Security @ Mailform

Security of your personal and business data provided to Mailform is of the utmost importance. We host Mailform on using secure infrastructure services from a number of providers, including Heroku, Google Cloud and Linode.

Product Security

Authentication

Mailform allows authentication using:

• Google Workspace
• Facebook
• FreshBooks
• QuickBooks
• Xero

For all these authentication methods, no password information is requested, required or stored.

Mailform also supports authentication with an email address and a password: in this case the password is securely hashed with bcrypt.

Permissions

Mailform offers support for teams: the team owner(s) can invite additional members of their team and permit those members to purchase services from Mailform without granting them access to payment information.

Operational Security

Mailform's production systems are managed infrastructure services provided and secured by Heroku, Linode and Google Cloud.

All network traffic is encrypted in transit using industry standard HTTPS security, with certificates provided by LetsEncrypt.

All employee access to critical infrastructure requires two-factor authentication.

Data Security

All customer data stored in Mailform's databases and on disk are encrypted at rest.

Network Security

Mailform uses web application firewalls and rate limiting to protect our systems from errors and attacks.

Customer Financial Information

Mailform accepts payments using Stripe and Paypal: we do not store any credit card information in our systems.

API and Integrations

Access to the Mailform API endpoints requires a security access token that can be managed by customers: existing tokens can be deleted and new tokens generated on demand.

All other integrations are on demand and access tokens for those integrations can be deleted on demand.

Vulnerability Reporting

If you believe you've identified a potential security vulnerability on Mailform or with one of the services we use, please report it to us right away. We will evaluate all legitimate reports as soon as possible and try to fix any problems quickly.

More Information

Please send any reports to security@mailform.io: we will get back to you as soon as possible. We would be grateful if you:

• Notify Mailform and provide all details of the vulnerability before making any information public.
• Provide us a reasonable amount of time to address the issue before publication.
• Provide all details of the vulnerability to support validation and reproduction of the issue.
• Work with us to avoid data destruction, theft, privacy violations or service interruptions.

Exclusions

While researching, we'd respectfully ask that you don't:

• Perform denial of service attacks
• Spam our service and endpoints
• Perform any social engineering or phishing of our staff or contractors
• Perform any physical attempts

In addition, our security policy considers the following to be out of scope:

• DMARC configuration
• External services used

Acknowledgements

Mailform would like to thank the following security researchers for working with us to provide secure products and protect our customers' information.

2020

---

Jagadeesh V

https://linkedin.com/in/jagadeesh-jd-79308b93

2019

---

Mohamed Saqib C

https://www.linkedin.com/in/mohamed-saqib

Abin Joseph

https://www.facebook.com/hacker.abin1337

Pethuraj M

https://www.pethuraj.com, https://www.pethuraj.in

2018

---

Sumit Sahoo

https://www.sumitsahoo.com