Security & Trust
Smailor is an email infrastructure service. We take security, deliverability, and privacy seriously — not as marketing, but as the core of a service your team depends on every day.
GDPR compliant
Data processed in Europe. Full DPA available for business customers.
TLS everywhere
All connections encrypted in transit. STARTTLS enforced on email delivery.
SPF · DKIM · DMARC
Full email authentication stack on all outbound mail. BIMI support available.
How outbound and inbound email actually works.
Outbound mail — SMTP with authentication
Every outbound email is signed with DKIM (RSA-2048) on your custom domain. SPF records delegate sending rights to Smailor's infrastructure. DMARC enforcement prevents spoofing of your domain. Envelope-from alignment is enforced for consistent delivery.
Inbound mail — MX routing
Your domain's MX records point to Smailor's mail receivers. Incoming messages are validated, spam-scored, and routed to the correct inbox in under a second. Attachments are stored separately and served via authenticated URLs.
Data center — Hetzner (Germany / Finland)
All data is stored on Hetzner servers located in the EU (Germany and/or Finland). Hetzner is ISO 27001 certified. Data never leaves the European Economic Area without appropriate safeguards.
Deliverability — reputation
Per-domain sending stats are visible in your dashboard. BIMI logos are supported for brand recognition in Gmail and Apple Mail. We monitor bounce rates and automatically throttle to protect your domain's reputation.
Anti-spam & abuse prevention
Outbound rate limiting per domain and per account. Sending through Smailor for unsolicited bulk mail violates our Acceptable Use Policy and results in immediate suspension. We score inbound messages for spam and phishing before routing. Abuse reports go to [email protected].
What we collect, why, and for how long.
We do not sell your data
Your emails, contacts, and message content are never sold or shared with third parties for advertising. We process data solely to provide the service, ensure security, and comply with the law.
We do not train AI on your content
Your private messages are never used to train public or third-party machine learning models. AI features run on a self-hosted model (Qwen 2.5, 1.5 B). Your data never leaves our servers.
Encryption in transit & at rest
All HTTP traffic uses TLS 1.2+. Email delivery uses STARTTLS with opportunistic encryption. Database volumes are encrypted at rest by Hetzner's storage layer.
Access controls & audit
Role-based access within workspaces. Authentication via password (bcrypt-hashed) or OAuth (Google, Discord). Session tokens are short-lived and rotate on sensitive actions.
What's in place to protect your account and your customers' data.
Two-Factor Authentication (TOTP)
Available for all accounts via Google Authenticator, Authy, 1Password, and any TOTP-compatible app.
Session revocation
Immediately invalidate all active sessions from Settings → Security.
Login brute-force protection
Accounts are locked for 15 minutes after 5 failed login attempts per IP and email combination.
AES-256-GCM encryption at rest
SMTP credentials, API keys, DKIM private keys, and TOTP secrets are encrypted in the database.
DKIM signing (RSA-2048)
Every outbound email is signed with a unique per-domain key. Recipients can verify message authenticity.
SPF & DMARC enforcement
Both records are required during domain verification to prevent spoofing.
TLS in transit
All API connections and SMTP relay traffic use TLS. Certificate validation is enforced on remote relay hosts.
HttpOnly, SameSite=Lax session cookies
Session tokens are inaccessible to JavaScript and protected against CSRF.
Timing-safe secret comparison
Internal API auth uses constant-time comparison to prevent timing side-channel attacks.
Site audit log
Every login, sensitive action, and security event is recorded with a timestamp and IP.
Shared inbox functionality requires the server to read and route emails. Here's the honest breakdown of what we protect and what we can't.
| Data | Encrypted | Note |
|---|---|---|
| Passwords | Yes | bcrypt — never stored in plain text |
| SMTP / API credentials | Yes | AES-256-GCM |
| DKIM private keys | Yes | AES-256-GCM |
| TOTP secrets (2FA) | Yes | AES-256-GCM |
| Session tokens (cookies) | Yes | Signed JWT, HttpOnly |
| Email subject lines | No | DB plaintext — required for search and triage |
| Email body content | No | DB plaintext — required for AI triage and display |
Specific claims about what happens to emails that flow through Smailor.
Where data is stored
All email content, contacts, attachments, and account data are stored on Hetzner servers located in Germany (FSN1/NBG1) and Finland (HEL1). No data is replicated outside the European Economic Area.
AI runs on-server — no third-party LLM
AI triage (available on Pro and Business plans) uses a self-hosted Qwen 2.5 model running on our VPS. Customer email subject lines and bodies are processed locally. Nothing is sent to OpenAI, Anthropic, Google, or any external AI provider. The model never trains on your data.
Data retention
Email content and ticket history are retained for the duration of your subscription. You can export or delete data at any time from Settings. On account deletion, all data is purged within 30 days. Retention can be configured on Business plan.
Audit log — who handled what
Every action on every ticket is logged: who viewed it, who assigned it, who replied, and at what time. This supports GDPR data subject access requests and internal accountability. Audit logs are available on all plans.
AI privacy: Smailor vs cloud-AI helpdesks
| Question | Smailor | Freshdesk / Zendesk / Help Scout AI |
|---|---|---|
| Where is AI model hosted? | On-server (Hetzner DE/FI) | OpenAI / Azure / Google Cloud (US) |
| Is email content sent to external API? | No — processed locally | Yes — sent to LLM API |
| Could data be used for model training? | No | Depends on vendor agreement |
| Data residency guaranteed EU? | Yes | Not for AI processing |
| AI processing disclosed in DPA? | Yes | Varies by vendor |
Third-party services we use to run Smailor. All are bound by appropriate data processing agreements.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Servers, storage, networking | 🇩🇪 Germany / 🇫🇮 Finland (EU) |
| Mollie | Payment processing | 🇳🇱 Netherlands (EU entity) |
| Cloudflare | DNS, CDN, bot protection (Turnstile) | 🇺🇸 USA (SCC covered) |
| Qwen 2.5 (self-hosted) | AI triage & drafting (on-premises) | 🇩🇪 Germany — no data transfer |
SCC = Standard Contractual Clauses (EU transfer mechanism). Full list updated as sub-processors change.
All public legal and compliance documents in one place.
Terms of Service
Rules for using the service, plans, and liability.
Privacy Policy
How we collect, use, and protect personal data.
Data Processing Agreement
GDPR DPA for business customers (Art. 28 RGPD).
Acceptable Use
Prohibited conduct, spam, and abuse policy.
Cookie Policy
Cookies and similar technologies on our sites.
Legal Notice
Company details, imprint, and contact information.
Responsible disclosure
Please disclose security issues responsibly. We investigate all credible reports and will acknowledge receipt within 48 hours. Do not publish vulnerabilities before we've had a chance to address them.