At Mailinator, protecting customer data is a top priority. We take the responsibility of securing it very seriously.
Mailinator's architecture is built to be secure and reliable. It is a multi-tier architecture where server-to-server communication occurs over a firewalled, private network. Access keys are rotated regularly and stored separate from code and data.
Our application is hosted by Linode and Digital Ocean with the following certifications:
- SOC 1 Type 2
- SOC 2 Type 2
- HIPAA Type 1
- PCI DSS
- SOC 2 Type 2
- SOC 3 Type 2
- PCI DSS
Mailinator's payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry. Mailinator does not typically receive credit card data, making it compliant with Payment Card Industry Data Security Standards (PCI DSS) in most situations.
Site Continuity and Disaster Recovery
Mailinator's architecture is built with fault tolerant capability. Each service is redundant with replication and failover.
Mailinator retains development and testing systems that are fully isolated from the production environment.
Firewall and Encryption
Our servers are protected by Firewalls. The Mailinator web service is proxied through Cloudflare. All Mailinator web traffic is served over HTTPS. We force HTTPS for all web resources including our REST API.
Our SMTP servers support upgrading connections to TLS encryption. Bodies of Emails sent to the Private Mailinator sytem is encrypted at rest. Email sent to the Public Mailinator system is not encrypted (and is freely available to all users).
Vulnerability Scans and Penetration Testing
Mailinator monitors all third-party tools that are used within the system for security upgrades
and patches. All such patches are patched promptly when new issues are reported
The Mailinator system undergoes third-party security reviews and penetration tests at least yearly. Issues that are categorized as high-impact are addressed within 30 days.
Security Training and Confidentiality
Mailinator has mandatory security training for all employees. Additionally, all employees sign confidentiality agreements with Mailinator.
Mailinator takes data security seriously.
Public Email Domains (e.g. @mailinator.com) are intended as public domain data. There is no intended or implied privacy surrounding data sent to any Mailinator public domain. The public access of Mailinator's public domains is, in fact, a intended goal of the usability of that service.
In contrast, Subscribers to the Mailinator service receive a "Private Domain" (e.g. something akin to yourCompanyQATesting.com). Emails sent to a Subscriber's private domain are not public and viewable only by those subscribers.
Mailinator data stores are accessible only by servers that require access.
Mailinator conducts backups on a weekly and monthly basis. Hot backups are retained for one month. Off-net backups are retained for up to one year.
All sensitive information (including passwords, API keys, etc) is filtered from all server logs. Subscriber activity is logged and kept for 6 weeks. No user activity is logged in the Mailinator Public system.
We never store passwords in a form that can be retrieved. Mailinator stores an irreversible cryptographic hash using a function specifically designed for this purpose. Authentication sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity.
Secure Single Sign On (SSO)
SSO is available for Enterprise subscriptions supporting SAML.
We monitor and rate limit authentication attempts on all accounts. Our system automatically blocklists any IP addresses responsible for suspicious authentication activity.
We provide multiple user roles with different permissions levels within the product. Roles vary from account admins to users.
Mailinator has a defined protocol for responding to security
Security and Confidentiality
All employees are trained in Security procedures pertinent to their position. All employees sign confidentiality agreements with Manybrain (Mailinator).
All credit card payments paid to Mailinator/Manybrain go through our payment processing partner, Stripe. Details about their security posture and PCI compliance can be found at Stripe's Security page.
Mailinator conducts software development and updates through a system of standards and repeatable tests. Code pushes to production occur through a repeatable and automated process with immediate capability for reversion if necessary.
If you have any questions or concerns regarding the security of this site, please email us at: firstname.lastname@example.org