Security & Trust

Your data security is our top priority

Security Overview

ExtractMail is built with security-first principles. We implement industry-standard security measures and best practices to protect your data, ensure service availability, and maintain the confidentiality of your email validation activities.

Data Protection

Encryption in Transit

  • All data transmission uses TLS 1.3 encryption
  • HTTPS enforced across all endpoints and web interfaces
  • Perfect Forward Secrecy (PFS) enabled
  • Strong cipher suites and key exchange protocols

Encryption at Rest

  • AES-256 encryption for all stored data
  • Database encryption with managed keys
  • Encrypted backups and disaster recovery systems
  • Key rotation and management best practices

Data Minimization

  • Email addresses are not permanently stored
  • Validation results cached temporarily for performance only
  • User data collection limited to service requirements
  • Automatic data deletion based on retention policies

Authentication & Access Control

User Authentication

  • OAuth 2.0 integration with Google for secure login
  • JWT tokens with secure signing and expiration
  • No password storage on our systems
  • Session management with secure cookies

API Security

  • API key authentication for programmatic access
  • Rate limiting and abuse prevention
  • Request validation and sanitization
  • CORS protection and origin validation

Access Controls

  • Principle of least privilege for system access
  • Multi-factor authentication for administrative access
  • Regular access reviews and audit trails
  • Role-based permissions and segregation of duties

Infrastructure Security

Cloud Security

  • Hosted on enterprise-grade cloud infrastructure
  • Automatic security patching and updates
  • Network segmentation and firewalls
  • DDoS protection and traffic filtering

Application Security

  • Secure coding practices and code reviews
  • Input validation and SQL injection prevention
  • XSS protection and content security policies
  • Dependency scanning and vulnerability management

Monitoring & Alerting

  • 24/7 security monitoring and incident response
  • Automated threat detection and anomaly analysis
  • Real-time alerting for security events
  • Comprehensive logging and audit trails

Compliance & Standards

Data Protection Regulations

  • GDPR compliance for European users
  • CCPA compliance for California residents
  • Data processing agreements available
  • Right to deletion and data portability

Security Standards

  • Follows OWASP security guidelines
  • ISO 27001 aligned security practices
  • SOC 2 Type II certification in progress
  • Regular third-party security assessments

Industry Certifications

  • Regular penetration testing
  • Security audits by certified professionals
  • Vulnerability assessments and remediation
  • Compliance reporting and documentation

Privacy & Data Handling

Email Processing

  • Email addresses processed in memory only
  • No permanent storage of validated email addresses
  • Temporary caching for performance optimization only
  • Automatic purging of processed data

File Upload Security

  • Uploaded files scanned for malware
  • File type validation and size limits
  • Temporary storage with automatic deletion
  • Encrypted file processing pipelines

Data Retention

  • Minimal data retention policies
  • User-controlled data deletion
  • Automated data lifecycle management
  • Transparent data handling practices

Incident Response & Business Continuity

Security Incident Response

  • 24/7 security incident response team
  • Documented incident response procedures
  • Rapid containment and remediation processes
  • Customer notification for data breaches

Business Continuity

  • High availability architecture with redundancy
  • Automated failover and disaster recovery
  • Regular backup testing and restoration
  • Business continuity planning and testing

Service Level Agreements

  • 99.9% uptime commitment for paid plans
  • Maximum response times for support requests
  • Service credit policies for outages
  • Transparent status page and communications

Security Best Practices for Users

Account Security

  • Keep your Google account secure with 2FA
  • Regularly review account activity and permissions
  • Use secure networks when accessing the service
  • Log out from shared or public computers

API Security

  • Store API keys securely and never expose them in code
  • Use environment variables for API key storage
  • Implement rate limiting in your applications
  • Monitor API usage for unusual activity
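The four points above are easy to state and easy to get subtly wrong, so here is an added example of how a client can honour all of them at once. It is not ExtractMail's SDK or documented API: the environment variable name `EXTRACTMAIL_API_KEY`, the `Authorization: Bearer` header, the request payload shape and the injected `send` transport are all assumptions chosen so the code runs offline. The key is loaded only from the environment and the program stops if it is absent; a token bucket throttles calls before they leave the process; every call and every throttled attempt is counted and logged with the key redacted, so the usage numbers can be compared against what the provider's dashboard reports.

```python
import os
import time
import threading
import logging

log = logging.getLogger("extractmail_client")


class MissingApiKey(RuntimeError):
    """Raised when no key is configured; the caller should abort, not fall back."""


def load_api_key(env_var: str = "EXTRACTMAIL_API_KEY", environ=None) -> str:
    """Read the key from the process environment, never from source or config files.

    The variable name is an assumption, not one ExtractMail documents.
    `environ` can be overridden with a dict for testing.
    """
    env = os.environ if environ is None else environ
    key = env.get(env_var, "").strip()
    if not key:
        raise MissingApiKey(f"set {env_var} in the process environment")
    return key


def redact(key: str) -> str:
    """Log-safe form of a key: only the last four characters survive."""
    return "****" + key[-4:] if len(key) > 4 else "****"


class TokenBucket:
    """Client-side limiter: refills `rate` tokens per second, holds at most `capacity`."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.clock = clock  # injectable so tests need not sleep
        self.last = clock()
        self.lock = threading.Lock()

    def try_acquire(self) -> bool:
        with self.lock:
            now = self.clock()
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= 1:
                self.tokens -= 1
                return True
            return False


class ValidationClient:
    """Rate-limited, audited wrapper around an injected transport.

    `send(headers, payload)` would do the HTTPS request in real use; here it is
    a plain callable so the example is self-contained. Header and payload
    layout are assumptions.
    """

    def __init__(self, api_key: str, send, rate: float = 5.0, burst: int = 5,
                 clock=time.monotonic):
        self._api_key = api_key
        self._send = send
        self._bucket = TokenBucket(rate, burst, clock)
        self.calls = 0       # requests actually sent
        self.throttled = 0   # requests refused locally

    def validate(self, address: str):
        if not self._bucket.try_acquire():
            self.throttled += 1
            log.warning("local rate limit hit for key %s", redact(self._api_key))
            return None
        self.calls += 1
        headers = {"Authorization": f"Bearer {self._api_key}"}  # assumed header
        return self._send(headers, {"email": address})  # assumed payload shape

    def __repr__(self):
        # Never let the raw key reach logs or tracebacks via repr().
        return f"ValidationClient(key={redact(self._api_key)})"


if __name__ == "__main__":
    # Offline demo: a fake transport that echoes what it would have sent.
    def fake_send(headers, payload):
        return {"sent": payload, "auth": redact(headers["Authorization"].split()[-1])}

    try:
        client = ValidationClient(load_api_key(), fake_send, rate=2.0, burst=2)
        for addr in ("a@example.com", "b@example.com", "c@example.com"):
            print(addr, "->", client.validate(addr))
        print(client, "sent:", client.calls, "throttled:", client.throttled)
    except MissingApiKey as exc:
        print("refusing to start:", exc)
```

Two design choices worth noting: the limiter refuses locally rather than sleeping, so a burst of calls surfaces as a counted, logged event instead of silently stretching the run, and `repr()` is overridden because the default one would print the key the moment the object appears in a traceback.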

Data Handling

  • Only validate email addresses you have permission to check
  • Implement proper data protection in your applications
  • Follow applicable privacy laws and regulations
  • Secure any validation results you store locally

Reporting Security Issues

We take security vulnerabilities seriously and appreciate responsible disclosure.

How to Report

  • Email security issues to [email protected]
  • Include detailed information about the vulnerability
  • Provide steps to reproduce the issue if possible
  • Do not disclose publicly until we have addressed the issue

Our Commitment

  • Acknowledge receipt within 24 hours
  • Provide regular updates on investigation progress
  • Fix verified vulnerabilities promptly
  • Credit researchers in our security acknowledgments

Contact Our Security Team

For security-related questions, concerns, or to report vulnerabilities: