Security we take seriously
Protecting customer data is a top priority. Here is how our infrastructure, data handling, and recovery are built to keep your lists safe.
Infrastructure
Our architecture is built to be secure and reliable, in certified data centers, with recovery built in.
System architecture
Built to be secure and reliable. API access happens locally with a key kept out of public reach, and traffic to and from our Mailman servers runs over SFTP, SSH, and SSL.
Data centers
Our applications run on Linode, certified SOC 1 Type 2, SOC 2 Type 2, HIPAA Type 1, HITECH, and PCI DSS.
PCI DSS
Payments and card data are handled by Authorize.net, a certified PCI Level 1 Service Provider. Card data does not normally pass through our systems, which keeps us PCI DSS compliant in most situations.
Continuity and recovery
Fault-tolerant by design. Any cloud server detected as failing triggers a migration that moves it to a more stable hypervisor.
Firewall and encryption
Servers sit behind firewalls and malware scanners. All web traffic is forced over HTTPS, and our SMTP servers upgrade connections to TLS.
Isolated environments
Development and testing systems are kept fully isolated from production.
Data
Where your data lives, how it is reached, and how it is backed up.
Your domain or ours
Use your own private domain, or a subdomain of ours. Email sent to either is governed by each subscriber's per-list settings.
Data storage
Data stores are reachable only by the servers that actually require access.
Backups
Server-wide snapshots run daily, weekly, and monthly, and are retained for one month.
Logs
Sensitive information in logs is handled with the same care as the rest of our data.
Questions about security or compliance?
Tell us what your organization needs. We are happy to walk through our controls in detail.