Security Policy — Mail-Organiser

Effective 26 May 2026 · BakersGuild Ltd

Security is fundamental to Mail-Organiser. Because we touch your inbox, we hold ourselves to a high standard. This policy describes the technical and organisational measures we use to protect your data and account.

1. Encryption

All communication between your browser or add-in and our API uses TLS 1.2 or higher. We do not support older SSL or TLS 1.0/1.1 protocols. Data at rest — including access tokens, session data, and user records — is encrypted using Cloudflare's native encryption at rest. Sensitive secrets (API keys, OAuth credentials, JWT signing keys) are stored exclusively as Cloudflare Worker secrets and are never committed to source code or logs.

2. Authentication

Mail-Organiser uses Microsoft's OAuth 2.0 for authentication. We never handle your Microsoft password — authentication is delegated entirely to Microsoft's identity platform. After authentication, we issue short-lived JWTs (24-hour expiry) signed with HS256. OAuth access tokens are stored encrypted in Cloudflare KV with a maximum lifetime of 7 days.

3. Least-privilege access

We request only the Microsoft Graph scopes necessary to deliver the service: Mail.ReadWrite, User.Read, and offline_access. We never request access to your contacts, calendar, files, or any other data. Access to our internal systems follows the principle of least privilege — only the specific service that needs data has access to it.

4. Infrastructure security

Mail-Organiser runs entirely on Cloudflare's serverless infrastructure:

We use Cloudflare's DDoS protection and Web Application Firewall on all API endpoints.

5. Audit logging

All significant events are written to an audit log: login events, email scans, folder moves, billing changes, and account modifications. Audit logs are retained for 12 months and are used for security monitoring and incident investigation.

6. Protected categories

Emails in Banking, Health, Medical, Legal, Financial, Tax/HMRC, and HR/Payroll folders are marked as protected. Protected emails cannot be moved to "Review to Delete" and cannot be permanently deleted through any automated action. All actions on protected emails require explicit user confirmation.

7. Incident response

In the event of a security incident affecting personal data, we will:

8. Vulnerability disclosure

If you discover a security vulnerability, please report it responsibly via our Vulnerability Disclosure Policy. We do not pursue legal action against good-faith security researchers.

9. Security reviews

We conduct periodic internal security reviews of our codebase, dependencies, and infrastructure configuration. We keep all dependencies updated and monitor for known vulnerabilities using automated tooling.

Security questions or concerns?

Email: security@mail-organiser.com

For vulnerability reports, see our Vulnerability Disclosure Policy.