Table of Content
Lasted Updated: October 17, 2019.
At Elastic Email, we take the security of your privacy and data extremely seriously and we want to be as transparent as possible with how we conduct business around security measures. Not every detail is shared of course, as we do not want our transparency to lead to exploitation of our system and your data.
2. Application and API
- Elastic Email account passwords are hashed when they are stored. A hash is one-way encryption so your passwords cannot be viewed by anyone (including our administrators) and can only be reset.
- Login log with details such as user agent, browser, IP.
- Event logging including password changes, password forgets, account email changes, payments, API Key changes/additions/deletions, exports and more.
- We support standard SSL encryption for all application and API access.
- We support standard SSL and TLS encryption for all SMTP traffic.
- API Keys require account login and password to obtain.
- Access levels are defined for both our accounts, users and our administrators. We support a granular access model where only the required access needed can be granted for all stakeholders.
- Changes of Account information such as email and password require the Account holder confirmation by email confirmation.
- We have sophisticated algorithms protecting your account from malicious content as well as 24/7 human monitoring of your mail looking for inappropriate content or unusual activity.
3. Data Redundancy
- Databases have full real-time replication configured.
- Storage redundancy is used to increase the reliability of data storage.
- Backups are done regularly and rotated for special circumstance restore.
- Multi-tenancy is realized by using separate databases and data logic to prevent overlap or corruption.
4. Training and Protocols
Our staff is provided training on our security policies and personal information privacy policies. Yearly, our staff is required to:
- Take employee GDPR training and obtain a certificate of the training.
- Review our internal policies in areas such as security and personal information privacy.
- Sign a Non Disclosure Agreement highlighting their responsibilities in protecting your data.
All employees and contractors go through a rigid employment reference check and criminal record check where applicable before starting with Elastic Email.
5. Data Centers
Elastic Email hosts your data at several data centers in the EU, the United States, and Canada. In all our data centers, access is strictly monitored. Some of the security measures are outlined below that our hosts adhere to:
- Perimeter’s secured with barbed wire fences.
- Constant video surveillance and motion detection sensor monitoring.
- Activity both within and outside of the data centers is monitored and recorded on secure servers, with surveillance teams working on site, 24/7.
- Staff member receives an RFID name badge, which is also used to restrict their access. Employees must hand in their badges for verification before passing through the security doors.
- Employee access rights are reassessed regularly, according to their remit.
- The server rooms have an even higher level of protection, as only authorized personnel can gain entry.
- DDOS mitigation is in place.
6. Payment Processing
Elastic Email uses two payment processing services Stripe and Paypal who follow industry standards in protecting your personal data. Elastic Email does not store your credit card information. We keep only transaction fingerprints to help with fraud and abuse.
7. Email and Website Phishing
Elastic Email will never send a regular email that asks you to provide, confirm or verify personal, login or account information. Also, Elastic Email will never include a link to an online service in a regular email and ask you to sign in using that link. If you receive an email of this type, that appears to be from Elastic Email, please forward it to firstname.lastname@example.org and then delete it.
If you believe your confidential information may have been stolen or obtained by a fraudulent party either online or through any other means, contact us immediately at email@example.com.
To report fake websites impersonating Elastic Email websites, send an email to firstname.lastname@example.org with the subject "Fake Elastic Email website." Remember to copy the full URL (website address) into the body of the email.
Report fake websites impersonating Elastic Email websites to Google and Microsoft - link https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en and https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site