At Mailinator, protecting customer data is a top priority. We take the responsibility of securing it very seriously.
Mailinator's architecture is built to be secure and reliable. It is a multi-tier architecture where server-to-server communication occurs over a private network.
Mailinator’s payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry. Mailinator does not directly receive credit card data.
Site Continuity and Disaster Recovery
Mailinator's architecture is built with fault tolerant capability. Each service is redundant with replication and failover.
Mailinator retains development and testing systems that are fully isolated from the production environment.
Mailinator takes data security seriously.
Public Email Domains (e.g., @mailinator.com) are intended as public domain data. There is no intended or implied privacy surrounding data sent to any Mailinator public domain. The public access of Mailinator’s public domains is, in fact, an intended goal of the usability of that service.
In contrast, Subscribers to the Mailinator service receive a “Private Domain” (e.g., something akin to yourCompanyQATesting.com). Emails sent to a Subscriber’s private domain are not public and viewable only by those subscribers.
Mailinator data stores are accessible only by servers that require access.
Mailinator conducts backups on a weekly and monthly basis. Hot backups are retained for one month. Off-net backups are retained for up to one year.
All sensitive information (including passwords, API keys, etc) is filtered from all server logs. Subscriber usage activity is stored for up to 6 weeks. No user activity is logged in the Mailinator Public system (for example, for any @mailinator.com email address).
Firewall and Encryption
Our servers are protected by Firewalls. The Mailinator web service is proxied through Cloudflare. All Mailinator web traffic is served over HTTPS. We force HTTPS for all web resources, including our REST API.
Our SMTP servers support upgrading connections to TLS encryption.
Vulnerability Scans and Penetration Testing
Mailinator monitors all third-party tools that are used within the system for security upgrades and patches. All such patches are patched promptly when new issues are reported. The Mailinator system undergoes penetration tests at least yearly. Issues that are categorized as high-impact are addressed within 30 days.
Security Training and Confidentiality
Mailinator has mandatory security training for all employees. Additionally, all employees sign confidentiality agreements with Mailinator.
Secure Single Sign On (SSO)
SSO is available for Enterprise subscriptions supporting SAML.
We never store passwords in a form that can be retrieved. Mailinator stores an irreversible cryptographic hash using a function specifically designed for this purpose. Authentication sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity.
We monitor and rate limit authentication attempts on all accounts. Our system automatically blocklists any IP addresses responsible for suspicious authentication activity.
We provide multiple user roles with different permissions levels within the product. Roles vary from account admins to users.
Mailinator has a defined protocol for responding to security.
Mailinator conducts software development and updates through a system of standards and repeatable tests. Code pushes to production occur through a repeatable and automated process with immediate capability for reversion if necessary.
Security and Confidentiality
All employees are trained in Security procedures pertinent to their position. All employees sign confidentiality agreements with Manybrain (Mailinator).
All credit card payments paid to Mailinator/Manybrain go through our payment processing partner, Stripe. Details about their security posture and PCI compliance can be found at Stripe’s Security page.