Security

Security at Mailnurse.

How we protect customer data, credentials, and the systems we monitor.

AES-256
Encryption at rest
TLS 1.3
Transport encryption
0
Customer-data leaks since launch
In progress
SOC 2 Type II

Encryption

Customer data and credentials are encrypted at rest with AES-256-GCM, using keys managed by AWS KMS. Key material never leaves the HSM boundary; the application receives only short-lived data encryption keys, which are rotated on a quarterly cadence.

All customer-facing traffic is served over TLS 1.3 with modern cipher suites; older TLS versions are disabled at the load balancer. Service-to-service traffic inside the VPC uses mutual TLS, so every internal call is mutually authenticated before any payload is exchanged.

Credential handling

OAuth tokens and API keys for Workspace, Cloudflare, Instantly, and Spaceship are stored encrypted in a dedicated vault namespace, isolated from the application database. Credentials are decrypted only at the point of use, are never written to application logs or analytics, and are scrubbed from any error reports. The vault encryption key is rotated quarterly.

Access control

  • Role-based access for Mailnurse staff — engineering, support, and billing each receive scoped roles with the minimum privileges required.
  • Two-factor authentication is mandatory on all employee accounts.
  • SSH access to production infrastructure is key-only, with no password fallback.
  • Every internal access action is audit-logged to an append-only store.
  • Access reviews are performed quarterly; permissions for any departed staff are revoked the day employment ends.

Hosting and data residency

The default processing region is AWS us-east-1. Customers on the Agency tier and above may request eu-west-1, which keeps all customer data inside the European Economic Area. The marketing site you are reading is served via Cloudflare. The dashboard at app.mailnurse.io runs on a VPS with strict ingress rules — only the load balancer is publicly reachable, all other instances are private.

Vulnerability management

  • Dependency-bot plus automated CVE scanning runs on every pull request; high-severity findings block merge.
  • A third-party penetration test is conducted quarterly; the findings summary is shared with enterprise customers under NDA.
  • A responsible-disclosure program operates at [email protected] with a ninety-day public-disclosure window from the date of confirmation.

Incident response

Mailnurse runs a 24/7 on-call rotation. Severity-1 incidents trigger customer notification within four hours of confirmation; a written root-cause analysis is published within fourteen days. Live incident status is mirrored at status.mailnurse.io.

Compliance roadmap

  • GDPR — compliant (see our DPA).
  • CCPA — compliant.
  • SOC 2 Type I — in progress, target Q3 2026.
  • SOC 2 Type II — in progress, target Q1 2027.
  • ISO 27001 — on the roadmap.

Report a vulnerability

Found something? Email [email protected] — a PGP key is available on request.

Care, expressed as precision.

Cold-email infrastructure that watches itself — so you can focus on the campaign, not the chassis.

Start free trial → Book a demo

14-day free trial · No credit card · Instant setup