Security & Compliance
FormaMail is built with enterprise-grade security. We understand that your transactional emails contain sensitive business data, and we take protecting that data seriously.
Security Overview
- All API traffic encrypted in transit
- Passwords & keys hashed
- EU data protection compliant
- Uptime SLA target
Quick Links
- Compliance & Certifications - SOC 2, GDPR, CCPA, PCI DSS
- Data Handling & Encryption - How we protect your data
- Infrastructure & Reliability - AWS, uptime, disaster recovery
Security Principles
Defense in Depth
We implement multiple layers of security:
- Network Layer: WAF, DDoS protection, IP allowlisting (Enterprise)
- Application Layer: Input validation, rate limiting, CSRF protection
- Data Layer: TLS in transit, hashed credentials, access controls
- Operational Layer: Audit logging, monitoring, incident response
Least Privilege Access
- API keys scoped to specific permissions
- Role-based access control (Owner, Admin, Member, Viewer)
- OAuth scopes limit third-party access
- No shared credentials
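The following is an added example of how scoped API keys are enforced at request time; it is not FormaMail's own code. It assumes a key format of `fm_<key_id>.<secret>`, scope names such as `emails:send`, and an in-memory key table, none of which the page specifies. `hashlib.scrypt` stands in for the bcrypt the page names so the example runs with the standard library alone.

```python
"""Scoped API keys enforced at request time.

Added example for this page, not FormaMail's own code. Assumptions not
stated on the page: keys look like "fm_<key_id>.<secret>", scopes are
strings such as "emails:send", and the store holds only a salted hash of
the secret. hashlib.scrypt stands in for the bcrypt the page names so the
example runs with the standard library alone.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Work factor for the stand-in hash: 16 MiB of memory, tens of ms per check.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


class PermissionDenied(Exception):
    pass


@dataclass
class StoredKey:
    key_id: str
    salt: bytes
    secret_hash: bytes
    scopes: frozenset
    revoked: bool = False


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT_PARAMS)


class KeyStore:
    """In-memory stand-in for the key table; a real store would be a database."""

    def __init__(self):
        self._keys = {}

    def issue(self, scopes) -> str:
        """Create a key limited to `scopes`; the plaintext is returned once and never kept."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)      # 256 bits of entropy
        salt = os.urandom(16)
        self._keys[key_id] = StoredKey(
            key_id, salt, _hash_secret(secret, salt), frozenset(scopes)
        )
        return f"fm_{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        self._keys[key_id].revoked = True

    def authenticate(self, presented: str):
        """Return the stored record for a valid, unrevoked key, else None."""
        if not presented.startswith("fm_"):
            return None
        key_id, sep, secret = presented[3:].partition(".")
        if not sep:
            return None
        rec = self._keys.get(key_id)          # lookup by public id, not by secret
        if rec is None or rec.revoked:
            return None
        # Constant-time compare so a wrong secret does not leak how many bytes matched.
        if not hmac.compare_digest(_hash_secret(secret, rec.salt), rec.secret_hash):
            return None
        return rec

    def authorize(self, presented: str, scope: str) -> str:
        """Authenticate and then require `scope`; returns the key id on success."""
        rec = self.authenticate(presented)
        if rec is None:
            raise PermissionDenied("invalid or revoked API key")
        if scope not in rec.scopes:
            raise PermissionDenied(f"API key lacks scope {scope!r}")
        return rec.key_id
```

Two points worth noting for anyone implementing this. The public `key_id` lets the server look the record up without ever querying by the secret, and the hashed secret means a leaked key table yields nothing usable. Because the secret is 256 bits of randomness rather than a human-chosen password, the slow hash adds cost without adding much protection against brute force; if bcrypt is used, as the page states, keep secrets under its 72-byte input limit (the 43-character secret above fits).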
Data Minimization
- We only store data necessary for the service
- Email content retained for configurable period (default 90 days)
- Generated attachments auto-deleted after 7 days
- Logs retained for compliance then purged
Authentication Methods
FormaMail supports multiple secure authentication methods:
| Method | Use Case | Security Level |
|---|---|---|
| API Keys | Server-to-server | High (scoped permissions) |
| JWT Tokens | Dashboard/web apps | High (short-lived) |
| OAuth 2.0 | Third-party integrations | High (scoped, revocable) |
| 2FA | Dashboard login | Additional layer |
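The table calls dashboard JWTs "short-lived", which only holds if the verifier actually enforces expiry and does not let the token choose its own algorithm. The following is an added example of a minimal mint/verify pair, not FormaMail's implementation; the HS256 choice, the 15-minute lifetime, and the issuer and audience strings are assumptions.

```python
"""Short-lived dashboard JWTs: mint and verify with a pinned algorithm.

Added example, not FormaMail's implementation; the page only states that
dashboard tokens are short-lived JWTs. Assumptions: HS256 with a server-side
secret, a 15-minute lifetime, and the issuer/audience strings below.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "formamail-dashboard"   # assumed value
AUDIENCE = "formamail-api"        # assumed value
LIFETIME = 15 * 60                # seconds; "short-lived" per the page


class InvalidToken(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint(secret: bytes, subject: str, roles, now=None) -> str:
    """Issue an HS256 token for `subject` that expires LIFETIME seconds after `now`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "aud": AUDIENCE, "sub": subject,
        "roles": list(roles), "iat": now, "exp": now + LIFETIME,
    }
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(secret: bytes, token: str, now=None, leeway: int = 30) -> dict:
    """Return the claims if the token is well formed, signed by `secret`, and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError as exc:   # covers unpacking, base64 and JSON errors
        raise InvalidToken("malformed token") from exc
    # Pin the algorithm server-side. The header is attacker-controlled, so
    # honouring whatever it names would let "alg": "none" bypass the signature.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unsupported algorithm")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise InvalidToken("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise InvalidToken("token expired")
    return claims
```

The verifier checks the signature before it reads any claim, refuses tokens whose header names a different algorithm, and treats a missing or non-integer `exp` as expired rather than as "no expiry". The small `leeway` absorbs clock skew between the issuing and verifying hosts without stretching the lifetime meaningfully.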
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
Email: security@formamail.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information
We will acknowledge receipt within 24 hours and provide updates as we investigate.
Please do not publicly disclose security issues until we’ve had a chance to address them.
Security FAQ
Is my data protected?
Yes, we implement multiple security measures:
- In transit: All connections secured with TLS (via Cloudflare)
- Credentials: Passwords, API keys, and OAuth tokens are hashed with bcrypt
- Email content: Processed in real-time and never stored
Where is my data stored?
FormaMail infrastructure runs on AWS in the US-East-1 region. EU data residency options are planned for Q2 2026.
Can I get a Data Processing Agreement (DPA)?
Yes, DPAs are available for all customers. Contact support@formamail.com to request one.
Do you process credit card data?
No, we never handle or store credit card data directly. Payment processing is handled by Cashfree, a PCI DSS Level 1 certified provider.
How do I report a security issue?
Email security@formamail.com with details of the vulnerability. We take all reports seriously and will respond within 24 hours.