Trust Center
Last updated: May 29, 2026
At MailVeriQ, earning and maintaining customer trust is fundamental to everything we do. This Trust Center provides transparency into our security posture, certifications, and the measures we take to protect your data. We process some of the most sensitive information in your organization — outbound email content — and we hold ourselves to the highest standards of security and operational integrity.
Certifications & Compliance
ISO 27001:2022 (Certified)
MailVeriQ Technologies maintains ISO 27001:2022 certification for our Information Security Management System (ISMS). This internationally recognized standard validates that we have implemented a systematic approach to managing sensitive information, including risk assessment, security controls, and continuous improvement processes. Our certification scope covers the MailVeriQ Gateway platform, supporting infrastructure, and all associated operational processes.
SOC 2 (Certified)
Our SOC 2 report, issued by an independent third-party auditor, provides assurance that our controls are effectively designed and operating over an extended observation period. The report covers the Security, Availability, and Confidentiality Trust Services Criteria. Enterprise customers may request a copy of the most recent report under NDA by contacting their account representative.
Infrastructure Security
MailVeriQ Gateway is hosted on Amazon Web Services (AWS) infrastructure, leveraging services that are themselves SOC 2 and ISO 27001 certified. Our infrastructure security includes:
- Network Isolation: All production services operate within private VPC subnets with no direct internet access. Inbound traffic is routed exclusively through hardened load balancers with Web Application Firewall (WAF) rules.
- Host Security: Production compute instances run hardened, minimal operating system images. All hosts are monitored by endpoint detection and response (EDR) agents with automated alerting.
- Container Security: Application workloads run in isolated containers with read-only filesystems, non-root execution, and regularly scanned base images. Container registries enforce vulnerability scanning before deployment.
- Access Controls: Production infrastructure access requires multi-factor authentication and VPN connectivity, and is restricted to authorized personnel on a least-privilege basis. All access is logged and reviewed quarterly.
Data Protection
- Encryption at Rest: All customer data, including quarantined email content, metadata, and audit logs, is encrypted using AES-256-GCM with keys managed through AWS KMS. Enterprise customers may use customer-managed keys (CMK).
- Encryption in Transit: All data transmitted between clients, the MailVeriQ platform, and internal services is encrypted using TLS 1.3. SMTP connections to the gateway support STARTTLS with enforced encryption for configured domains.
- Tenant Isolation: Customer data is logically isolated at the database level using PostgreSQL Row-Level Security (RLS) policies. Each tenant's data is accessible only to authenticated users within that tenant's scope. No cross-tenant data access is possible.
- Data Retention: Quarantined email content is retained according to each organization's configured retention policy and permanently deleted upon expiration. Immutable audit logs are maintained for the subscription duration plus 90 days.
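The tenant isolation bullet above describes row-level isolation in PostgreSQL. The following is an added illustration of how such an RLS policy is typically built and verified; it is not MailVeriQ's schema or code. The table name quarantined_messages, the role app_user, the session setting app.tenant_id and the tenant UUIDs are all constructed for the example.

```sql
-- Added example (not MailVeriQ's schema): tenant isolation with PostgreSQL
-- Row-Level Security. Assumes one shared table carrying a tenant_id column
-- and an application role (app_user) that binds a tenant id to each
-- transaction before touching the table.

CREATE TABLE quarantined_messages (
    id              bigserial   PRIMARY KEY,
    tenant_id       uuid        NOT NULL,
    subject         text        NOT NULL,
    quarantined_at  timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS, then FORCE it so the table owner is also subject to the
-- policy. Without FORCE the owner bypasses RLS; superusers and roles with
-- BYPASSRLS always bypass it, so the application must never connect as one.
ALTER TABLE quarantined_messages ENABLE ROW LEVEL SECURITY;
ALTER TABLE quarantined_messages FORCE ROW LEVEL SECURITY;

-- A row is readable (USING) and writable (WITH CHECK) only when its
-- tenant_id equals the tenant bound to the current transaction.
-- current_setting(name, true) returns NULL when the setting was never set,
-- and NULLIF turns a reset-to-empty value into NULL as well; a NULL
-- comparison is never true, so an unscoped session sees zero rows instead
-- of every tenant's rows (fail closed).
CREATE POLICY tenant_isolation ON quarantined_messages
    USING (
        tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid
    )
    WITH CHECK (
        tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid
    );

-- Constructed application role: no superuser, no BYPASSRLS, not the owner.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON quarantined_messages TO app_user;
GRANT USAGE, SELECT ON SEQUENCE quarantined_messages_id_seq TO app_user;

-- Per-request scoping, executed by a connection authenticated as app_user.
-- SET LOCAL confines the tenant id to this transaction, so a pooled
-- connection cannot leak one tenant's scope into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id

INSERT INTO quarantined_messages (tenant_id, subject)
VALUES ('11111111-1111-1111-1111-111111111111', 'Invoice attached');  -- accepted: matches scope

SELECT id, subject FROM quarantined_messages;  -- returns only this tenant's rows

-- Writing a row for a different tenant fails the WITH CHECK clause:
--   INSERT INTO quarantined_messages (tenant_id, subject)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'x');
--   ERROR:  new row violates row-level security policy for table "quarantined_messages"
COMMIT;

-- Verification query an auditor or engineer would run: both flags must be
-- true for every tenant-scoped table, and every such table needs a policy.
SELECT c.relname,
       c.relrowsecurity    AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       (SELECT count(*) FROM pg_policy p WHERE p.polrelid = c.oid) AS policy_count
FROM pg_class c
WHERE c.relname = 'quarantined_messages';
```

The two checks worth keeping in a deployment pipeline are the verification query at the end (RLS enabled, forced, and at least one policy per tenant-scoped table) and a negative test that runs a query with no app.tenant_id set and asserts it returns zero rows, since a table that has RLS enabled but no policy at all also returns nothing, while a missing FORCE or a privileged connection role silently returns everything.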
Incident Response
MailVeriQ maintains a documented Incident Response Plan that defines procedures for detection, containment, investigation, remediation, and communication. Key elements include:
- 24/7 automated monitoring and alerting for security events across all production systems
- Defined severity classification framework with corresponding response time objectives
- On-call rotation staffed by senior engineering and security personnel
- Customer notification within 72 hours of confirming a security incident that affects customer data, in accordance with contractual and regulatory obligations
- Post-incident review process with root cause analysis and corrective action tracking
Penetration Testing
MailVeriQ conducts penetration testing on a regular cadence to validate the effectiveness of our security controls:
- External Testing: Annual penetration tests performed by independent, qualified third-party security firms. Testing scope includes the MailVeriQ web application, APIs, SMTP gateway, and supporting infrastructure.
- Internal Testing: Continuous automated vulnerability scanning of all production systems and container images. Critical and high-severity findings are triaged and remediated within defined SLA windows.
- Remediation: All findings from penetration tests are tracked to resolution. Enterprise customers may request a summary of the most recent test results under NDA.
Responsible Disclosure
MailVeriQ values the security research community and welcomes reports of potential vulnerabilities in our platform. If you believe you have discovered a security issue, we encourage you to disclose it to us responsibly.
Reporting Guidelines
- Send your report to security@mailveriq.com, including a detailed description of the vulnerability, steps to reproduce, and any supporting evidence.
- Allow reasonable time for us to investigate and remediate the issue before any public disclosure.
- Do not access, modify, or delete data belonging to other customers or tenants.
- Do not perform denial-of-service attacks, social engineering, or physical security testing.
Our Commitment
- We will acknowledge receipt of your report within two business days.
- We will provide an initial assessment within five business days.
- We will not pursue legal action against researchers who follow these guidelines in good faith.
- We will credit researchers (with permission) for valid, responsibly disclosed vulnerabilities.
Questions
For security inquiries, certification requests, or questions about our security posture, contact us at security@mailveriq.com.