Security

Overview

Security is fundamental to the Cascade Mail platform. As an email service provider handling sensitive communications and subscriber data on behalf of our customers, we implement comprehensive security measures across every layer of our infrastructure. This document outlines our security practices, controls, and commitments.

Infrastructure Security

Cascade Mail infrastructure is hosted in professionally managed data centers with physical security controls including biometric access, 24/7 surveillance, and environmental protections. Our servers run hardened Linux operating systems with minimal attack surface, regular patching cadence, and automated security updates for critical vulnerabilities.

We employ a defense-in-depth approach with multiple layers of security controls at the network, application, and data layers. All production systems are isolated from development and testing environments.

Encryption

Data in Transit

All connections to the Cascade Mail platform — including the web dashboard, API endpoints, and SMTP relay — are encrypted using TLS 1.2 or higher. We support opportunistic TLS for outbound email delivery, upgrading to encrypted connections whenever the receiving server supports it. Our SMTP servers advertise STARTTLS to all connecting clients and enforce TLS for API and web traffic.

Data at Rest

Sensitive data including authentication credentials, API keys, and encryption keys are stored using AES-256 encryption. Database backups are encrypted before transfer and storage. Subscriber data and email content in transit through our queues are protected with appropriate encryption measures.

Email Authentication

Cascade Mail provides and enforces comprehensive email authentication for all sending domains:

• SPF (Sender Policy Framework): We publish SPF records authorizing our sending infrastructure and guide customers through proper SPF configuration for their domains.
• DKIM (DomainKeys Identified Mail): Every outbound message is signed with DKIM using 2048-bit RSA keys. Each customer domain receives unique DKIM key pairs, with automated key rotation available.
• DMARC (Domain-based Message Authentication, Reporting and Conformance): We support full DMARC alignment and provide guidance to customers on implementing DMARC policies for their domains, including aggregate and forensic report processing.

Access Control

Access to Cascade Mail systems follows the principle of least privilege. All administrative access to production systems requires multi-factor authentication (MFA). Role-based access control (RBAC) restricts permissions based on job function. Customer accounts support multiple user roles with configurable permissions. API keys can be scoped to specific operations and are revocable at any time. All access is logged and subject to periodic review.

Network Security

Our network security architecture includes firewall rules restricting access to only required ports and protocols, network segmentation isolating the email delivery pipeline from management systems, DDoS mitigation at the network edge, rate limiting on all public-facing endpoints, and intrusion detection and prevention systems (IDS/IPS) monitoring for suspicious activity.

Data Protection

Customer data is logically separated at the application layer with strict tenant isolation. Database queries are parameterized to prevent injection attacks. Input validation and output encoding are applied throughout the application. Sensitive fields are masked in logs and administrative interfaces. Data deletion requests are processed completely, including backups, within the retention periods specified in our Privacy Policy.

Monitoring & Logging

We maintain comprehensive monitoring and logging across all systems. This includes real-time infrastructure health monitoring with automated alerting, centralized log collection and analysis, SMTP transaction logging for delivery audit trails, API access logging with request details and source IPs, administrative action logging for all configuration changes, and anomaly detection for unusual sending patterns or access behavior. Logs are retained for a minimum of 90 days and are protected against tampering.

Incident Response

Cascade Mail maintains a documented incident response plan that covers identification, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of confirming the incident, provide details of the incident scope and potential impact, describe remediation steps taken and recommended customer actions, and conduct a thorough post-incident review with a published root cause analysis for significant incidents.

Vulnerability Management

Our vulnerability management program includes regular security assessments and code reviews, automated vulnerability scanning of infrastructure and dependencies, timely patching of identified vulnerabilities (critical within 24 hours, high within 7 days), and dependency monitoring for known vulnerabilities in third-party libraries.

Employee Security

All personnel with access to customer data or production systems undergo security awareness training and are bound by confidentiality agreements. Access to production systems is limited to essential personnel only and is reviewed quarterly. Departing employees have access revoked immediately upon separation.

Business Continuity

Cascade Mail implements business continuity measures including regular automated backups with verified restoration procedures, redundant systems for critical email delivery infrastructure, geographic distribution of backup data, and documented disaster recovery procedures with defined recovery time objectives (RTO) and recovery point objectives (RPO).

Reporting a Vulnerability

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to us:

Email: security@cascade-mail.com