Security

Security is how the product is built, not a bolt-on.

SendChief provisions real production infrastructure — dedicated VPS, encrypted credential storage, hardened mail server, DNSSEC-friendly DNS automation. This page explains how it's secured end to end so you can make an informed decision before you deploy.

How it's secured

Five layers, end to end

Encryption, authentication, DNS, infrastructure hardening, and compliance — each wired into every provisioning run.

Credentials encrypted at rest, traffic encrypted in transit

Mailbox passwords in the credential vault are encrypted at rest with AES-256-GCM — a modern authenticated encryption scheme that protects both confidentiality and integrity. Encryption keys are managed separately from the vault itself, and credentials are decrypted only at the moment they are exported or used.

All application traffic runs over TLS. Mail server connections enforce opportunistic TLS for inbound SMTP and authenticated TLS for outbound. IMAP and SMTP submission require TLS. Webmail is served over HTTPS with HSTS.

Multi-layered auth for the dashboard, scoped tokens for webmail

  • Dashboard auth — JWT session tokens with industry-standard password hashing.
  • Role-based workspace access — Owner, Admin, and Member roles scope permissions. Invitations use signed, time-limited, single-use tokens.
  • Webmail auto-login — HMAC-signed, single-use, time-limited tokens. No long-lived webmail cookies.
  • Workspace isolation — Every API request is scoped to the caller's workspace membership; cross-workspace access is blocked at the authorization layer.
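
An added example, not SendChief's code: one way to build the HMAC-signed, single-use, time-limited token that the webmail auto-login bullet describes. The token layout, field names, TTL, key handling and in-memory used-token set are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: server-side signing key, never sent to clients
_used = set()  # assumption: in-memory; real deployments need a shared store with atomic insert

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(mailbox, ttl=60, now=None):
    """Sign {mailbox, expiry, random id}; ttl is in seconds (hypothetical default)."""
    now = time.time() if now is None else now
    claims = {"sub": mailbox, "exp": int(now) + ttl, "jti": secrets.token_hex(16)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def redeem_token(token, now=None):
    """Return the mailbox once for a valid token; None for anything else."""
    now = time.time() if now is None else now
    try:
        payload64, tag64 = token.split(".")
        payload, tag = b64d(payload64), b64d(tag64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time; verify before parsing
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:  # time-limited
        return None
    if claims["jti"] in _used:  # single-use: a replayed token is rejected
        return None
    _used.add(claims["jti"])
    return claims["sub"]
```

The signature is checked before the payload is parsed, so unauthenticated input never reaches the JSON decoder, and the random `jti` is what makes replay detection possible.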

The full email authentication stack, auto-configured

Every domain added to SendChief gets the full DNS authentication set published automatically via Cloudflare:

  • SPF — Authorizes SendChief's mail servers as legitimate senders for your domain.
  • DKIM — Per-domain signing keys that cryptographically prove outbound messages originated from your domain.
  • DMARC — Policy layer telling recipients how to handle mail that fails SPF or DKIM.
  • DANE / TLSA — Binds your mail server's TLS certificate to DNS, making man-in-the-middle attacks dramatically harder. Most competitors don't publish these at all.
  • Reverse DNS (PTR) — Set on both IPv4 and IPv6 so major providers don't drop mail on a technicality.

Production defaults, not developer defaults

  • Dedicated VPS per subscription — Every server is isolated. No shared kernel, no shared mail queue, no shared IP reputation with other customers.
  • Hardened mail server — A production-grade mail stack configured with minimal attack surface, standard relay restrictions, and rate limits calibrated for legitimate outbound volume.
  • Nginx reverse proxy with security rules — The dashboard runs behind Nginx with rate limiting, header hardening, and strict security policies.
  • Application-layer filtering — A dedicated middleware layer enforces additional request filtering and threat detection.
  • IP reputation protection — Provisioning-time blacklist checks across major DNS blacklists, up to 3 auto-rotation attempts, and ongoing monitoring with alerts.

GDPR-ready, with EU data residency

  • GDPR — Designed for compliance from the data model up. Right-to-access and right-to-deletion are first-class operations. A data-processing agreement is available for EU customers on request.
  • EU data residency — Scaleway's EU regions (France and Netherlands) are first-class deployment targets. Pick an EU region at provisioning time and your mail server plus mailbox data stays in the EU.
  • Data controller / processor — You're the data controller for mail flowing through your SendChief servers. SendChief is the processor for the subset required to run the managed service.
  • Sub-processor transparency — The privacy policy lists every sub-processor: Supabase, Scaleway, Cloudflare, Stripe, Resend, PostHog (anonymous mode).
  • Roadmap — SOC 2 Type 2 and ISO 27001 are targets we're working toward. We'll publish status when meaningful evidence is available — not before.

Found something? Tell us.

If you believe you've found a security issue in SendChief — the app, the mail server configuration, or any infrastructure we run — please report it. We'll acknowledge receipt within 72 hours and work with you on a fix. We don't currently run a bug bounty program, but we credit reporters (with permission) and appreciate every report. A PGP key for encrypted reports is available on request.

security@sendchief.com

Questions about security or compliance?

We're happy to walk through the architecture

Talk to us about your requirements, or deploy a dedicated VPS and inspect it yourself.