Security & privacy

Privacy is the whole product.

Email is where your business lives. We keep it private, authenticated, and backed up — and we never read, sell, or train AI on what's inside.

TLS in transit

Modern TLS on every connection — HTTPS for the webmail, admin, and API; TLS-encrypted SMTP for mail relay.

Two-factor authentication

Two-step sign-in with any authenticator app you already use, plus one-time recovery codes if you lose your phone. Passwords are stored so that even we can't read them.

DKIM, SPF & DMARC

Your messages land in inboxes, not spam — and no one can send fake mail in your name. Every message proves it really came from your domain, so impersonators get rejected.

Your inbox is never the product

You pay us, so you're the customer — not the product. We never read your mail to target ads, train AI, or sell what's inside. With free email, your inbox is the inventory; here it stays yours.

Audit logs

Every admin action — sign-ins, mailbox creation, password changes, integration tokens — is logged for review and export.

Encrypted off-site backups

Mailbox data and metadata are backed up daily to encrypted off-site storage, so you stay covered even in a worst-case server failure.

Authentication

Your password is never stored in a form anyone could read, and sign-in is built so attackers can't even confirm whether an account exists. Sign-ins are rate-limited per IP and per email; repeated failures lock further attempts for an hour.

Two-factor authentication uses TOTP (compatible with Bitwarden, iCloud Keychain, and other authenticator apps you already use). Each account also gets one-time recovery codes for the case where you lose access to your authenticator. Active sessions are listed in webmail Settings; you can revoke any session — including ones on devices you no longer have.

Mail authentication

Every outbound message is signed with DKIM using a key under your own domain — never a shared signer. Your domain's SPF and DMARC records authorize our infrastructure to send on your behalf, and they tell receiving servers what to do with mail that fails authentication. We help you publish the records during onboarding and re-verify them on demand.

Your data

We don't read your mail, and there's no ad business that would profit if we did. Your messages stay in your mailbox; we never feed them to AI training or advertising. Anything we hold is encrypted and tied only to your account. Webhooks and integrations you set up are signed with HMAC-SHA256 so the apps receiving them can verify authenticity.

Mailbox data and metadata are backed up daily to encrypted off-site storage. The backups are tested periodically by restoring from them.

Reporting a vulnerability

If you've found something concerning, we want to know. Use our support form and pick a high priority — the form goes straight to us and your message is visible to the right person quickly. Please include reproduction steps; we'll get back to you with a status. We treat responsible disclosure seriously and we don't sue researchers acting in good faith.

Email that's yours, the way it should be.

Private by default, on your own domain — and we move your old inbox over for you.

Get started