Security

Your data, properly defended.

You trust us with your data and your users' data. We take that seriously. Postbox is built on a foundation of tenant isolation, encrypted transport, and proactive auditing.

Verification

Proactive auditing.

We run periodic internal security audits and publish the results. All findings are resolved before the report is published.

Architecture

Secure by design.

Infrastructure

Postbox runs on isolated application instances with encrypted storage volumes. Every connection, including the application's connection to its database, is served over TLS 1.2 or later; there is no unencrypted path. HSTS headers are sent on every response so browsers refuse to fall back to plain HTTP.

Data Protection

Account data is tenant-isolated by design: every database query is scoped to the authenticated account at the query level, so the tenant filter is part of the data-access layer rather than something each endpoint has to remember. A row that belongs to another tenant is indistinguishable from a row that does not exist, which rules out cross-tenant reads and writes by construction.
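The pattern described above, as an added example that is not Postbox's own code: a data-access handle that is bound to one tenant and offers no unscoped query method at all, so a caller cannot forget the filter. The schema, table name, and in-memory SQLite database are constructed for the example.

```python
from __future__ import annotations

import sqlite3
from dataclasses import dataclass

# Constructed schema and seed rows for the example; not Postbox's real tables.
SCHEMA = """
CREATE TABLE messages (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL,
    subject   TEXT NOT NULL
);
"""
SEED = [
    (1, 101, "tenant A: welcome"),
    (2, 101, "tenant A: invoice"),
    (3, 202, "tenant B: welcome"),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


@dataclass(frozen=True)
class TenantScope:
    """Data-access handle bound to one authenticated tenant.

    Every statement built through this object carries a tenant_id predicate.
    There is deliberately no method that takes a raw query or omits the filter.
    """
    conn: sqlite3.Connection
    tenant_id: int

    def list_messages(self) -> list[tuple[int, str]]:
        rows = self.conn.execute(
            "SELECT id, subject FROM messages WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()
        return [(r[0], r[1]) for r in rows]

    def get_message(self, message_id: int) -> tuple[int, str] | None:
        # The id AND the tenant are both part of the predicate, so a valid id
        # owned by another tenant behaves exactly like a non-existent id.
        row = self.conn.execute(
            "SELECT id, subject FROM messages WHERE id = ? AND tenant_id = ?",
            (message_id, self.tenant_id),
        ).fetchone()
        return None if row is None else (row[0], row[1])

    def delete_message(self, message_id: int) -> int:
        # rowcount lets the caller see that a cross-tenant id deleted nothing,
        # instead of the request silently "succeeding".
        cur = self.conn.execute(
            "DELETE FROM messages WHERE id = ? AND tenant_id = ?",
            (message_id, self.tenant_id),
        )
        self.conn.commit()
        return cur.rowcount


def demo() -> dict:
    """Tenant B tries to read and delete a row that belongs to tenant A."""
    conn = open_db()
    tenant_a = TenantScope(conn, tenant_id=101)
    tenant_b = TenantScope(conn, tenant_id=202)
    return {
        "a_sees": tenant_a.list_messages(),
        "b_reads_a": tenant_b.get_message(1),          # None: id 1 is tenant A's
        "b_deletes_a": tenant_b.delete_message(1),     # 0 rows affected
        "a_still_has": len(tenant_a.list_messages()),  # 2: nothing was removed
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the scope is decided once, when the request is authenticated, and every query inherits it; an endpoint that looks up a message by id cannot accidentally skip the tenant check because no such code path exists.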

Authentication

Passwords are hashed with bcrypt. Two-factor authentication (TOTP) is available for all accounts. Session tokens are encrypted, signed, and rotated. API keys are hashed before storage: the plaintext is shown once at creation and never stored, so a copy of the database does not yield usable keys.
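Two of the controls above in working form, as an added example rather than Postbox's own implementation: API keys whose plaintext is returned once while only a hash is kept, verified with a constant-time comparison, and RFC 6238 TOTP verification with a small clock-drift window. The `pb_` key prefix, the key layout, and the in-memory key store are assumptions made for the example; the TOTP secret used in the demo is the RFC 6238 test-vector secret, not a real one.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed in-memory store: key id -> hex SHA-256 of the secret part.
# Layout and the "pb_" prefix are assumptions for this example, not Postbox's.
_API_KEYS: dict[str, str] = {}


def _digest(secret: str) -> str:
    # A 256-bit random secret has nothing to brute-force, so a single SHA-256 is
    # enough here; bcrypt is reserved for low-entropy passwords.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_api_key() -> str:
    """Create a key, store only its hash, and return the plaintext exactly once."""
    key_id = secrets.token_hex(8)        # public lookup handle
    secret = secrets.token_urlsafe(32)   # private part; never written to storage
    _API_KEYS[key_id] = _digest(secret)
    return f"pb_{key_id}_{secret}"


def verify_api_key(presented: str) -> str | None:
    """Return the key id if the presented key is valid, otherwise None."""
    parts = presented.split("_", 2)      # secret may itself contain "_"
    if len(parts) != 3 or parts[0] != "pb":
        return None
    key_id, secret = parts[1], parts[2]
    stored = _API_KEYS.get(key_id)
    if stored is None:
        # Do the same work for unknown ids so timing does not reveal which ids exist.
        hmac.compare_digest(_digest(secret), _digest(""))
        return None
    return key_id if hmac.compare_digest(_digest(secret), stored) else None


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int | None = None, window: int = 1) -> bool:
    """Accept the current code or one from `window` steps either side (clock drift)."""
    now = int(time.time()) if at is None else at
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + drift * 30), code):
            return True
    return False


# RFC 6238 Appendix B test secret ("12345678901234567890" in base32).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = issue_api_key()
    print("show once:", key, "-> verifies as", verify_api_key(key))
    print("stored hash only:", _API_KEYS)
    print("TOTP at t=59:", totp(RFC_SECRET, 59))
```

A real deployment would also throttle verification attempts and reject a TOTP code that has already been used within its step, so that a shoulder-surfed code cannot be replayed.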

Application Security

A strict Content Security Policy (CSP) is set on every page. All database access uses parameterized queries, which prevents SQL injection. Every state-changing request carries CSRF protection, and all input is validated against a schema before it is stored.
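The CSRF control above in working form, as an added example that is not Postbox's own code: a stateless token bound to the session by an HMAC, issued with a fresh nonce per form and checked only on state-changing methods. The server secret, session ids, and token layout are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed for the example; a real service loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)

# Safe methods must never change state, so they carry no token and are not checked.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()


def csrf_token(session_id: str) -> str:
    """Issue a token for a form rendered inside this session.

    The nonce makes each token distinct; the HMAC binds it to the session, so a
    token minted in the attacker's own session does not validate in the victim's.
    """
    nonce = secrets.token_hex(16)            # hex, so the first "." is the separator
    return f"{nonce}.{_mac(session_id, nonce)}"


def csrf_check(method: str, session_id: str | None, submitted: str | None) -> bool:
    """Return True if the request may proceed, False if it must be rejected."""
    if method.upper() not in STATE_CHANGING:
        return True
    if not session_id or not submitted or "." not in submitted:
        return False                          # no session, or token absent/malformed
    nonce, mac = submitted.split(".", 1)
    return hmac.compare_digest(_mac(session_id, nonce), mac)


if __name__ == "__main__":
    token = csrf_token("sess-victim")
    print("same session, POST:", csrf_check("POST", "sess-victim", token))
    print("attacker's session, POST:", csrf_check("POST", "sess-attacker", token))
    print("GET without token:", csrf_check("GET", "sess-victim", None))
```

The token is verified against the session cookie the browser sent, not against anything the attacker controls, which is what makes a cross-site form post fail: the attacking page can make the browser send the cookie, but it cannot read a token that was bound to that cookie.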

Responsible Disclosure

Found something? Let us know.

If you discover a security vulnerability, we want to hear about it. Please report it to support@usepostbox.com. We will acknowledge your report within 48 hours and give you a timeline for resolution.

Ack: response within 48 hours
Status: regular updates while the fix is in progress
Fix: notification when the issue is resolved
Next steps

Ongoing improvements.

SOC 2 Type II

Working toward a full Type II attestation covering our operational controls.

GDPR DPA

Standard Data Processing Agreement for all Pro customers.

External Pen-Testing

Third-party penetration testing to validate our technical posture.