Data Handling & Security

This page describes how FormaMail handles your data throughout its lifecycle - from collection to deletion.

Security Measures

Data in Transit

All connections to FormaMail are secured via TLS through CloudFlare:

Protocol	Status
TLS 1.3	Enabled (preferred)
TLS 1.2	Enabled (fallback)
TLS 1.1	Disabled
TLS 1.0	Disabled
SSL	Disabled

Additional protections:

HSTS (HTTP Strict Transport Security) enforced via CloudFlare
DDoS protection via CloudFlare
Certificate transparency logging enabled

Credential Security

All sensitive credentials are hashed before storage:

Credential Type	Security Measure
User passwords	bcrypt hashed (12 rounds)
API keys	bcrypt hashed (never stored in plain text)
OAuth access tokens	Hashed before storage
OAuth refresh tokens	Hashed before storage

We never store passwords or API keys in plain text. Once created, you cannot retrieve the full API key - only the first and last 4 characters are displayed in the dashboard.

Infrastructure Security

FormaMail uses a multi-cloud infrastructure with managed security:

Component	Provider	Security
Database (PostgreSQL)	Railway	Encrypted at rest (storage-level)
Cache (Redis)	Railway	TLS connections
Email Delivery	AWS SES	TLS, SPF/DKIM/DMARC
CDN/WAF	CloudFlare	TLS 1.3, DDoS protection

Database encryption at rest is provided by Railway’s infrastructure at the storage level. Application-level encryption is not implemented in the FormaMail codebase - we rely on infrastructure providers for encryption.

API Key Security

API keys are handled securely:

Keys are generated using cryptographically secure random number generators
Only the first and last 4 characters are displayed in the dashboard
Keys are hashed before storage (you cannot retrieve the full key after creation)
Keys can be scoped to specific permissions

Data Retention

FormaMail implements a three-tier data retention system designed to balance functionality with data minimization and GDPR compliance:

Retention Tiers

Tier	Period	Description
Full Logs	30 days	Complete email/attachment logs with all details
Archived Data	5 years	Basic records without PII for compliance
Daily Summaries	Indefinite	Aggregated analytics per team/template

Full Log Retention (30 Days)

During the first 30 days, full data is available including:

Complete email metadata
Recipient email addresses (for unsubscribes and tracking)
Detailed engagement data (opens, clicks with timestamps)
Full attachment job details

Archived Data (5 Years)

After 30 days, data is archived with the following changes:

Recipient emails are removed - GDPR compliance, no PII stored
Basic metrics preserved (sent count, status, error category)
Engagement summary (was opened, was clicked, counts)
Template and batch references maintained

Archived records cannot be used for retry operations since recipient information is not preserved.

Daily Summaries (Indefinite)

Aggregated analytics are kept indefinitely:

Volume metrics (sent, delivered, bounced, etc.)
Engagement rates (open rate, click rate)
Error category breakdowns
Template performance comparisons

Retention Periods by Data Type

Data Type	Full Data	Archived Data	Summary Data
Email logs	30 days	5 years	Indefinite
Attachment jobs	30 days	5 years	Indefinite
Email opens/clicks	30 days	Summarized	Indefinite
Webhook events	30 days	-	-
Generated PDFs/Excel	7 days	-	-
Audit logs	2 years	-	-
Soft-deleted records	30 days	-	-

Archive Process

The archiving process runs daily at 2:30 AM UTC:

Summary Update: Daily summaries are updated from live data
Data Archive: Records older than 30 days are moved to archive tables
PII Removal: Recipient emails and detailed tracking data are removed
Cleanup: Original full records are deleted

What Happens at Expiration

When data reaches its retention limit:

Archive First: Data is archived with PII removed (email/attachment logs)
Soft Delete: Data is marked as deleted but retained for 30 days
Hard Delete: Data is permanently removed from primary storage
Backup Purge: Backups containing the data expire per backup schedule

Data Deletion

If you received emails from a FormaMail customer and want your data removed, you can submit a data removal request:

Visit app.formamail.com/data-removal
Enter the email address you want removed
Choose your removal type:
- Delete All: Permanently delete all associated data
- Anonymize: Replace PII with anonymous data
- Export & Delete: Get a copy before deletion
Verify your email by clicking the link we send
Our team processes requests within 30 days

Data removal requests are processed for email recipients. If you’re a FormaMail customer wanting to delete your account, see the Account Deletion section below.

