Security at PostStack

Email infrastructure handles some of the most sensitive data your business owns — customer addresses, message contents, and authentication tokens. This page outlines the controls PostStack uses to keep that data safe.

Encryption

  • In transit: All API and dashboard traffic is served over HTTPS with TLS 1.2 or higher. HSTS is enforced.
  • SMTP transit: Outbound mail uses opportunistic STARTTLS by default; you can switch your domain to enforced TLS in the dashboard.
  • Inbound mail: The Postfix submission port accepts only authenticated TLS connections (port 587 with STARTTLS, port 465 with implicit TLS).
  • At rest: Customer data is stored on encrypted volumes inside Hetzner data centers in the EU. Database backups are encrypted before leaving the database host.

Authentication and authorization

  • Passwords are hashed with Argon2id (memory-hard, resistant to GPU cracking).
  • Mailbox passwords are hashed with bcrypt for Dovecot compatibility.
  • Two-factor authentication via TOTP is available for every user; backup codes are hashed.
  • API keys are stored as cryptographic hashes — the plaintext key is shown once at creation and never persisted. Each key has a fixed sk_live_ / sk_test_ prefix that is validated before any database lookup.
  • Sessions and API requests are scoped to a single team. Cross-team data access is blocked at the service layer.
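
The API key handling described above (hash-only storage, prefix validated before any lookup) can be sketched as follows. This is an added example, not PostStack's own code: the SHA-256 digest, the 32-byte random key body, the in-memory Map standing in for the database, and the names issueKey, verifyKey and lookupCount are all assumptions.

```javascript
const crypto = require("node:crypto");

// Prefixes come from the page; the 43-char base64url body (32 random bytes) is an assumption.
const KEY_PATTERN = /^sk_(live|test)_[A-Za-z0-9_-]{43}$/;

// Hypothetical stand-in for the keys table: SHA-256 hex digest -> { teamId, mode }.
const keyStore = new Map();
let lookups = 0; // counts store accesses so the effect of the pre-check is observable

// A fast hash is assumed here because the key is 256 bits of randomness,
// unlike a human-chosen password, which needs a memory-hard function.
function digest(key) {
  return crypto.createHash("sha256").update(key, "utf8").digest("hex");
}

// Create a key for a team. The plaintext is returned once; only the digest is stored.
function issueKey(teamId, mode) {
  if (mode !== "live" && mode !== "test") throw new Error("mode must be live or test");
  const plaintext = `sk_${mode}_` + crypto.randomBytes(32).toString("base64url");
  keyStore.set(digest(plaintext), { teamId, mode });
  return plaintext;
}

// Resolve a presented key to its record, or null.
// Malformed input is rejected on format alone and never reaches the store.
function verifyKey(presented) {
  if (typeof presented !== "string" || !KEY_PATTERN.test(presented)) return null;
  lookups += 1;
  return keyStore.get(digest(presented)) ?? null;
}

function lookupCount() {
  return lookups;
}
```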

Infrastructure

  • All production infrastructure runs in EU data centers operated by Hetzner. No customer data leaves the EU.
  • Postfix, Dovecot, OpenDKIM, Redis, and PostgreSQL run in isolated containers behind a firewalled network. Only the API and SMTP submission ports are exposed to the internet.
  • Outbound SMTP traffic uses dedicated IP addresses (on Pro and higher plans) with documented warmup schedules. Each IP is monitored for blocklist status.
  • Database access is restricted to the application server. The database is not directly reachable from the internet.

Application security

  • All API requests are rate-limited via Redis (sliding window, scoped per team).
  • All SQL access goes through Drizzle ORM with parameterized queries — no hand-built SQL strings touch user input.
  • Webhook deliveries include an HMAC signature header so customers can verify the payload originated from PostStack.
  • Dependency updates are reviewed continuously. Security-relevant CVEs are patched within 7 days for high severity, 30 days for moderate.

Audit logging

Every administrative action — user creation, role change, API key creation, domain modification, billing change — is recorded in an append-only audit log scoped to your team. Audit log retention follows your plan's data retention policy.

Vulnerability disclosure

If you believe you have found a security vulnerability in PostStack, please report it privately to privacy@poststack.dev. We will acknowledge your report within 2 business days and keep you updated as we investigate.

Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to fix them. We do not currently run a paid bug bounty program, but we will publicly acknowledge your contribution (with your permission) once a fix is shipped.

Our security.txt file is published per RFC 9116.

Compliance

PostStack is operated by MICCI (Fyrretoften 31, 7100 Vejle, Denmark), a Danish company. We comply with the EU General Data Protection Regulation (GDPR). See our Privacy Policy and Data Processing Agreement for details on how customer data is processed.

SOC 2 Type II certification is on our roadmap and will be linked from this page once it is achieved.