
Security at BestEmail

BestEmail is still in a guided rollout, so this page describes the current security posture carefully instead of promising controls we have not fully verified on every surface.


Transport Security

  • BestEmail uses HTTPS on its public web experience and secure transport for application traffic
  • Exact protocol and provider-level settings can vary by environment as the platform evolves
  • If you need a control-by-control review, contact security@bestemail.in before rollout

Stored Data

  • Core product data is stored on managed application and database infrastructure
  • Backup and platform protection depend on the active hosting environment and provider controls
  • We avoid publishing stronger at-rest guarantees here than we have separately verified

Payment Security

  • BestEmail does not store full card numbers or CVV data
  • Broad self-serve billing is not live yet and remains a controlled-rollout area
  • Any approved payment flow is expected to run through a supported third-party provider
  • Billing security controls are reviewed before wider public activation

Email Authentication

  • BestEmail includes domain-auth workflows for SPF, DKIM, and DMARC setup
  • Verification depends on your actual DNS records and sending-domain configuration
  • Cloudflare-assisted DNS setup is available in the current product flow where supported

Infrastructure Posture

  • BestEmail runs on managed cloud infrastructure
  • Security updates, backups, and operational hardening are ongoing responsibilities rather than blanket guarantees
  • Cloudflare is used on public web surfaces, but exact protection layers can differ by route and environment

Account Controls

  • Team roles and session-based account access exist in the current product
  • Access is still being rolled out carefully, including admin approval for account activation
  • Advanced controls such as universal 2FA enforcement or account-level IP restrictions should be confirmed with us before relying on them

Data Protection

We try to keep product, legal, and operational handling aligned with the real system that exists today.

  • Data minimization — we aim to collect only what the product needs to operate
  • Purpose limitation — subscriber and account data should be used for the workflows it was collected for
  • Access review — internal access should stay limited to people who need it for support or operations
  • Policy alignment — legal/privacy commitments should stay in sync with the actual platform state

Compliance

  • BestEmail publishes privacy, terms, and DPA materials for customer review
  • Customers are still responsible for their own lawful sending practices and consent basis
  • Regulatory needs such as GDPR or DPDPA should be validated against your use case before wider rollout
  • If you need a formal security or compliance review, request it directly instead of relying on marketing shorthand

Responsible Disclosure

Found a vulnerability? We appreciate responsible disclosure.

Report to: security@bestemail.in

We take good-faith reports seriously and aim to respond promptly.

We will not take legal action against researchers who act in good faith.

  • Guided rollout approach
  • Managed hosting posture
  • Human security contact