Effective Date: 2026-03-31
Last Updated: 2026-03-31
Our security commitment
EuroMail is built for GDPR-compliant transactional email with EU data residency. Security is foundational to that promise.
- All data is stored and processed in Finland (EU)
- Encryption in transit (TLS 1.2+) and at rest
- DKIM, SPF, DMARC, MTA-STS, and DANE for email authentication
- Argon2 password hashing, scoped API keys, TOTP two-factor authentication
- Rate limiting, CSRF protection, and security headers on all endpoints
- Dependency vulnerability scanning in CI/CD
- Complete audit logging with client IP tracking
Reporting a vulnerability
If you discover a security vulnerability in EuroMail, we appreciate your help in disclosing it responsibly.
How to report
Send your report to [email protected] with:
- A description of the vulnerability and its potential impact
- Steps to reproduce
- Any proof-of-concept code or screenshots
- Your preferred contact method for follow-up
What to expect
- Acknowledgment within 2 business days
- Assessment within 5 business days
- Resolution timeline communicated based on severity
- Credit in our changelog if you wish (with your permission)
Scope
In scope:
- euromail.dev and all subdomains
- api.euromail.dev REST API
- dashboard.euromail.dev web application
- Official SDKs (Rust, TypeScript, Python, Go)
- MCP server (@euromail/mcp-server)
Out of scope:
- Third-party services we integrate with (Stripe, etc.)
- Social engineering or phishing attacks
- Denial of service attacks
- Issues in dependencies without a demonstrated exploit path
Safe harbor
We will not pursue legal action against security researchers who:
- Act in good faith and follow this policy
- Do not access, modify, or delete other users' data
- Do not disrupt service availability
- Report findings promptly and allow reasonable time for remediation
- Do not publicly disclose before we have addressed the issue
Machine-readable policy
Our security.txt file follows the RFC 9116 standard for automated discovery.