What Gets Removed

When a data removal request is processed:

Data Type	Action
Suppression list entries	Deleted
Unsubscribe records	Deleted
Email open/click tracking	Anonymized
Email log references	Already anonymized after 30 days

Status Tracking

You can check your request status at app.formamail.com/data-removal/status

Status	Meaning
Pending	Awaiting email verification
Verified	In queue for processing
Processing	Currently being processed
Completed	All data has been removed
Rejected	Request could not be fulfilled
Expired	Verification link expired (24 hours)

Automatic Deletion

FormaMail automatically deletes:

Generated attachments after 7 days
Soft-deleted records after 30 days
Email logs (archived after 30 days, deleted after 5 years)
Expired OAuth tokens and authorization codes

Manual Deletion

You can manually delete data via:

API:

# Delete a specific email log
DELETE /api/emails/:id
 
# Bulk delete email logs
DELETE /api/emails/bulk

Dashboard:

Go to Email Logs → Select emails → Delete
Go to Templates → Select template → Delete

Account Deletion

To delete your entire account and all associated data:

Go to Settings → Account → Delete Account
Confirm your identity
Enter “DELETE” to confirm
All data is scheduled for deletion within 30 days

⚠️

Account deletion is irreversible. All templates, logs, and data will be permanently deleted.

Access Controls

Role-Based Access Control (RBAC)

FormaMail implements RBAC at the team level:

Role	Permissions
Owner	Full access, billing, team deletion
Admin	Manage members, API keys, templates
Member	Create/edit templates, send emails
Viewer	Read-only access to logs and analytics

API Key Permissions

API keys can be scoped to specific permissions:

emails:send - Send emails
emails:read - Read email logs
templates:read - Read templates
templates:write - Create/edit templates
analytics:read - Access analytics
webhooks:manage - Manage webhook subscriptions

OAuth Scopes

Third-party applications access your data through OAuth with explicit scopes:

Scope	Access Granted
`emails:send`	Send emails on your behalf
`emails:read`	Read your email logs
`templates:read`	Read your templates
`templates:write`	Create and modify templates
`webhooks:read`	Read webhook configurations
`webhooks:write`	Manage webhook subscriptions
`analytics:read`	Read analytics data
`profile:read`	Read basic profile information

Audit Logging

FormaMail maintains audit logs for security-sensitive operations:

Logged Events

Event Category	Examples
Authentication	Login, logout, password change, 2FA enable/disable
API Keys	Create, revoke, update permissions
Team Management	Member invite, role change, removal
Data Access	Template export, email log export
OAuth	App authorization, token revocation
Settings	Retention changes, billing updates

Accessing Audit Logs

Audit logs are available to team Owners and Admins:

Dashboard: Settings → Activity Log
API: GET /api/teams/:teamId/activity

Log Retention

Audit logs are retained for 2 years and cannot be deleted manually. This ensures accountability and supports incident investigation.

Data Processing

Where Data is Processed

Process	Provider	Region
API requests	Railway	US
Database	Railway	US
Email sending	AWS SES	eu-north-1 (Stockholm)
PDF generation	Railway	US

Data Flow

API Request: Your request arrives via HTTPS at our API servers
Validation: Input is validated and sanitized
Processing: Email is queued, attachments generated
Delivery: Email sent via AWS SES
Logging: Delivery status logged for tracking
Cleanup: Temporary files deleted after delivery

Backups & Recovery

Backup Schedule

Backup Type	Frequency	Retention
Database snapshots	Daily	30 days
Point-in-time recovery	Continuous	35 days
Configuration backups	Weekly	90 days

Disaster Recovery

RTO (Recovery Time Objective): < 4 hours
RPO (Recovery Point Objective): < 1 hour
Infrastructure: Railway managed PostgreSQL with automated backups

Data Recovery Requests

If you accidentally delete data, contact support@formamail.com within the retention period. Recovery may be possible from backups depending on timing.

We Do Not Sell Data

FormaMail does not sell, rent, or trade your data to third parties.

Service Providers

We share data with service providers only as necessary to operate the service:

Provider	Purpose	Data Shared
Railway	Infrastructure (DB, API)	All data (encrypted at rest)
AWS SES	Email delivery	Email content, recipients
CloudFlare	CDN, WAF, DNS	Request metadata
Cashfree	Payments	Billing info (not stored by us)

Legal Requirements

We may disclose data if required by law, court order, or to protect our rights. We will notify you unless legally prohibited.

Security Best Practices for Users

Recommended Practices

Rotate API keys regularly (at least every 90 days)
Use scoped API keys with minimum required permissions
Enable 2FA for dashboard access
Review connected OAuth apps periodically
Monitor your email logs for unusual activity
Use strong passwords (16+ characters, unique)

What to Do If Compromised

If you suspect your account or API key is compromised:

Immediately revoke the compromised API key
Change your password
Revoke all OAuth authorizations
Review recent activity in audit logs
Contact support at security@formamail.com

Compliance & Certifications Infrastructure & Reliability