← Back to Postboi

Security & data

Last updated: 10 July 2026

Email is a trust business. This page explains where your data lives, how it's protected, and who touches it — in plain language. For what we collect and why, see the privacy policy.

Where your email is processed

Email delivery runs in the EU. Mail sent through Postboi is delivered by Amazon SES from the eu-north-1 region (Stockholm, Sweden) — message content is processed and delivered from there. The application itself (dashboard and API) runs on Cloudflare Workers, which execute on Cloudflare's global edge network close to whoever's making the request, with account data stored in Cloudflare D1.

We're a UK-operated service, and our processing is governed by UK GDPR. If you need a data processing agreement for your own compliance, email support@postboi.email.

Encryption

  • In transit: TLS everywhere — browser to dashboard, your app to the API, and onward delivery to recipient mail servers (opportunistic TLS, as SMTP allows).
  • At rest: stored data is encrypted at rest by our infrastructure providers (Cloudflare and AWS).

Keys and credentials

  • API keys are stored as one-way hashes. We can't read a key back after creation — if one leaks, revoke it and mint another in the dashboard.
  • No passwords. Sign-in is by magic link or SSO (Google, Microsoft, GitHub), so there's no password database to breach.
  • Card details never touch our servers — payment is handled end-to-end by Stripe.

Sending isolation

Every account sends under its own isolated sending identity with per-account bounce and complaint tracking. An account whose sending turns abusive is paused automatically — which means one bad actor can't burn the deliverability of your mail. Suppression lists, rate limits and daily caps back that up.

Form endpoints

Hosted form submissions are spam-checked (honeypot, and optionally a managed captcha) before anything is sent, rate-limited per form, and can only deliver to a verified team member's email address — a public form URL can never be pointed at an arbitrary inbox.

Subprocessors

The full list of companies that process data on our behalf:

  • Amazon Web Services (SES, eu-north-1) — email delivery.
  • Cloudflare — application hosting, data storage, captcha (Turnstile).
  • Stripe — payments and billing.
  • Google Analytics — site analytics, only with cookie consent.

That's the whole list. We'll update this page before adding to it.

Reporting a vulnerability

Found something? Email support@postboi.email with details and we'll respond quickly — usually same day. Please give us a reasonable window to fix before disclosing publicly, and don't test against other people's accounts or data. We're grateful to anyone who reports in good faith.

Status

Live service health is published at postboi.email/status.