01 · Encryption
Encrypted in transit, at rest, and in the HSM.
Every connection uses TLS 1.3 or better — TLS 1.2 and below are rejected at the load balancer. At rest, every database row and every object in storage is encrypted with AES-256. Sensitive fields (contact PII, DKIM private keys, OAuth tokens) carry an additional Fernet envelope keyed per-workspace so a database compromise doesn't yield decryptable values.
Database: Postgres · RLS
AES-256 at rest. Fernet for PII fields, OAuth tokens, and DKIM private keys. Row-Level Security policies enforce tenant isolation at the DB layer; no application-only enforcement.
Object storage: Cloudflare R2 Q3 2026
AES-256-GCM. Per-object signed URLs with TTL ≤ 1 hour. No public buckets.
DKIM keys: Fernet at rest
2048-bit RSA. Encrypted with a key derived from JWT_SECRET via SHA-256. KMS-backed signing is on the roadmap; today we sign in-process with the decrypted PEM.
OAuth tokens (Gmail · MS Graph)
Encrypted with the same per-workspace Fernet envelope. Refresh tokens rotated on schedule and whenever an anomaly is detected.
Backups: Neon point-in-time
Neon's built-in PITR covers the last 30 days. Restore tested monthly. RPO 5 min · RTO 1 hour for the primary DB.
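An added example (not Email Digit's own schema or code) of the database-layer tenant isolation described in the Database item above: a Postgres Row-Level Security policy keyed on a per-transaction workspace setting, followed by two catalog checks for tables and roles that escape it. The table `contacts`, the role `app_rw`, the setting `app.workspace_id` and the UUID are hypothetical.

```sql
-- Hypothetical tenant table; names are illustrative, not the product's schema.
CREATE TABLE contacts (
    id           bigserial PRIMARY KEY,
    workspace_id uuid  NOT NULL,
    email_enc    bytea NOT NULL   -- field-level ciphertext, opaque to the DB
);

-- ENABLE turns policies on; FORCE applies them to the table owner too,
-- so a migration or job running as owner cannot read across tenants.
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- USING filters rows read, updated or deleted; WITH CHECK blocks writing a
-- row into another workspace. An unset or empty setting yields NULL, the
-- comparison is not true, and no rows match (fails closed).
CREATE POLICY tenant_isolation ON contacts
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Application role: not superuser, no BYPASSRLS, not the table owner.
CREATE ROLE app_rw NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO app_rw;
GRANT USAGE ON SEQUENCE contacts_id_seq TO app_rw;

-- Per request: bind the workspace inside the transaction (third argument
-- true = local), so a pooled connection cannot carry it to the next tenant.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT set_config('app.workspace_id', '00000000-0000-4000-8000-000000000001', true);
SELECT id FROM contacts;   -- returns only this workspace's rows
COMMIT;

-- Audit check: ordinary tables in the schema that lack enforced RLS.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r'
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Audit check: roles that policies do not constrain.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Superusers and roles with BYPASSRLS skip policies even on a FORCE table, which is why the last query belongs in the same review as the first.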
02 · Access control
Least privilege. Logged. Reviewed.
Every production access — by us or by automation — is authenticated, authorized, and recorded. No shared service accounts. No bastion-less SSH.
2FA: Optional today · required for admin roadmap
TOTP via authenticator app. WebAuthn is Q4 2026. Phone-SMS 2FA is not accepted.
RBAC: Five roles
Owner · Admin · Editor · Sender · Viewer. Permissions are workspace-scoped. Owner role limited to one user; transferable, never duplicated.
SSO: SAML & OIDC Q4 2026
Will be available on Enterprise. Just-in-time provisioning. SCIM 2.0 for deprovisioning.
Production access: Render dashboard + service shell
Render's built-in audit log captures every shell session. No direct SSH (we don't run our own VMs).
Audit log: Append-only
Every administrative action emits an audit record (actor · action · target · IP · payload). Retained 7 years on Pro and above.
03 · Compliance commitments
What we promise, with status.
We don't claim certifications we haven't earned. The list below distinguishes active commitments from items in progress.
ACTIVE
GDPR + UK GDPR
DPA available on request. Right-to-delete cascade through every system. 72-hour breach notification.
ACTIVE
CCPA / CPRA
Consumer requests honored in <15 days. Sale-of-data: we don't sell data, ever.
ACTIVE
CAN-SPAM + CASL
Physical sender address surfaced on every campaign. Unsubscribe within 1 hour. Consent provenance tracked.
ACTIVE
Gmail / Yahoo bulk sender
RFC 8058 one-click unsubscribe. Complaint rate <0.3% enforced. Authentication alignment.
ACTIVE
Microsoft Outlook bulk sender
Same requirements as Gmail/Yahoo; same controls.
IN PROGRESS
India DPDP Act
Notice + consent framework underway. India-resident customers' data will be stored in ap-south-1 once that region is provisioned.
IN PROGRESS
SOC 2 Type II
Readiness phase underway. External audit and certification slated for Q2 2027 (year 2).
IN PROGRESS
ISO 27001
Started after SOC 2 audit. Targeted Q4 2027.
04 · Sub-processors
Where your data goes — every vendor, listed.
Material additions to this list are notified by email 30 days in advance. Object to a sub-processor change by replying — we take it seriously and have rerouted before.
| Sub-processor | Purpose | Region | Data accessed |
| --- | --- | --- | --- |
| AWS | SES email sending | us-east-1 | Message envelope + body |
| Render | App hosting · backend container | us-west-2 (Oregon) | All customer data |
| Neon | Postgres (managed) | us-east-2 | Workspace data |
| Cloudflare | DNS · CNAME delegation · CDN | Global edge | DKIM record values · CNAME targets |
| Vercel | Frontend hosting | Global edge | No customer data (static) |
| Anthropic | Reply classification (primary) | us-east | PII-redacted prompts |
| OpenAI | Reply classification (fallback) | us-east | PII-redacted prompts |
| Meta (WhatsApp Cloud API) | WhatsApp send + receive | Per phone-number region | WhatsApp message body + metadata |
| Stripe | Payments | us-west-2 · eu-west-1 | Billing identity · card details (tokenized) |
05 · Data residency
Pinned to your billing region.
Today: US is our primary region. EU and India are Q4 2026. Cross-region replication is opt-in per workspace, not default.
US customers
Data stored in us-west-2 (Render) and us-east-2 (Neon). Backups stored in a separate region within the US.
EU customers Q4 2026
Will land in eu-west-1 (Ireland). SCC + DPA in place for any sub-processor that processes EU data.
India customers Q4 2026
Will land in ap-south-1 (Mumbai). DPDP-compliant cross-border consent required for replication outside.
06 · Incident response
What we do when something breaks.
Defined severities, defined response windows, public postmortems. We don't believe in marketing-language status pages.
Sev-1: Critical
Sending pipeline down · data layer down · security breach. Page immediately · status page updated within 15 min · postmortem within 24h of resolution.
Sev-2: Major degradation
Backend degraded · elevated error rate · single-tenant impact. Investigate within 1 hour during business hours.
Sev-3: Limited impact
Workspace-specific issue · minor regression. Ticket within 4 hours.
RPO · RTO: Recovery targets
Postgres: RPO 5 min · RTO 1 hour via Neon PITR. Object storage Q3 2026.
Status page: status.emaildigit.com Q3 2026
Real-time component health · 90-day uptime history · subscription via email/SMS/webhook.
07 · Vulnerability disclosure
Found something? Tell us.
We respect good-faith research. If you've discovered a vulnerability in Email Digit, please report it through one of the channels below. We commit to acknowledge within 48 hours and to publish a fix or remediation plan within 14 days for confirmed issues.
Primary contact
security@emaildigit.com — PGP key available on request.
Bug bounty
Formal program launching with year 2. In the meantime, meaningful disclosures are rewarded individually — we'll work it out with you directly.
Scope
All *.emaildigit.com, the public REST API, the SDKs once released. Out of scope: rate-limiting on free public tools, social engineering, third-party tooling we don't control.
Safe harbor
We will not pursue legal action against researchers who follow this policy in good faith. Specifically: no testing against other customers' workspaces, no DoS, no data exfiltration beyond proof of access.
08 · Privacy policy
What we collect, why, and what we never do.
Email Digit collects exactly the data needed to send your messages and route your replies. We don't sell data. We don't share data with advertisers. The full policy is a separate document, but the short version: your customer list is your customer list, and it doesn't leave your workspace.
09 · Terms of service
Plain-language terms.
Month-to-month on Free / Starter / Pro / Business. Cancel anytime. Export your data anytime. Enterprise has a standard 12-month term. We charge in your local currency where supported and never auto-upgrade you to a higher tier without explicit confirmation.
10 · Acceptable use policy
What we will not let you do.
Prohibited: spam, phishing, malware distribution, sending without consent, illegal content, complaint-rate violations. We do allow cold B2B outbound with proper warmup, relevant targeting, and honored unsubscribes. We do not allow cold B2C outbound. Complaint thresholds: 0.2% generates a warning, 0.4% suspends sending pending review.
11 · Data processing addendum
For your legal team.
Our DPA is GDPR-compliant, signed and counter-signed by default for any Pro+ customer who needs one, and includes Standard Contractual Clauses for EU↔US transfers. Sub-processor list is referenced and updated monthly.