Security & Trust

Built on a foundation you can verify.

Smailor is an email infrastructure service. We take security, deliverability, and privacy seriously — not as marketing, but as the core of a service your team depends on every day.

GDPR compliant

Data processed in Europe. Full DPA available for business customers.

TLS everywhere

All connections encrypted in transit. STARTTLS enforced on email delivery.

SPF · DKIM · DMARC

Full email authentication stack on all outbound mail. BIMI support available.

Email infrastructure

How outbound and inbound email actually works.

Outbound mail — SMTP with authentication

Every outbound email is signed with DKIM (RSA-2048) on your custom domain. SPF records delegate sending rights to Smailor's infrastructure. DMARC enforcement prevents spoofing of your domain. Envelope-from alignment is enforced for consistent delivery.

Inbound mail — MX routing

Your domain's MX records point to Smailor's mail receivers. Incoming messages are validated, spam-scored, and routed to the correct inbox in under a second. Attachments are stored separately and served via authenticated URLs.

Data center — Hetzner (Germany / Finland)

All data is stored on Hetzner servers located in the EU (Germany and/or Finland). Hetzner is ISO 27001 certified. Data never leaves the European Economic Area without appropriate safeguards.

Deliverability — reputation

Per-domain sending stats are visible in your dashboard. BIMI logos are supported for brand recognition in Gmail and Apple Mail. We monitor bounce rates and automatically throttle to protect your domain's reputation.

Anti-spam & abuse prevention

Outbound rate limiting per domain and per account. Sending through Smailor for unsolicited bulk mail violates our Acceptable Use Policy and results in immediate suspension. We score inbound messages for spam and phishing before routing. Abuse reports go to [email protected].

Data & Privacy

What we collect, why, and for how long.

We do not sell your data

Your emails, contacts, and message content are never sold or shared with third parties for advertising. We process data solely to provide the service, ensure security, and comply with the law.

We do not train AI on your content

Your private messages are never used to train public or third-party machine learning models. AI features run on a self-hosted model (Qwen 2.5, 1.5 B). Your data never leaves our servers.

Encryption in transit & at rest

All HTTP traffic uses TLS 1.2+. Email delivery uses STARTTLS with opportunistic encryption. Database volumes are encrypted at rest by Hetzner's storage layer.

Access controls & audit

Role-based access within workspaces. Authentication via password (bcrypt-hashed) or OAuth (Google, Discord). Session tokens are short-lived and rotate on sensitive actions.

Security measures

What's in place to protect your account and your customers' data.

  • Two-Factor Authentication (TOTP)

    Available for all accounts via Google Authenticator, Authy, 1Password, and any TOTP-compatible app.

  • Session revocation

    Immediately invalidate all active sessions from Settings → Security.

  • Login brute-force protection

    Accounts are locked for 15 minutes after 5 failed login attempts per IP and email combination.

  • AES-256-GCM encryption at rest

    SMTP credentials, API keys, DKIM private keys, and TOTP secrets are encrypted in the database.

  • DKIM signing (RSA-2048)

    Every outbound email is signed with a unique per-domain key. Recipients can verify message authenticity.

  • SPF & DMARC enforcement

    Both records are required during domain verification to prevent spoofing.

  • TLS in transit

    All API connections and SMTP relay traffic use TLS. Certificate validation is enforced on remote relay hosts.

  • HttpOnly, SameSite=Lax session cookies

    Session tokens are inaccessible to JavaScript and protected against CSRF.

  • Timing-safe secret comparison

    Internal API auth uses constant-time comparison to prevent timing side-channel attacks.

  • Site audit log

    Every login, sensitive action, and security event is recorded with a timestamp and IP.

What's encrypted — and what isn't

Shared inbox functionality requires the server to read and route emails. Here's the honest breakdown of what we protect and what we can't.

DataEncryptedNote
PasswordsYesbcrypt — never stored in plain text
SMTP / API credentialsYesAES-256-GCM
DKIM private keysYesAES-256-GCM
TOTP secrets (2FA)YesAES-256-GCM
Session tokens (cookies)YesSigned JWT, HttpOnly
Email subject linesNoDB plaintext — required for search and triage
Email body contentNoDB plaintext — required for AI triage and display

How Smailor handles customer email data

Specific claims about what happens to emails that flow through Smailor.

Where data is stored

All email content, contacts, attachments, and account data are stored on Hetzner servers located in Germany (FSN1/NBG1) and Finland (HEL1). No data is replicated outside the European Economic Area.

AI runs on-server — no third-party LLM

AI triage (available on Pro and Business plans) uses a self-hosted Qwen 2.5 model running on our VPS. Customer email subject lines and bodies are processed locally. Nothing is sent to OpenAI, Anthropic, Google, or any external AI provider. The model never trains on your data.

Data retention

Email content and ticket history are retained for the duration of your subscription. You can export or delete data at any time from Settings. On account deletion, all data is purged within 30 days. Retention can be configured on Business plan.

Audit log — who handled what

Every action on every ticket is logged: who viewed it, who assigned it, who replied, and at what time. This supports GDPR data subject access requests and internal accountability. Audit logs are available on all plans.

AI privacy: Smailor vs cloud-AI helpdesks

QuestionSmailorFreshdesk / Zendesk / Help Scout AI
Where is AI model hosted?On-server (Hetzner DE/FI)OpenAI / Azure / Google Cloud (US)
Is email content sent to external API?No — processed locallyYes — sent to LLM API
Could data be used for model training?NoDepends on vendor agreement
Data residency guaranteed EU?YesNot for AI processing
AI processing disclosed in DPA?YesVaries by vendor

Sub-processors

Third-party services we use to run Smailor. All are bound by appropriate data processing agreements.

ProviderPurposeLocation
HetznerServers, storage, networking🇩🇪 Germany / 🇫🇮 Finland (EU)
MolliePayment processing🇳🇱 Netherlands (EU entity)
CloudflareDNS, CDN, bot protection (Turnstile)🇺🇸 USA (SCC covered)
Qwen 2.5 (self-hosted)AI triage & drafting (on-premises)🇩🇪 Germany — no data transfer

SCC = Standard Contractual Clauses (EU transfer mechanism). Full list updated as sub-processors change.

Legal documents

All public legal and compliance documents in one place.

Responsible disclosure

Found a vulnerability?

Please disclose security issues responsibly. We investigate all credible reports and will acknowledge receipt within 48 hours. Do not publish vulnerabilities before we've had a chance to address them.

Privacy Policy