MailSlurp is cloud-hosted software as a service. This document outlines our security policies and procedures.

What is MailSlurp?

MailSlurp is an email and SMS testing and development platform. It can be used to send and receive email and SMS messages from software applications. It is used by developers and quality assurance teams to test and develop software applications and build powerful automations.

What does MailSlurp consist of?

MailSlurp is made up of a number of components. These include:

  • A web application for managing email accounts and sending and receiving email and SMS messages.
  • A backend for managing data via a REST API.
  • Mailservers using IMAP and SMTP to send and receive email.
  • A database for storing customer data.
  • A website for marketing and support.

Where is MailSlurp hosted?

MailSlurp is hosted on the AWS Cloud in the us-west-2 region. This region is located in Oregon, USA. The AWS Cloud is a secure cloud services platform that offers compute power, database storage, content delivery, and other functionality to help businesses scale and grow. All applications and data are hosted on AWS using security best practices.

Security procedures

MailSlurp uses a number of security procedures to ensure that customer data is secure. These include:

Authentication

  • TLS/SSL secure HTTPs API endpoints
  • SAML 2.0 Single Sign On user management
  • Federated OAuth 2.0 user management

Enterprise teams can manage user sign-in and access using their own identity provider. This allows them to control access to the platform using their own security policies. Enterprise customers have their own login page and can manage their own users and permissions.

Data security

  • Data is stored in a secure database hosted by AWS RDS with AES-256 encryption at rest.
  • All data in transit is encrypted using TLS/SSL.
  • Daily backups are stored securely in AWS S3.
  • Email and SMS content is stored in AWS S3 with AES-256 encryption at rest.

Network security

  • Secure VPN access to AWS resources
  • Public and private subnets for applications and data
  • Network ACLs to control access to resources

Risk management

  • Regular security audits
  • Regular penetration testing
  • Regular security training for staff
  • Regular security reviews of third-party services, AWS services, application code, dependencies, architecture, and data flows

Incident response

  • 72-hour update to affected customers upon a security incident
  • Detailed incident report outlining the cause, remediation, and preventative measures
  • Post-incident analysis feeds back into security improvements

Compliance

  • MailSlurp is a European company and complies with GDPR privacy protocols.

Physical and Environmental Security

MailSlurp implements robust controls to protect physical assets and hosting environments:

  • Data Center Standards: AWS data centers maintain compliance with certifications such as ISO 27001 and SOC 2.
  • Access Controls: AWS data centers require multiple layers of authentication (e.g., biometric scanners, ID badges) to protect restricted areas.
  • Environmental Safeguards: Automated fire suppression, redundant HVAC systems, flood detection, and on-site generators maintain secure and stable conditions.
  • Monitoring and Auditing: CCTV surveillance, visitor logs, and regular inspections are leveraged by AWS to detect and deter unauthorized access.

Cryptographic Key Management

  • AWS KMS (AES-256): All cryptographic keys used to encrypt MailSlurp data are generated and stored in AWS KMS, leveraging hardware security modules.
  • Key Rotation: Automatic rotation of master keys is enabled annually. Unscheduled rotations occur if a compromise is suspected.
  • Access Restrictions: IAM roles enforce the principle of least privilege for services or personnel accessing cryptographic keys.

Logical Access Management

  • Role-Based Access Control (RBAC): Users and services are granted only the privileges necessary for their roles.
  • Approval Workflow: Any request for new or elevated privileges undergoes formal review.
  • Revocation: Access is revoked immediately upon role change or employee departure.
  • Audit Trails: Logs of all access changes are retained and periodically reviewed for anomalies.

Asset Management

  • Identification and Ownership: Each physical and digital asset is uniquely identified in an internal registry, with designated owners accountable for its lifecycle.
  • Lifecycle Management: Assets are tracked from acquisition through decommissioning, ensuring secure disposal and minimal risk of data exposure.
  • Change Tracking: Software, hardware, and configurations are updated in a controlled manner, with audit logs to identify unauthorized modifications.

Security contact

If you have any questions about MailSlurp security, please contact us at contact@mailslurp.dev.