Security & Compliance

Mailneo is built with security and compliance at its core. This guide covers authentication security, data protection measures, and how to stay compliant with email regulations like GDPR and CAN-SPAM.

Authentication Security

Password Requirements

All passwords must meet these requirements:

  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

Passwords are hashed using bcrypt with a cost factor of 12. Plain text passwords are never stored.
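As an added illustration (not Mailneo's own code), the following Python checks a candidate password against the five rules listed above and reports every rule it fails, so a sign-up form can show all problems at once rather than one at a time. The definition of "special character" used here is an assumption.

```python
import re

# The five rules from the guide, each paired with a check; a password must pass all of them.
PASSWORD_RULES = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("at least one uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("at least one lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("at least one number", lambda p: re.search(r"[0-9]", p) is not None),
    # "special character" is taken to mean any character that is not a letter, digit or
    # whitespace (underscore included); this interpretation is an assumption, not the guide's.
    ("at least one special character", lambda p: re.search(r"[^\w\s]|_", p) is not None),
]


def password_violations(password: str) -> list:
    """Return the names of every rule the password fails; an empty list means it is acceptable."""
    return [name for name, check in PASSWORD_RULES if not check(password)]


def is_acceptable(password: str) -> bool:
    """True when the password satisfies all rules. Only after this check would the server hash
    it, e.g. with the `bcrypt` package: bcrypt.hashpw(pw.encode(), bcrypt.gensalt(rounds=12))."""
    return not password_violations(password)
```

Hashing is deliberately left out of the block because bcrypt is not in the Python standard library; the docstring shows the call that a cost factor of 12 corresponds to.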

Two-Factor Authentication (2FA)

Add an extra layer of security with 2FA:

  1. Go to Settings → Security → Two-Factor Auth.
  2. Click "Enable 2FA".
  3. Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password).
  4. Enter the 6-digit code to verify.
  5. Save your recovery codes in a secure location.

Recovery Codes

When you enable 2FA, you receive 10 single-use recovery codes:

  • Each code can only be used once
  • Store them in a secure location (password manager)
  • Regenerate codes anytime from Settings → Security
  • If you lose access to your authenticator and codes, contact support
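To show what happens behind steps 3-5 above, here is an added Python example (not Mailneo's implementation) of the server side of 2FA: generating the otpauth URI the QR code encodes, checking a 6-digit RFC 6238 code with a one-step tolerance for clock skew, and issuing ten single-use recovery codes of which only hashes are stored. The issuer label, code length and storage layout are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # authenticator apps rotate the code every 30 s


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code an authenticator app shows at Unix time `at`."""
    counter = struct.pack(">Q", at // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock skew), comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret, at + k * STEP_SECONDS), submitted)
        for k in range(-window, window + 1)
    )


def provisioning_uri(secret: bytes, account: str, issuer: str = "Mailneo") -> str:
    """The otpauth:// URI that the QR code in step 3 encodes (base32 secret, no padding)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"


class RecoveryCodes:
    """Ten single-use codes. Only SHA-256 hashes are stored; a hash is removed the moment its code is redeemed."""

    def __init__(self, count: int = 10):
        self.plaintext = [secrets.token_hex(5) for _ in range(count)]   # shown to the user once (step 5)
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.plaintext}

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self._hashes:
            self._hashes.discard(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```

The secret used in the test is the RFC 6238 reference secret, so the expected codes can be checked against the RFC's own table.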

Session Management

Manage your active sessions:

  • View sessions: See all devices where you're logged in
  • Session details: Device type, browser, location, last activity
  • Revoke sessions: Sign out from specific devices remotely
  • Sign out all: Terminate all sessions except the current one

Sessions expire after 30 days of inactivity. JWT tokens are refreshed automatically during active use.

Security Best Practices

  • Enable 2FA on your account
  • Use a unique password not used elsewhere
  • Review active sessions regularly
  • Sign out when using shared devices
  • Keep recovery codes in a secure location

OAuth & Email Account Security

OAuth Connections

When connecting Gmail or Outlook accounts:

  • Secure OAuth flow: We never see or store your email password
  • Token encryption: OAuth tokens are encrypted using AES-256-GCM
  • Minimal permissions: We request only necessary scopes for email access
  • Token refresh: Tokens are refreshed automatically before expiration

IMAP/SMTP Credentials

For IMAP/SMTP connections:

  • Credentials are encrypted at rest using AES-256-GCM
  • Connections use TLS/SSL for transport security
  • App-specific passwords are recommended where available
  • Credentials are only decrypted when establishing connections

Revoking Access

  1. Go to Settings → Email Accounts.
  2. Find the account to disconnect.
  3. Click "Disconnect" and confirm.
  4. For OAuth accounts, also revoke access from your Google/Microsoft account settings for complete removal.

Data Protection

Encryption

Data Type          Protection
Data in transit    TLS 1.3 encryption
Data at rest       AES-256 encryption
Passwords          bcrypt hashing (cost 12)
OAuth tokens       AES-256-GCM encryption
IMAP credentials   AES-256-GCM encryption
API keys           SHA-256 hashing (stored), shown once

Data Retention

  • Account data: Retained while account is active
  • Email content: Synced emails follow your email provider's retention
  • Analytics data: Campaign metrics retained for 2 years
  • Audit logs: Security events retained for 1 year
  • After cancellation: Data deleted after 30-day grace period

Data Export

Export your data anytime:

  1. Go to Settings → Data & Privacy.
  2. Click "Export My Data".
  3. Choose what to include (contacts, campaigns, analytics).
  4. Receive a download link via email when export is ready.

Exports are provided in standard formats (CSV, JSON) for portability.

Data Deletion

Request complete data deletion:

  1. Go to Settings → Data & Privacy.
  2. Click "Delete My Account".
  3. Confirm by entering your password.
  4. All data is permanently deleted within 30 days.

This action is irreversible. Export your data first if needed.

API Security

API Key Management

  • Create keys: Generate API keys in Settings → API Keys
  • Name your keys: Use descriptive names (e.g., "Production Server", "Zapier Integration")
  • Copy immediately: Full key shown only once at creation
  • Revoke unused keys: Delete keys that are no longer needed
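The "shown once" behaviour described here and in the encryption table follows from storing only a SHA-256 hash of the key. This added Python example (not Mailneo's code) shows that model end to end: create a named key, persist only its hash plus a short hint, authenticate a presented key by hashing it and comparing in constant time, and revoke keys by name. The "mn_" prefix and the 4-character hint are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "mn_"   # hypothetical prefix so keys are easy to recognise in logs and secret scanners


def generate_api_key(name: str, keys: dict) -> str:
    """Create a key for `name`. Only the SHA-256 hash (plus name and a 4-char hint) is persisted
    in `keys`; the plaintext is returned exactly once and can never be recovered from storage."""
    plaintext = KEY_PREFIX + secrets.token_urlsafe(32)        # 256 bits of entropy
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    keys[digest] = {"name": name, "hint": plaintext[-4:], "revoked": False}
    return plaintext


def authenticate(presented: str, keys: dict):
    """Return the key's name if `presented` is a live key, else None.
    Hashing first means the lookup never needs the plaintext of any stored key."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored_digest, meta in keys.items():
        # constant-time compare so the loop leaks nothing about how many characters matched
        if hmac.compare_digest(stored_digest, digest) and not meta["revoked"]:
            return meta["name"]
    return None


def revoke_key(name: str, keys: dict) -> int:
    """Revoke every live key with this name ("Revoke unused keys"); returns how many were revoked."""
    revoked = 0
    for meta in keys.values():
        if meta["name"] == name and not meta["revoked"]:
            meta["revoked"] = True
            revoked += 1
    return revoked
```

Because the hash is a one-way function of a 256-bit random value, a leaked copy of the key table gives an attacker nothing usable, which is the property that makes "copy immediately" safe advice.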

Rate Limiting

Plan           Rate Limit          Burst
Starter        60 requests/min     100
Professional   100 requests/min    200
Business       300 requests/min    500

Rate limit headers are included in API responses. Implement exponential backoff when receiving 429 responses.
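As an added example (not Mailneo's implementation), the Python below models both halves of this advice: a token-bucket limiter configured with the plan figures from the table, returning 200 or 429 with a Retry-After header, and a client that retries with exponential backoff plus full jitter, honouring Retry-After when the server supplies it. The exact header names are assumptions; the guide only says rate-limit headers are included.

```python
import math
import random

# Limits from the table above: (sustained requests per minute, burst size).
PLAN_LIMITS = {
    "Starter": (60, 100),
    "Professional": (100, 200),
    "Business": (300, 500),
}


class TokenBucket:
    """Server-side limiter: holds up to `burst` tokens, refilled at `per_minute` tokens per minute."""

    def __init__(self, per_minute: int, burst: int, now: float):
        self.rate = per_minute / 60.0        # tokens per second
        self.capacity = burst
        self.tokens = float(burst)
        self.updated = now

    def request(self, now: float):
        """Return (status, headers) as the API might: 200 with the remaining count, or 429 with Retry-After."""
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return 200, {"X-RateLimit-Remaining": str(int(self.tokens))}
        wait = math.ceil((1 - self.tokens) / self.rate)
        return 429, {"X-RateLimit-Remaining": "0", "Retry-After": str(max(1, wait))}


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 30.0, rng=random.random) -> float:
    """Exponential backoff with full jitter: a random point in [0, min(cap, base * 2**attempt)]."""
    return min(cap, base * 2 ** attempt) * rng()


def call_with_backoff(send, sleep, max_retries: int = 5, rng=random.random):
    """Client side: call `send()` -> (status, headers); on 429 wait for Retry-After if the server
    gave one, otherwise a jittered exponential delay, then retry. Returns (status, attempts, waited)."""
    waited = 0.0
    for attempt in range(max_retries + 1):
        status, headers = send()
        if status != 429:
            return status, attempt + 1, waited
        delay = float(headers["Retry-After"]) if "Retry-After" in headers else backoff_delay(attempt, rng=rng)
        sleep(delay)
        waited += delay
    return 429, max_retries + 1, waited


def simulate(plan: str, calls: int):
    """Fire `calls` requests back to back against a simulated clock (no real sleeping);
    returns the outcome of the last call as (status, attempts, seconds waited)."""
    clock = [0.0]
    bucket = TokenBucket(*PLAN_LIMITS[plan], now=clock[0])
    send = lambda: bucket.request(clock[0])
    sleep = lambda seconds: clock.__setitem__(0, clock[0] + seconds)
    result = None
    for _ in range(calls):
        result = call_with_backoff(send, sleep)
    return result
```

Injecting `send` and `sleep` keeps the retry logic testable without touching the network or the wall clock; in production `sleep` is `time.sleep` and `send` wraps the HTTP call.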

API Key Security

  • Never commit API keys to version control
  • Use environment variables for key storage
  • Rotate keys periodically
  • Use separate keys for different environments
  • Monitor API usage for unexpected patterns

Email Compliance

Mailneo provides tools to help you comply with email regulations. It's your responsibility to ensure your email practices meet legal requirements in your jurisdiction.

GDPR Compliance

For EU recipients, GDPR requires:

  • Lawful basis: Obtain consent or have legitimate interest before emailing
  • Consent records: Mailneo tracks when and how consent was given
  • Right to access: Export subscriber data on request
  • Right to erasure: Delete subscriber data on request
  • Data portability: Provide data in standard formats

Double Opt-In

Enable double opt-in for stronger consent:

  1. Go to your newsletter settings.
  2. Enable "Require email confirmation".
  3. Customize the confirmation email if needed.
  4. Only confirmed subscribers are marked as active.

Double opt-in provides proof of consent and improves list quality.
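To make the "proof of consent" concrete, here is an added Python example (not Mailneo's implementation) of the mechanics behind the four steps above: the subscriber is recorded as pending, the confirmation email carries an HMAC-signed, expiring token, and only a valid token marks the subscriber active while storing when, how and from where consent was confirmed. The signing key, 48-hour lifetime and record layout are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = secrets.token_bytes(32)   # hypothetical; a real service loads this from a secret store
TOKEN_TTL = 48 * 3600                   # confirmation links expire after 48 h (an assumed value)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, list_id: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Signed, expiring token for the confirmation link; it cannot be forged or reused for another address."""
    payload = json.dumps({"email": email, "list": list_id, "exp": now + TOKEN_TTL}, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_confirmation_token(token: str, now: int, key: bytes = SIGNING_KEY):
    """Return the payload if the signature is valid and the token has not expired, else None.
    The signature is checked before the payload is parsed, so unauthenticated bytes are never interpreted."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    data = json.loads(payload)
    return data if data["exp"] >= now else None


def request_subscription(email: str, list_id: str, now: int, subscribers: dict) -> str:
    """Steps 1-3: record the address as pending and return the token to embed in the confirmation email."""
    subscribers[(email, list_id)] = {"status": "pending", "requested_at": now}
    return make_confirmation_token(email, list_id, now)


def confirm_subscription(token: str, now: int, source_ip: str, subscribers: dict) -> bool:
    """Step 4: only a valid token flips the subscriber to active, and the consent evidence is stored with it."""
    data = verify_confirmation_token(token, now)
    if data is None or (data["email"], data["list"]) not in subscribers:
        return False
    subscribers[(data["email"], data["list"])] = {
        "status": "active",
        "consent": {"method": "double opt-in", "confirmed_at": now, "ip": source_ip},
    }
    return True
```

The stored consent record is what answers a later GDPR "lawful basis" question: it ties the address to a confirmation the subscriber could only have performed with access to that mailbox.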

CAN-SPAM Compliance

For US recipients, CAN-SPAM requires:

  • Clear sender: Accurate "From" name and email
  • Honest subject: Subject line must reflect content
  • Physical address: Include your postal address (Mailneo adds automatically)
  • Unsubscribe link: Clear opt-out mechanism (Mailneo adds automatically)
  • Honor opt-outs: Process within 10 days (Mailneo processes immediately)

CASL Compliance (Canada)

For Canadian recipients:

  • Express consent required (not just implied)
  • Clear identification of sender
  • Unsubscribe mechanism in every message
  • Physical contact information

Unsubscribe Handling

Automatic Unsubscribe

Mailneo automatically handles unsubscribes:

  • One-click unsubscribe: List-Unsubscribe header added to all emails
  • Footer links: Unsubscribe link in every campaign email
  • Instant processing: Unsubscribes take effect immediately
  • Preference center: Let subscribers manage which lists they receive

Suppression Lists

Suppressed contacts won't receive emails:

  • Unsubscribed: Opted out from emails
  • Bounced: Hard bounced addresses
  • Complained: Marked email as spam
  • Manual: Added to suppression list by you

View and manage suppression lists in Settings → Compliance.
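The following added Python example (not Mailneo's code) ties the Automatic Unsubscribe and Suppression Lists sections together: a suppression list keyed case-insensitively with the four reasons above, a campaign-message builder that refuses suppressed recipients and otherwise adds the RFC 8058 List-Unsubscribe / List-Unsubscribe-Post headers, a footer link and a postal address, and the handler that processes a one-click POST by suppressing the address immediately. The placeholder domain, token format and the in-memory link registry are assumptions.

```python
import secrets
from email.message import EmailMessage
from email.utils import formataddr

SUPPRESSION_REASONS = {"unsubscribed", "bounced", "complained", "manual"}
UNSUB_BASE_URL = "https://mail.example.com/u/"        # placeholder, not a Mailneo URL


class SuppressionList:
    """Addresses that must never be mailed, keyed case-insensitively, with the reason they were added."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def normalise(addr: str) -> str:
        return addr.strip().lower()

    def add(self, addr: str, reason: str) -> None:
        if reason not in SUPPRESSION_REASONS:
            raise ValueError(f"unknown suppression reason: {reason}")
        self._entries[self.normalise(addr)] = reason

    def reason(self, addr: str):
        return self._entries.get(self.normalise(addr))


def build_campaign_email(to_addr, campaign_id, subject, body, sender, postal_address, suppression, links):
    """Return None when the recipient is suppressed; otherwise a message carrying the RFC 8058
    one-click headers plus the footer unsubscribe link and postal address. `links` maps each
    unsubscribe token to its recipient so the handler can act on it without trusting the request body."""
    if suppression.reason(to_addr):
        return None
    token = secrets.token_urlsafe(16)
    links[token] = (SuppressionList.normalise(to_addr), campaign_id)
    url = UNSUB_BASE_URL + token
    msg = EmailMessage()
    msg["From"] = formataddr(sender)
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg["List-Unsubscribe"] = f"<{url}>, <mailto:unsubscribe@mail.example.com?subject={token}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"   # mail clients POST here with no user interaction
    msg.set_content(f"{body}\n\n--\nUnsubscribe: {url}\n{postal_address}\n")
    return msg


def handle_one_click_unsubscribe(token: str, links: dict, suppression: SuppressionList) -> bool:
    """The POST target: an unknown token is ignored; a known one suppresses the address at once."""
    entry = links.pop(token, None)
    if entry is None:
        return False
    addr, _campaign = entry
    suppression.add(addr, "unsubscribed")
    return True
```

Using an unguessable token rather than the address itself in the link means nobody can unsubscribe someone else by guessing their email, and popping the token on use makes each link single-use.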

Audit & Logging

Security Audit Log

Mailneo logs security-relevant events:

  • Login attempts (successful and failed)
  • Password changes
  • 2FA enable/disable
  • API key creation/deletion
  • Email account connections
  • Team member changes
  • Data exports and deletions

Viewing Audit Logs

  1. Go to Settings → Security → Audit Log.
  2. Filter by event type, date range, or user.
  3. View details including IP address and user agent.
  4. Export logs for compliance documentation.

Audit logs are retained for 1 year and cannot be modified or deleted.
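As an added example (not Mailneo's implementation), the Python below shows two things a practitioner would want from such a log: the filtering in step 2 over constructed sample events shaped like the event list above, and a hash-chained append-only structure that lets "cannot be modified or deleted" be verified rather than assumed. It also runs a simple detection over the events, flagging an IP with a burst of failed logins followed by a success. The event field names and sample data are constructed for this example.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real Mailneo logs): five failed logins from one IP in 40 seconds,
# then a success from the same IP, plus ordinary activity from another user.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "type": "login.failed", "user": "alice@example.com", "ip": "198.51.100.7", "ua": "curl/8.0"},
    {"ts": "2024-05-01T09:00:10Z", "type": "login.failed", "user": "alice@example.com", "ip": "198.51.100.7", "ua": "curl/8.0"},
    {"ts": "2024-05-01T09:00:20Z", "type": "login.failed", "user": "alice@example.com", "ip": "198.51.100.7", "ua": "curl/8.0"},
    {"ts": "2024-05-01T09:00:30Z", "type": "login.failed", "user": "alice@example.com", "ip": "198.51.100.7", "ua": "curl/8.0"},
    {"ts": "2024-05-01T09:00:40Z", "type": "login.failed", "user": "alice@example.com", "ip": "198.51.100.7", "ua": "curl/8.0"},
    {"ts": "2024-05-01T09:01:00Z", "type": "login.success", "user": "alice@example.com", "ip": "198.51.100.7", "ua": "curl/8.0"},
    {"ts": "2024-05-01T09:30:00Z", "type": "login.success", "user": "bob@example.com", "ip": "203.0.113.9", "ua": "Mozilla/5.0"},
    {"ts": "2024-05-01T10:00:00Z", "type": "api_key.created", "user": "bob@example.com", "ip": "203.0.113.9", "ua": "Mozilla/5.0"},
    {"ts": "2024-05-01T10:05:00Z", "type": "2fa.disabled", "user": "alice@example.com", "ip": "198.51.100.7", "ua": "curl/8.0"},
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _entry_hash(prev_hash: str, event: dict) -> str:
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditLog:
    """Append-only log: every entry stores the hash of the one before it, so a later edit or
    deletion breaks the chain and verify() reports where."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        event = dict(event)                       # copy, so callers cannot mutate a stored entry
        self.entries.append({"event": event, "prev": prev, "hash": _entry_hash(prev, event)})

    def verify(self):
        """Return None if the chain is intact, else the index of the first entry that fails."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["event"]):
                return i
            prev = entry["hash"]
        return None

    def query(self, type=None, user=None, since=None, until=None):
        """Filter by event type, user and an inclusive ISO-8601 time range, as step 2 describes."""
        out = []
        for entry in self.entries:
            ev = entry["event"]
            t = parse_ts(ev["ts"])
            if (type and ev["type"] != type) or (user and ev["user"] != user):
                continue
            if (since and t < parse_ts(since)) or (until and t > parse_ts(until)):
                continue
            out.append(ev)
        return out


def failed_login_bursts(events, threshold: int = 5, window_s: int = 600):
    """Flag IPs with `threshold` or more failed logins inside `window_s` seconds, noting whether a
    successful login from the same IP followed the burst (a sign the password may have been guessed)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["type"] in ("login.failed", "login.success"):
            by_ip[ev["ip"]].append((parse_ts(ev["ts"]), ev["type"]))
    findings = {}
    for ip, items in by_ip.items():
        items.sort()
        fails = [t for t, kind in items if kind == "login.failed"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and (fails[j + 1] - fails[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                success_after = any(kind == "login.success" and t >= fails[j] for t, kind in items)
                findings[ip] = {"failed": j - i + 1, "followed_by_success": success_after}
                break
    return findings


def build_sample_log() -> AuditLog:
    log = AuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log
```

In the sample data the flagged IP also disables 2FA an hour after its successful login, which is the kind of sequence an analyst would look for when reviewing an exported log.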

Infrastructure Security

Platform Security

  • Hosting: Cloud infrastructure with SOC 2 compliance
  • Network: DDoS protection and WAF
  • Database: Encrypted backups, point-in-time recovery
  • Monitoring: 24/7 infrastructure monitoring
  • Updates: Regular security patches and updates

Incident Response

In the event of a security incident, we follow a documented response process including containment, investigation, and notification. Affected users are notified within 72 hours as required by GDPR.

Reporting Security Issues

Responsible Disclosure

If you discover a security vulnerability:

  • Email security details to our security team
  • Include steps to reproduce the issue
  • Allow reasonable time for us to respond and fix
  • Don't disclose publicly until fixed

We appreciate responsible disclosure and will acknowledge researchers who report valid vulnerabilities.
