.
Per-customer encryption
Each customer gets a dedicated encryption key. Every sensitive field — your mailboxes' OVH SMTP/IMAP passwords, cached message bodies, and outbound message bodies — is encrypted at rest with that per-customer key. Underlying mailbox passwords are never returned by any API response or written to logs; your agent authenticates with a scoped mailbox API key, not the underlying password.
EU data residency
Your mailboxes live on OVH, the authoritative store for your mail. Outbound mail is relayed through Amazon SES in eu-west-1 (Dublin). Your mail and its processing stay in the EU.
Account and access control
Turn on optional two-factor authentication (TOTP), compatible with the usual authenticator apps; enabling it gives you 10 single-use recovery codes, shown once. API keys are scoped to a single mailbox with a read, read-write, or management role, can expire, and can be revoked at any time.
Your data, in your control
Request a data export and we assemble a downloadable archive of your account — domains, mailboxes, keys, DNS records, messages and bodies, bounces, suppressions, audit log, and tickets — behind a signed link valid for 24 hours (one export per 24 hours). Account deletion runs on a 7-day grace period: credentials and keys are revoked immediately, you can cancel during the grace window, and after 7 days your per-customer encryption key is destroyed — which makes every encrypted blob permanently unrecoverable.
Deliverability guard rails
We publish DKIM automatically, suppress hard bounces and complaints per mailbox, and track each mailbox's bounce-and-complaint rate over a rolling window. Sustained high rates throttle, then disable, a mailbox to protect the shared sending reputation — and you're emailed when it happens. We run the machinery; you own your domain's sending reputation. (We don't promise inbox placement — no one honestly can.)
Transparency
A live status page, the full OpenAPI reference published from our live schema, and transparent pricing with domain costs shown at selection. No hidden fees.
Custom security review or DPA?
For a security or legal review, a DPA, or a conversation about negotiated EU-residency assurances, talk to us.