Security Policy — Mail-Organiser

To report a security vulnerability: Email security@mail-organiser.com with details. We respond within 24 hours. See our Vulnerability Disclosure Policy for full details.

1. Our Security Commitments

Security is a core part of how Mail-Organiser is designed, not an afterthought. We commit to:

Protecting your email metadata using industry-standard encryption
Never storing email body content — eliminating the most sensitive data risk
Maintaining the minimum required Microsoft Graph API permissions
Notifying you of any security incident affecting your data within 72 hours
Conducting regular security reviews of our code and infrastructure
Operating a responsible disclosure programme for security researchers

2. Infrastructure Security

☁️

Cloudflare Workers

All backend code runs on Cloudflare's isolated Worker runtime. No shared infrastructure. Automatic DDoS protection and rate limiting.

🔒

TLS 1.3

All communications between clients and our API use TLS 1.3. Older TLS versions are not accepted. HSTS enforced.

🗄️

Encrypted at Rest

All data stored in Cloudflare D1 and KV is encrypted at rest using AES-256. OAuth tokens receive additional application-level encryption.

🌐

Edge Network

Running on Cloudflare's global edge network provides resilience and eliminates single points of failure. No central server to attack.

3. Authentication and Access Control

3.1 OAuth 2.0 with PKCE

All Microsoft account authentication uses OAuth 2.0 with PKCE (Proof Key for Code Exchange). We request only the minimum required Microsoft Graph API permissions:

Mail.ReadWrite — to read email metadata and move emails to folders
MailboxSettings.Read — to read time zone settings
User.Read — to read your name and email address for account setup

We do not request Mail.Read permissions that would allow us to read email body content. This permission scope restriction is an architectural security control.

3.2 JWT Authentication

After authentication, we issue short-lived JSON Web Tokens (JWTs) for API access. These tokens:

Are signed using RS256 (asymmetric signing)
Expire after 24 hours
Are stored in sessionStorage — not persistent storage
Are invalidated on sign-out
Cannot be renewed silently without user action if expired

3.3 Rate Limiting

All API endpoints are protected by rate limiting enforced at the Cloudflare edge. Scan operations are additionally constrained by the subscription quota system to prevent abuse.

4. Data Minimisation

We apply strict data minimisation principles:

Email body content is never requested from the Microsoft Graph API
Only the fields necessary for classification are sent to the AI provider (sender, subject, timestamp)
Classification results are retained for 12 months, then automatically deleted
Scan logs contain metadata only — never email content
Deleted accounts are purged from all databases within 30 days

5. Sentinel — Prompt Injection Protection

Mail-Organiser's Sentinel system monitors email metadata for prompt injection attacks — attempts to embed AI-manipulation instructions in email subject lines or sender names. This protects both the integrity of our classification system and our AI provider from adversarial inputs.

Emails detected by Sentinel are:

Classified as "Suspicious" in scan results
Not processed through the AI classification pipeline
Never moved, regardless of whether the user approves all
Logged for security monitoring purposes

See the Sentinel Policy for full technical details.

6. Incident Response

6.1 Detection

We monitor our infrastructure for security anomalies using Cloudflare's security analytics, error rate monitoring, and automated alerting. Unusual access patterns, high error rates, or authentication failures trigger immediate investigation.

6.2 Response

Our incident response process:

Triage (within 1 hour): Assess scope and severity of the incident
Containment (within 4 hours): Isolate affected systems and prevent further damage
Investigation (within 24 hours): Determine root cause and extent of any data exposure
Notification (within 72 hours): Notify affected users and relevant authorities
Remediation: Fix the underlying issue and implement preventive measures
Post-incident review: Document lessons learned and update procedures

6.3 Breach Notification

In the event of a personal data breach, we will notify the UK Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. Affected individuals will be notified directly if the breach is likely to result in a high risk to their rights and freedoms.

7. Employee and Access Controls

Production system access is restricted to essential personnel only
All staff with access to personal data complete data protection training
Multi-factor authentication is required for all internal system access
Access is reviewed quarterly and revoked immediately upon departure
Privileged access is logged and audited

8. Third-Party Security

We select sub-processors that meet high security standards. Key certifications and programmes:

Cloudflare: ISO 27001, SOC 2 Type II, PCI DSS Level 1
Microsoft: ISO 27001, SOC 2 Type II, FedRAMP, UK Cyber Essentials Plus
Anthropic: SOC 2 Type II
Stripe: PCI DSS Level 1, SOC 2 Type II

9. Vulnerability Disclosure

We welcome reports from security researchers. If you discover a vulnerability in Mail-Organiser, please review our Vulnerability Disclosure Policy for responsible disclosure guidelines and our commitment to researchers.

Security contact: security@mail-organiser.com