Last Updated: May 25, 2018.
At Elastic Email, we take the security of your privacy and data extremely seriously, and we want to be as transparent as possible about how we conduct business around security measures. Not every detail is shared, of course, as we do not want our transparency to lead to exploitation of our system and your data.
2. Application and API
- Elastic Email account passwords are hashed when they are stored. A hash is a one-way transformation, so your passwords cannot be viewed by anyone (including our administrators) and can only be reset.
- Login log with details such as user agent, browser, IP.
- Event logging including password changes, forgotten-password requests, account email changes, payments, API Key changes/additions/deletions, exports and more.
- We support standard SSL encryption for all application and API access.
- We support standard SSL and TLS encryption for all SMTP traffic.
- API Keys require account login and password to obtain.
- Access levels are defined for our accounts, users and administrators. We support a granular access model where only the access required can be granted to each stakeholder.
- Changes to Account information such as email and password require confirmation by the Account holder via email.
- We have sophisticated algorithms protecting your account from malicious content as well as 24/7 human monitoring of your mail looking for inappropriate content or unusual activity.
3. Data Redundancy
- Databases have full real-time replication configured.
- Storage redundancy is used to increase reliability of data storage.
- Backups are done regularly and rotated for restores in special circumstances.
- Multi-tenancy is realized by using separate databases and data logic to prevent overlap or corruption.
4. Training and Protocols
Our staff is provided training on our security policies and personal information privacy policies. Yearly, our staff are required to:
- Take employee GDPR training and obtain a certificate of the training.
- Review our internal policies in areas such as security and personal information privacy.
- Sign a Non-Disclosure Agreement highlighting their responsibilities in protecting your data.
All employees and contractors go through a rigorous employment reference check and criminal record check where applicable before starting with Elastic Email.
5. Data Centers
Elastic Email hosts your data at several data centers in the EU, the United States, and Canada. In all our data centers, access is strictly monitored. Some of the security measures that our hosts adhere to are outlined below:
- Perimeters secured with barbed wire fences.
- Constant video surveillance and motion detection sensor monitoring.
- Activity both within and outside of the data centers is monitored and recorded on secure servers, with surveillance teams working on site, 24/7.
- Each staff member receives an RFID name badge, which is also used to restrict their access. Employees must hand in their badges for verification before passing through the security doors.
- Employee access rights are reassessed regularly, according to their remit.
- The server rooms have an even higher level of protection, as only authorized personnel can gain entry.
- DDoS mitigation is in place.
6. Payment Processing
Elastic Email uses two payment processing services, Stripe and PayPal, which follow industry standards in protecting your personal data. Elastic Email does not store your credit card information. We keep only transaction fingerprints to help with fraud and abuse.