Security

Infrastructure Security

Our infrastructure is hosted across multiple availability zones in SOC 2 Type II certified data centers. Network traffic is restricted by security groups and private subnets. All production systems are isolated from development and staging environments.

We perform regular penetration testing and maintain an automated vulnerability scanning pipeline that evaluates every deployment before it reaches production.

Data Encryption

All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted with AES-256. Encryption keys are managed through a dedicated hardware security module (HSM) and rotated on a regular schedule. Email content is encrypted during processing and never written to disk in plaintext.

Authentication & Access Control

We enforce multi-factor authentication for all internal systems and offer it as an option for customer accounts. Access to production infrastructure is granted on a least-privilege basis and reviewed quarterly. API keys are hashed at rest and never displayed in full after creation.

Incident Response

Our incident response team is available around the clock. We maintain a documented runbook for common incident classes and conduct tabletop exercises quarterly. Affected customers are notified within 72 hours of a confirmed security incident, with a detailed post-mortem published within five business days.

Compliance

FlashPost is GDPR-compliant and actively working toward SOC 2 Type II certification. We conduct annual third-party audits and maintain a comprehensive compliance program covering data protection, access management, and incident handling.

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. Reports can be sent to security@flashpost.io. We commit to acknowledging reports within 24 hours and providing a resolution timeline within five business days. We ask that researchers avoid accessing customer data or disrupting service availability during their investigation.