Security Policy
Last updated: January 1, 2026. See also our security features.
Infrastructure Security
DO Mailbox operates enterprise-grade data centers in the US and Canada with multiple layers of physical and logical security. Our infrastructure is certified to SOC 2 Type II standards. Learn more about our security architecture.
Data Encryption
- All data in transit encrypted with TLS 1.3 (minimum TLS 1.2)
- Data at rest uses AES-256 encryption
- Email content encrypted end-to-end where supported by the client
- Encryption keys managed via HSM (Hardware Security Modules)
Access Controls
- Multi-factor authentication required for all admin access
- Zero-trust network architecture
- Role-based access control (RBAC) with principle of least privilege
- All access logged and auditable
Email Authentication (DMARC/SPF/DKIM)
We implement and enforce SPF, DKIM, and DMARC for all customer domains. Our AI-powered threat intelligence is updated in real time from global threat feeds.
Vulnerability Management
We conduct quarterly penetration testing by independent security firms, run continuous automated vulnerability scanning, and maintain a responsible disclosure program. Critical patches are applied within 24 hours of release.
Incident Response
Our Security Incident Response Team (SIRT) operates 24/7/365. In the event of a breach affecting your data, we will notify you within 72 hours as required by US and Canadian regulations.
Reporting a Security Issue
Contact: [email protected]. We aim to respond within 24 hours. For general inquiries, contact our team.