Security Statement
Effective Date: September 29, 2025 • Security Contact: security@mailopened.com
1) Overview
Mail Opened employs layered security controls across people, process, and technology, consistent with industry best practices for SaaS platforms.
2) Authentication & Sessions
- Passwords hashed with Argon2id; minimum complexity enforced.
- Optional multi-factor authentication (MFA).
- CSRF tokens for state-changing requests; session regeneration on privilege changes.
3) Encryption
- TLS for all app traffic; HSTS on primary domain.
- Encrypted backups and secure key management practices.
4) Access Control
- Least-privilege, role-based access; periodic reviews and revocation on role change.
- Administrative actions logged and monitored.
5) Infrastructure Security
- Hardened OS images, patch management, and firewalling/security groups.
- Network segmentation and rate limiting to reduce blast radius.
6) Application Security
- Dependency scanning, code review, and secure SDLC practices.
- Protection against common web vulnerabilities (XSS, SQLi, SSRF) via validation and parameterization.
7) Monitoring & Logging
- Centralized logging, anomaly detection, and alerting.
- Abuse and intrusion detection signals with progressive mitigation.
8) Backups & Disaster Recovery
- Regular encrypted backups; periodic restore tests.
- Documented recovery procedures and RTO/RPO targets appropriate to plan tier.
9) Responsible Disclosure
If you discover a vulnerability, please email security@mailopened.com with details and reproduction steps. We ask you to avoid privacy violations, data destruction, or service disruption while testing.