Security controls. Not security theatre.
Outbound email is a high-blast-radius surface. We treat access, credentials, logs, and suppression as first-class. Here's exactly what we do — no hand-waving.
This page is a living summary. For current attestations, sub-processor lists, and DPAs, contact [email protected].
Six controls that matter more than a badge.
Role-based access control
Custom roles with resource-level permissions. Give marketers campaigns; lock down sending servers and domains to operators.
Audit logs
Every change to roles, credentials, domains, and automations, and every destructive action, is recorded with actor and timestamp.
Scoped API keys
API keys inherit role-like scopes. Keys can be rotated, revoked, and restricted to specific resources.
Encryption in transit & at rest
TLS for all traffic. Data and provider credentials encrypted at rest with scoped access.
Suppression enforcement
Suppression, unsubscribe, and DNC lists are evaluated before every send. No exceptions.
Isolation & SSO
Workspace-level isolation keeps customers and clients separated. SAML / OIDC SSO on Premium and Enterprise.
What we store, and why.
Subscriber data
Customers upload subscriber lists. We process this data on customers' behalf as a processor. Retention follows the customer's instructions.
Sending telemetry
Delivery, bounce, complaint, and webhook events are retained for analytics and audit. Retention windows are plan-specific.
Sending domains & DNS
We verify SPF, DKIM, and DMARC against your DNS. We do not host or modify your DNS records.
Provider credentials
BYOP credentials are encrypted at rest and only decrypted at send time. Rotation and revocation are first-class operations.
Audit logs
Audit events for role changes, credential events, and destructive operations are retained per workspace plan.
Abuse & incident signals
Suspicious activity triggers platform-side throttling and customer-side alerts. Incidents are communicated via status page and direct contact.
What senders need to know.
GDPR
Mailers.io acts as a processor for subscriber data controlled by the customer. A Data Processing Addendum (DPA) is available on request. Lawful basis, consent records, and data subject requests are the controller's responsibility; we provide the tooling (exports, deletions, suppression) required to honour them.
CAN-SPAM
Marketing and cold email sends must include a working unsubscribe mechanism and a valid physical address. Mailers.io provides unsubscribe link handling, suppression enforcement, and template-level footer controls, but customers are responsible for content compliance.
Provider acceptable use
Sends go out through providers you connect (SES, Mailgun, SendGrid, SMTP, etc.). You remain responsible for adhering to each provider's acceptable use policy. Mailers.io surfaces provider errors and throttles as they occur.
Certifications & attestations
Certification and attestation status evolves. Contact [email protected] for the current status, our security questionnaire response, and our sub-processor list.
Questions enterprise buyers ask.
We'll walk through the exact controls you care about.
Send us your questionnaire, or book a review call. We respond with specifics, not marketing.