MailOdds

Security

Security

Protecting your storefront, your customers, and your data across every part of the platform. Here is how we keep it safe.

Encryption

TLS 1.3 for all data in transit. AES-256 for data at rest. API keys and credentials are hashed and never stored in plain text.

EU Hosting & Data Residency

Core platform data is hosted in the European Union. Where regional commerce, sending, or optional integrations require it, transfers outside the EEA rely on an appropriate mechanism (EU adequacy, the EU-US Data Privacy Framework, or Standard Contractual Clauses).

Multi-Tenant Isolation

Every merchant's storefront, orders, customers, and audiences are isolated. Data access is scoped to your account, so one merchant can never read or address another merchant's data.

Payment Security

Card payments and payouts run through Stripe, which is PCI DSS compliant as the payment service provider. We never see or store full card numbers; only payment references and metadata stay with the related order.

Customer & Visitor Data

Order and customer PII is processed on your instruction and retained per your policy. Visitor-intelligence signals (identity, intent, risk scores) are treated as sensitive, support per-visitor opt-out, and probabilistic links decay over time.

GDPR Compliant

Built for GDPR. Data Processing Agreements are available, and our sub-processors, retention schedule, and transfer mechanisms are published.

Our Practices

  • Regular security audits and dependency updates
  • Role-based access control (RBAC) for team members, with account-scoped data access enforced on every request
  • Tenant isolation so merchant storefronts, orders, and audiences never cross account boundaries
  • Consent and suppression handling for messaging, with honoured opt-outs across email, SMS, and RCS
  • Automated backups with encryption
  • Rate limiting and DDoS protection
  • Incident response plan with 24-hour notification

Data Lifecycle

Retention varies by data type. Storefront and customer data is kept per your instruction; intelligence and operational data follows the defaults below. The full schedule is published in our data-retention policy.

  • -- Storefront orders and customer records: retained per your policy; order rows may be kept for tax retention, and erased on request (DSAR)
  • -- Storefront visitor events: configurable, default 365 days
  • -- Visitor identity graph and scores: probabilistic links decay after 30 days; email-anchored links are severed on erasure
  • -- Messaging: SMS/RCS opt-in records kept for compliance; message logs ~90 days; campaign and engagement data per your policy
  • -- Email validation (one capability among several): single checks processed in memory and not persisted; bulk job results auto-purged after 7 days
  • -- Payments: only payment references and metadata stored with the order; full card data held by Stripe, never by us
  • -- Audit logs purged after 90 days. Webhook delivery records purged after 30 days.

Infrastructure

EU Hosting

Core infrastructure is hosted in the European Union (Germany). Regional storefront edges in the US and APAC serve those markets; personal data leaving the EEA is covered by an appropriate transfer mechanism.

Network Isolation

Private network isolation between services over an encrypted mesh. TLS-only internal communication. No services exposed to the public internet except the API gateway and storefront edge.

Redundancy

Automated encrypted backups and a replicated database. Continuous delivery with health-gated rollout and post-deploy verification keeps production updates low-risk.

Data Processing Agreement

We act as your processor for the storefront, customer, messaging, and validation data you run through the platform, and as an independent controller for our own visitor intelligence. You can request a Data Processing Agreement (DPA) for GDPR compliance; our sub-processor list, retention schedule, and transfer mechanisms are published. Contact us at security@mailodds.com to get started.

Responsible Disclosure

To report a security vulnerability, please email security@mailodds.com with details. We aim to acknowledge reports within 48 hours.

Questions? For general security inquiries, DPA requests, or to report a vulnerability, contact us at security@mailodds.com