Security Overview
Last updated: May 8, 2026
Security is foundational to MonkeysMail. We handle sensitive email data and API credentials for our customers, and we take that responsibility seriously. This page outlines our security practices, certifications, and how we protect your data.
Infrastructure
- Hosting: Our infrastructure runs on isolated, dedicated servers with strict network segmentation
- DDoS protection: Multi-layer DDoS mitigation at the network and application layers
- Uptime: 99.9% SLA on paid plans with automated failover and redundancy
- Monitoring: 24/7 infrastructure monitoring with real-time alerting
Encryption
- In transit: All connections require TLS 1.2 or higher; TLS 1.3 is negotiated wherever the peer supports it
- At rest: AES-256 encryption for all stored data, including email content, events, and attachments
- API keys: Stored only as salted one-way hashes. The raw key is shown once at creation and is never stored, so a copy of the database does not yield usable keys
- DKIM keys: 2048-bit RSA keys with automatic rotation
Authentication & Access Control
- Two-factor authentication: TOTP and WebAuthn/passkey support for all accounts
- SSO: SAML-based single sign-on available on Scale and above
- Role-based access: Owner, Admin, Developer, and Viewer roles with granular permissions
- API key scoping: Per-key domain restrictions, endpoint scopes, and IP allowlisting
- Session management: Short-lived JWT access tokens (30-minute expiry) paired with refresh token rotation, so each refresh issues a new token and invalidates the previous one
Email Security
- DKIM: Every outgoing email is DKIM-signed with per-domain keys
- SPF: The return-path (envelope sender) domain is verified to be SPF-aligned with the From domain on every send
- DMARC: All sends are DMARC-aligned via SPF and DKIM, and the domain's published DMARC policy is enforced
- ARC: ARC sealing for forwarded messages
- TLS enforcement: Opportunistic TLS on all outbound connections; mandatory TLS configurable per domain
Data Protection
- Suppression lists: Hard bounces, complaints, and unsubscribes are auto-suppressed within seconds
- Data isolation: Customer data is logically isolated with per-company encryption keys
- Retention controls: Configurable log retention per plan (7–30 days), deletable on demand
- Right to deletion: Full data export and deletion available via API or dashboard
- EU data residency: Available on Scale plans and above
Audit & Compliance
- Audit logs: Every API key action, login, configuration change, and data access is written to an immutable audit log
- SOC 2 Type II: Audit in progress; report available on request
- GDPR: Data Processing Agreement (DPA) available for all customers
- CCPA: Full right-to-delete and data export support
- Webhook signing: All webhook payloads are HMAC-SHA256 signed for verification
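The signing scheme above only protects you if the receiver actually checks it. The following is an added example (not MonkeysMail's code or SDK) of how a webhook receiver should verify an HMAC-SHA256 signature: it MACs the raw request bytes rather than a re-serialized JSON object, and it compares with a constant-time function. The header name X-MonkeysMail-Signature, the hex encoding, and the sample secret and payloads are assumptions constructed for this example; check the provider's webhook documentation for the real header name and encoding.

```python
import hmac
import hashlib
import json

# Assumption (not from the MonkeysMail page): the signature arrives in this
# header as lowercase hex of HMAC-SHA256 over the raw request body, keyed with
# the webhook secret issued in the dashboard.
SIGNATURE_HEADER = "X-MonkeysMail-Signature"


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Compute the hex HMAC-SHA256 a sender would attach to raw_body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the presented signature matches the raw body.

    - MAC the bytes exactly as received; re-serializing the JSON changes
      whitespace and key order and would break the comparison.
    - hmac.compare_digest runs in constant time, so a mismatch does not leak
      how many leading bytes of the forged signature were correct.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented:
        return False
    expected = sign_payload(secret, raw_body)
    return hmac.compare_digest(expected, presented)


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict):
    """Verify first, parse second. Returns the event dict, or None if rejected."""
    if not verify_webhook(secret, raw_body, headers):
        return None
    return json.loads(raw_body)


# Constructed sample traffic so the module runs stand-alone (not real data).
WEBHOOK_SECRET = b"whsec_example_do_not_use"
GOOD_BODY = b'{"event":"email.bounced","to":"user@example.com","type":"hard"}'
GOOD_HEADERS = {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, GOOD_BODY)}
# An attacker who knows the payload format but not the secret tries to replay
# the genuine signature over a forged bounce for a different address.
FORGED_BODY = b'{"event":"email.bounced","to":"victim@example.com","type":"hard"}'

if __name__ == "__main__":
    print(handle_webhook(WEBHOOK_SECRET, GOOD_BODY, GOOD_HEADERS))   # event dict
    print(handle_webhook(WEBHOOK_SECRET, FORGED_BODY, GOOD_HEADERS)) # None
    print(handle_webhook(WEBHOOK_SECRET, GOOD_BODY, {}))             # None
```

Treat an unverified webhook as untrusted input: a forged "hard bounce" event that your application acts on would let an attacker suppress a legitimate recipient, which is exactly what the signature check prevents.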
Incident Response
We maintain a documented incident response plan. In the event of a security incident affecting customer data, we will notify affected accounts within 72 hours. Under GDPR Article 33 a processor must notify the controller without undue delay and the controller then has 72 hours to notify its supervisory authority; our commitment is designed to fit inside that window. Our status page at status.monkeysmail.com provides real-time visibility into service health.
Vulnerability Reporting
If you discover a security vulnerability, please report it to security@monkeysmail.com. We support responsible disclosure and will acknowledge reports within 48 hours.
Contact
For security-related questions, compliance documents, or to request our SOC 2 report, email security@monkeysmail.com.