Legal

Security

We take the security of your data and API keys seriously. Here's how we protect them.

Last updated: 5 April 2026

Infrastructure

  • All services run in UK cloud regions; customer data is stored and processed only within the UK.
  • Traffic between clients and our API is encrypted with TLS 1.2 or higher.
  • Internal service-to-service communication is encrypted in transit.
  • Database backups are encrypted at rest with AES-256.
  • Production access is restricted to named engineers via short-lived, audited credentials.

API keys

  • API keys are displayed to you exactly once, at creation. We never store the raw key.
  • Keys are hashed with SHA-256 before being written to our database. An unsalted fast hash is adequate here because keys are long random strings rather than human-chosen passwords: an attacker who obtains the hash cannot feasibly enumerate candidate keys. Dashboard passwords are handled differently (see Authentication).
  • If a key is compromised, you can revoke it instantly from the dashboard — it becomes unusable within seconds.
  • You can rotate keys without downtime by creating a new key before revoking the old one.
  • Keys take the form mv_live_<random> for production and mv_test_<random> for testing environments.
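The lifecycle described above, as an added example (not MailVerify's own code): a key is shown once, only its SHA-256 hash is stored, the environment prefix is checked before lookup, revocation takes effect on the next request, and rotation issues the replacement before revoking the old key. An in-memory dict stands in for the database; the 256-bit key length, the key_ identifiers and the last-four-characters hint are assumptions, not details taken from this page.

```python
"""Added example, not MailVerify's own code: the API-key lifecycle described
above (key shown once, only its SHA-256 hash stored, instant revocation,
rotate-before-revoke). An in-memory dict stands in for the database; the
256-bit key length, the key_ ids and the last-four-characters hint are
assumptions, not details taken from the page."""

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

KEY_PREFIXES = {"live": "mv_live_", "test": "mv_test_"}


@dataclass
class KeyRecord:
    key_id: str             # public identifier the dashboard uses to revoke
    key_hash: str           # hex SHA-256 of the full key; the raw key is never kept
    environment: str        # "live" or "test"
    owner: str
    last4: str              # lets the owner tell keys apart without seeing them
    created_at: float
    revoked_at: Optional[float] = None


def hash_key(raw_key: str) -> str:
    # A fast, unsalted hash is adequate only because the key carries 256 bits
    # of CSPRNG output: an attacker holding the hash cannot enumerate
    # candidates. Human-chosen passwords need bcrypt or argon2 instead.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def parse_environment(raw_key: str) -> Optional[str]:
    """Return "live" or "test" from the prefix, or None if the key is malformed."""
    for env, prefix in KEY_PREFIXES.items():
        if raw_key.startswith(prefix) and len(raw_key) > len(prefix):
            return env
    return None


class ApiKeyStore:
    def __init__(self) -> None:
        self._by_hash = {}   # key_hash -> KeyRecord
        self._by_id = {}     # key_id -> KeyRecord

    def create(self, owner: str, environment: str = "live") -> Tuple[str, str]:
        """Mint a key. Returns (key_id, raw_key); raw_key is shown once, then discarded."""
        if environment not in KEY_PREFIXES:
            raise ValueError("environment must be 'live' or 'test'")
        raw_key = KEY_PREFIXES[environment] + secrets.token_urlsafe(32)  # 32 bytes = 256 bits
        rec = KeyRecord(
            key_id="key_" + secrets.token_hex(8),
            key_hash=hash_key(raw_key),
            environment=environment,
            owner=owner,
            last4=raw_key[-4:],
            created_at=time.time(),
        )
        self._by_hash[rec.key_hash] = rec
        self._by_id[rec.key_id] = rec
        return rec.key_id, raw_key

    def authenticate(self, presented: str, expected_env: str) -> Optional[KeyRecord]:
        """Look up a presented key by its hash. None means reject the request."""
        if parse_environment(presented) != expected_env:
            return None          # malformed, or a test key sent to a live endpoint
        # The lookup compares hashes, not raw keys, so a timing difference here
        # can leak at most bits of the hash, which does not help recover the key.
        rec = self._by_hash.get(hash_key(presented))
        if rec is None or rec.revoked_at is not None:
            return None
        return rec

    def revoke(self, key_id: str) -> bool:
        """Dashboard action; the key fails on the very next authenticate() call."""
        rec = self._by_id.get(key_id)
        if rec is None or rec.revoked_at is not None:
            return False
        rec.revoked_at = time.time()
        return True

    def rotate(self, owner: str, old_key_id: str) -> Tuple[str, str]:
        """Zero-downtime rotation: issue the replacement first, then revoke the old key."""
        old = self._by_id[old_key_id]
        new_id, new_raw = self.create(owner, old.environment)
        self.revoke(old_key_id)
        return new_id, new_raw


if __name__ == "__main__":
    store = ApiKeyStore()
    key_id, raw = store.create("acme", "live")
    print("show this once:", raw)
    print("live auth:", store.authenticate(raw, "live") is not None)   # True
    print("test auth:", store.authenticate(raw, "test") is not None)   # False
    new_id, new_raw = store.rotate("acme", key_id)
    print("old key after rotation:", store.authenticate(raw, "live"))  # None
    print("raw key in storage:", any(raw in r.key_hash for r in store._by_hash.values()))  # False
```

The environment check runs before the hash lookup so a test key can never authenticate against a live endpoint even if someone pastes it into the wrong place; rotate() creates before it revokes, which is the ordering that gives the zero-downtime property the page describes.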

Authentication

  • Dashboard passwords are hashed with bcrypt (cost factor 12).
  • Sessions use cryptographically signed, server-validated tokens.
  • CSRF protection is applied to all state-changing dashboard actions.
  • We recommend using a strong, unique password and a password manager.
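A signed, server-validated session token and a per-session CSRF check, as an added example that is not MailVerify's own code. The signature is checked before the body is parsed, expiry and a server-side session table are both enforced, and the CSRF token is an HMAC of the session id under a domain-separated label. The token layout (base64url body, a dot, then an HMAC-SHA256 tag), the 12-hour lifetime and the label are assumptions, not details from this page.

```python
"""Added example, not MailVerify's own code: a cryptographically signed session
token that the server also validates against its own session table, plus a
per-session CSRF token for state-changing dashboard actions. The token layout
(base64url body "." HMAC-SHA256 tag), the 12-hour lifetime and the
domain-separation label are assumptions, not details from the page."""

import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SESSION_TTL = 12 * 60 * 60   # assumed session lifetime in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionManager:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._live = {}   # sid -> payload; "server-validated": logout/revocation deletes the entry

    def _sign(self, body: str) -> bytes:
        return hmac.new(self._secret, body.encode("ascii"), hashlib.sha256).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        payload = {"sid": secrets.token_hex(16), "uid": user_id, "exp": int(now + SESSION_TTL)}
        body = _b64(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
        self._live[payload["sid"]] = payload
        return body + "." + _b64(self._sign(body))

    def validate(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the payload for a genuine, unexpired, still-live session, else None."""
        now = time.time() if now is None else now
        try:
            body, tag = token.split(".", 1)
            # Check the signature before parsing anything attacker-controlled.
            if not hmac.compare_digest(self._sign(body), _unb64(tag)):
                return None                       # forged or tampered
            payload = json.loads(_unb64(body))
            if payload["exp"] <= now:
                return None                       # expired
            if payload["sid"] not in self._live:
                return None                       # revoked server-side
            return payload
        except (ValueError, KeyError, TypeError, UnicodeDecodeError):
            return None                           # malformed token

    def revoke(self, token: str, now: Optional[float] = None) -> bool:
        payload = self.validate(token, now)
        if payload is None:
            return False
        del self._live[payload["sid"]]
        return True

    def csrf_token(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Per-session CSRF token: HMAC of the session id under a domain-separated label."""
        payload = self.validate(token, now)
        if payload is None:
            return None
        msg = b"csrf:" + payload["sid"].encode("ascii")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def check_csrf(self, token: str, submitted: str, now: Optional[float] = None) -> bool:
        """Gate for state-changing actions: valid session AND matching CSRF token."""
        expected = self.csrf_token(token, now)
        if expected is None:
            return False
        try:
            return hmac.compare_digest(expected, submitted)
        except TypeError:                         # non-ASCII value submitted
            return False


if __name__ == "__main__":
    sm = SessionManager(secrets.token_bytes(32))  # production: a key from config, not per-process
    tok = sm.issue("user-42")
    csrf = sm.csrf_token(tok)
    print("valid session:", sm.validate(tok) is not None)
    print("csrf accepted:", sm.check_csrf(tok, csrf))
    body, tag = tok.split(".", 1)
    tampered = ("B" if body[0] != "B" else "C") + body[1:]
    print("tampered token:", sm.validate(tampered + "." + tag))
    sm.revoke(tok)
    print("after logout:", sm.validate(tok))
```

Keeping a server-side table alongside the signature is what makes logout and forced revocation immediate; a signature alone would keep a stolen token valid until it expires. The CSRF value is derived from the session id rather than stored, so it needs no extra state and cannot be replayed across sessions.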

Data handling

  • Email addresses submitted via the API are processed in memory and not written to long-term storage.
  • We do not cache or persist verification results. A short-lived Redis job queue entry exists only until your result is returned to you, then it is cleared.
  • We do not build or sell lists of verified email addresses.
  • Our staff cannot access your API keys — only their hashes are stored.

Monitoring and incident response

  • We run 24/7 automated monitoring with alerting on anomalous traffic patterns.
  • Security incidents are logged and reviewed by our engineering team.
  • In the event of a personal data breach affecting your personal data, we will notify you within 72 hours. Where required, we will also report the breach to the ICO within 72 hours of becoming aware of it (UK GDPR Article 33) and inform affected individuals without undue delay (Article 34).
  • Post-incident reviews are conducted for any significant security events.

Responsible disclosure

We welcome reports from security researchers. If you discover a vulnerability in MailVerify, please report it responsibly to [email protected] before public disclosure. Please include:

  • A description of the vulnerability and potential impact.
  • Steps to reproduce or proof-of-concept (without accessing other users' data).
  • Your preferred contact details.

We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 30 days. We operate on a responsible disclosure basis — please give us time to patch before publishing.

We do not operate a formal bug bounty programme at this time, but we will acknowledge researchers publicly (with permission) and consider goodwill gestures for significant findings.

Compliance

  • ICO registered — registration number ZC112021.
  • We act as a UK GDPR data processor for customer email lists and a data controller for account data.
  • Data Processing Agreements (DPA) are available on request for business customers — email [email protected].
  • We are registered with Companies House under number 16061949.

Questions

For security questions or to request our DPA, contact [email protected] or visit our contact page.