Infrastructure Security
MailEditor is hosted on Amazon Web Services (AWS), a cloud provider certified against ISO/IEC 27001, PCI DSS, SOC 1 Type II, and SOC 2 Type II standards.
- Network isolation: Our services run inside a dedicated AWS Virtual Private Cloud (VPC) with strict Security Group rules. Only required ports and services are exposed to the public internet.
- Environment separation: Development, staging, and production run as fully separated environments. Customer data lives only in production.
- Web Application Firewall (WAF): AWS WAF is attached to our load balancers and configured to block SQL injection, cross-site scripting (XSS), known malicious botnets, and traffic from high-risk regions.
- DDoS protection: AWS Shield protects our infrastructure against network and transport-layer denial-of-service attacks.
- Managed compute and patching: Our application runs on managed AWS infrastructure, and operating system and runtime patches are applied as part of our regular deployment cycle.
Data Encryption
- Encryption in transit: All traffic between your browser and MailEditor, and between MailEditor and third-party services, is encrypted using TLS 1.2 or higher. Plain HTTP connections are not accepted.
- Encryption at rest: All databases (Amazon RDS) and file storage (Amazon S3) are encrypted at rest using AWS KMS with AES-256.
- Template protection: Email templates are the only customer content we store. Template names and content are not accessible to any other user unless the owner explicitly shares them. Templates are private by default.
Access Control
- Access to production systems and customer data is restricted to authorized personnel only, on a least-privilege basis, and all such personnel are bound by confidentiality obligations.
- Administrative access to AWS is protected by strong authentication, and sensitive root-level API actions are logged and monitored through AWS CloudTrail.
- Customer accounts are protected by individual credentials. Passwords are never stored in plain text. We recommend that users choose strong, unique passwords and never share account credentials.
Third-Party Integration Security (Including Klaviyo)
MailEditor integrates with email service providers such as Klaviyo, Mailchimp, Brevo, SendGrid, and others so that users can export templates directly into their own accounts. We apply the following principles to every integration:
- Credential protection: API keys and OAuth tokens that users connect to MailEditor are stored encrypted at rest and are never exposed in logs, error messages, or to other users.
- Minimal scope:We request only the permissions required to deliver the integration's functionality (for example, creating and updating email templates). We do not request access to data we do not need.
- No subscriber data storage:MailEditor does not store our customers' subscriber lists, contact profiles, or campaign analytics from connected platforms. Integration access is used only to perform the action the user requests, such as pushing a template into their account.
- Revocation: Users can disconnect an integration at any time from their account settings or from the third-party platform. Upon disconnection, the associated credentials are invalidated and removed from our systems.
- No resale or secondary use: Data accessed through integrations is never sold, shared with third parties, used for advertising or profiling, or used to train AI or machine learning models.
Application Security
- Secure development: Code changes go through review and are deployed through automated CI/CD pipelines, ensuring consistent, repeatable, and auditable releases across development, staging, and production.
- Dependency scanning: Automated dependency scanning (GitHub Dependabot) runs in our CI/CD pipeline, and builds are blocked when high-severity vulnerabilities are detected.
- Container scanning: Every deployment image is scanned for known operating system vulnerabilities (CVEs) using Amazon ECR scan-on-push before it can reach production.
Monitoring, Logging, and Threat Detection
Our infrastructure is monitored 24/7 using Amazon CloudWatch and EventBridge. Automated alerts notify our team of:
- Traffic anomalies that exceed normal baselines.
- Spikes in requests blocked by the WAF.
- Excessive failed login attempts.
- Sustained high CPU or memory usage.
- Unusual outbound traffic patterns that could indicate data exfiltration.
- Unauthorized or sensitive administrative API calls (via AWS CloudTrail).
Application and security logs are centralized in CloudWatch Logs, allowing rapid investigation of any suspicious activity.
Backups and Disaster Recovery
- Database backups: Automated daily backups of our databases with point-in-time recovery, plus manual snapshots before major changes.
- File storage: S3 versioning is enabled to protect stored files against accidental deletion or modification.
- Recovery plan: In the event of a failure, systems and data can be restored to any point within the backup retention period. Backup and recovery procedures are reviewed regularly.
Payment Security
MailEditor does not store credit card numbers or payment credentials on our servers. All payments are processed by Stripe, a PCI DSS Level 1 certified payment provider, which is the highest level of certification in the payments industry.
Data Ownership, Retention, and Deletion
- You retain full ownership of the templates and content you create in MailEditor.
- Templates are the only customer content we store, and they remain private unless you choose to share them.
- You may request deletion of your account and all associated data at any time by contacting us. Upon a verified request, your data is permanently removed from our active systems, and removed from backups as those backups expire under our retention schedule, except where retention is required by law.
To request data deletion, email us at dpo@maileditor.net.
Incident Response
In the unlikely event of a security incident affecting customer data, we will:
- Contain and investigate the incident promptly.
- Notify affected users without undue delay.
- Notify relevant authorities where required by applicable law (including GDPR breach notification requirements).
- Take corrective measures to prevent recurrence.
Compliance
- GDPR readiness: Data is encrypted at rest and in transit, stored in a defined AWS region to respect data residency requirements, and subject to user rights including access, correction, deletion, and portability. See our Privacy Policy for full details on your rights.
- CCPA: California residents may exercise their rights as described in our Privacy Policy.
- Subprocessors: A current list of our subprocessors (including AWS, Google, Stripe, and OpenAI) is maintained in our Privacy Policy.
Responsible Disclosure
We welcome reports from security researchers. If you believe you have discovered a vulnerability in MailEditor, please report it to us at security@maileditor.net with enough detail for us to reproduce the issue. We ask that you:
- Do not access, modify, or delete data belonging to other users
- Do not perform denial-of-service testing
- Give us reasonable time to investigate and fix the issue before public disclosure
We will acknowledge valid reports, keep you informed of our progress, and will not pursue legal action against researchers who act in good faith under these guidelines.
Changes to This Policy
We may update this Security Policy from time to time as our infrastructure and practices evolve. Material changes will be posted on this page with an updated effective date.
Contact
For security questions or concerns:
MailEditor LLC
1209 Mountain Road Pl NE Ste R,
Albuquerque, NM 87110
Security contact: security@maileditor.net
Data protection: dpo@maileditor.net
Website: https://maileditor.net