Mailinator Security

At Mailinator, protecting customer data is a top priority. We take the responsibility of securing it very seriously.


Infrastructure

System Architecture

Mailinator's architecture is built to be secure and reliable. It is a multi-tier architecture where server-to-server communication occurs over a firewalled, private network. Access keys are rotated regularly and stored separate from code and data.


Data Centers

Our application is hosted by Linode and Digital Ocean with the following certifications:


Linode:

  • SOC 1 Type 2
  • SOC 2 Type 2
  • HIPAA Type 1
  • HITECH
  • PCI DSS

Digital Ocean:

  • SOC 2 Type 2
  • SOC 3 Type 2
  • PCI DSS

For more information, please see the relevant Security pages:
Linode
Digital Ocean


PCI DSS


Mailinator's payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry. Mailinator does not typically receive credit card data, making it compliant with Payment Card Industry Data Security Standards (PCI DSS) in most situations.


Site Continuity and Disaster Recovery

Mailinator's architecture is built with fault tolerant capability. Each service is redundant with replication and failover.


Environments

Mailinator retains development and testing systems that are fully isolated from the production environment.


Safeguards

Firewall and Encryption

Our servers are protected by Firewalls. The Mailinator web service is proxied through Cloudflare. All Mailinator web traffic is served over HTTPS. We force HTTPS for all web resources including our REST API.

Our SMTP servers support upgrading connections to TLS encryption. Bodies of Emails sent to the Private Mailinator sytem is encrypted at rest. Email sent to the Public Mailinator system is not encrypted (and is freely available to all users).


Vulnerability Scans and Penetration Testing

Mailinator monitors all third-party tools that are used within the system for security upgrades and patches. All such patches are patched promptly when new issues are reported
The Mailinator system undergoes third-party security reviews and penetration tests at least yearly. Issues that are categorized as high-impact are addressed within 30 days.


Security Training and Confidentiality

Mailinator has mandatory security training for all employees. Additionally, all employees sign confidentiality agreements with Mailinator.


Data

Mailinator takes data security seriously.

Public Email Domains (e.g. @mailinator.com) are intended as public domain data. There is no intended or implied privacy surrounding data sent to any Mailinator public domain. The public access of Mailinator's public domains is, in fact, a intended goal of the usability of that service.

In contrast, Subscribers to the Mailinator service receive a "Private Domain" (e.g. something akin to yourCompanyQATesting.com). Emails sent to a Subscriber's private domain are not public and viewable only by those subscribers.


Data Storage

Mailinator data stores are accessible only by servers that require access.


Backups

Mailinator conducts backups on a weekly and monthly basis. Hot backups are retained for one month. Off-net backups are retained for up to one year.


Logs

All sensitive information (including passwords, API keys, etc) is filtered from all server logs. Subscriber activity is logged and kept for 6 weeks. No user activity is logged in the Mailinator Public system.

Authentication

Paswords

We never store passwords in a form that can be retrieved. Mailinator stores an irreversible cryptographic hash using a function specifically designed for this purpose. Authentication sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity.


Secure Single Sign On (SSO)

SSO is available for Enterprise subscriptions supporting SAML.


Monitoring

We monitor and rate limit authentication attempts on all accounts. Our system automatically blocklists any IP addresses responsible for suspicious authentication activity.


User Roles

We provide multiple user roles with different permissions levels within the product. Roles vary from account admins to users.

Policies

Incident Response

Mailinator has a defined protocol for responding to security


Security and Confidentiality

All employees are trained in Security procedures pertinent to their position. All employees sign confidentiality agreements with Manybrain (Mailinator).


PCI Compliance

All credit card payments paid to Mailinator/Manybrain go through our payment processing partner, Stripe. Details about their security posture and PCI compliance can be found at Stripe's Security page.


SDLC

Mailinator conducts software development and updates through a system of standards and repeatable tests. Code pushes to production occur through a repeatable and automated process with immediate capability for reversion if necessary.



If you have any questions or concerns regarding the security of this site, please email us at: support@manybrain.com