Security

Security is built in, not bolted on.

MailPilot handles sensitive email credentials and proprietary send infrastructure. We take that seriously. Here's exactly what we do - and don't do - with your data.

Infrastructure

Where and how your data lives

Hosting

Vercel (edge + serverless) - automatic TLS, DDoS protection, and global CDN.

Database

Supabase (PostgreSQL) - data encrypted at rest with AES-256. Daily automated backups.

Cache / queues

Redis (Upstash) - job queues and short-lived session data, encrypted in transit.

Transport

TLS 1.2+ enforced on all connections. No plaintext HTTP in production.

Authentication

How access is managed

Sessions

JWT-based, signed server-side. Stored in HTTP-only, Secure, SameSite=Lax cookies. Not accessible to JavaScript.

Passwords

bcrypt hashing with a cost factor of 12. Plain-text passwords are never stored, logged, or transmitted.

OAuth

Google sign-in via a secure server-side token exchange. We store only the provider user ID - no OAuth tokens are persisted.

Email credentials

SMTP passwords are AES-256 encrypted before storage. They are never written to logs and never returned via the API.

Our commitments

Four principles we don't compromise on

Encryption at rest & in transit

AES-256 for all stored data. TLS 1.2+ enforced everywhere. Your email credentials are encrypted before they touch the database.

No credential logging

SMTP passwords, auth tokens, and session secrets are explicitly excluded from all logging pipelines. We audit this regularly.

Data minimization

We collect what we need to run the service, nothing more. We don't sell data, don't build ad profiles, and don't retain data beyond operational necessity.

Right to deletion

You can delete your account at any time from Settings. All personal data, email credentials, seed results, and configurations are permanently removed within 30 days.

Responsible disclosure

Found a vulnerability?

We take security reports seriously and respond within 48 hours. Please email security@mailpilots.in with a detailed description of the issue. We ask that you give us reasonable time to triage and patch before public disclosure.

48-hour response SLA on all security reports

Compliance & privacy

GDPR-conscious design

We don't sell your data. Not to data brokers, not to advertisers, not to anyone.

We don't train AI or ML models on your email content, sending patterns, or account data.

Data processing is limited to what is necessary to provide the service you signed up for.

EU customers: your data is processed within infrastructure that meets GDPR-aligned standards.

Questions about security?

If you have specific security requirements for procurement, a vendor security review, or just want to ask directly - we're happy to talk.
