TRUST

Trust is the product.

We run a commerce platform on shared infrastructure. Trust isn't a slogan — it's an audit trail. Here is ours.

DATA RESIDENCY

EU-hosted, by default.

MailOdds runs on 11 Contabo VPS nodes: 4 EU infrastructure nodes (database, app, standby, CI/CD), 4 MTA nodes (EU Central, US East, US West, APAC), and 3 storefront edge nodes (EU, US, APAC). The primary PostgreSQL database lives in Germany; there is no shadow copy outside the EU.

US and APAC nodes replicate configuration + serve the public storefront, but no customer PII is persisted there. Orders + events stream back to the EU primary. Demo stores (paste-a-URL flow) live in the region closest to the visitor and auto-delete after seven days.

AVG / GDPR

Dutch controller, AP enforcement.

MailOdds B.V. is registered in Amsterdam (KVK 99761246) and is the controller for all data processed through our platform. Our lawful basis for processing is contract performance (Art. 6(1)(b) AVG) for merchants and legitimate interest (Art. 6(1)(f) AVG) for storefront visitors, subject to the Telecommunicatiewet Art. 11.7 cookie regime.

Data subject rights (access, rectification, erasure, portability) are served via the privacy policy. Response SLA: 30 days, per AVG Art. 12.

Personal data is encrypted at rest. Production email addresses and reply-forwarding destinations use the DATA_ENCRYPTION_KEY hierarchy with rotation support and a PREVIOUS_DEK grace window. Webhook secrets are stored encrypted. Plaintext columns are staged for removal.

SECRETS

SOPS + age. No plaintext secrets in git.

Every environment file on every production node is encrypted with SOPS using per-node age keypairs. Private keys never leave the Ansible vault; the vault password is out-of-band. To decrypt, an operator must have both the vault password and SSH to the target node. There is no master key that decrypts everything at once.

Secret rotation is first-class: the DATA_ENCRYPTION_KEY hierarchy re-encrypts encrypted DB columns without downtime; webhook secret migrations run through a dual-write window with a hard fail-over if decryption with the new key fails.

SUB-PROCESSORS

Who else touches your data.

MailOdds is the controller for data you submit through our platform. A small number of third-party services act as processors under AVG Art. 28, strictly to make the product work. Customer-initiated integrations (Shopify, WooCommerce, Salesforce, and similar) connect only when you authorize the OAuth flow; you can disconnect at any time from the dashboard.

  • Salesforce - customer-initiated CRM integration; data-in-transit only; MailOdds stores an encrypted refresh token and the customer's Product2 / PricebookEntry / inventory data in our app DB.
  • Contabo GmbH (DE) - primary infrastructure hosting (EU, US, APAC VPS nodes). Data at rest lives on disks under their physical control in the region pinned for that data class.
  • Stripe Payments Europe Ltd (IE) - billing + Connect payouts. Card data is handled by Stripe; MailOdds stores Stripe customer IDs + subscription metadata only.
  • Cloudflare (DNS only) - authoritative DNS for mailodds.com. No HTTP proxying, no visitor data, no TLS termination at Cloudflare.

See the data processing addendum for the full list plus controller/processor roles.

SENDER AUTHENTICATION

DKIM, SPF, DMARC — right the first time.

We own our MTA fleet. Every sending domain signs with both RSA-2048 and Ed25519 DKIM, publishes a correct SPF record with lookup budget, and enforces DMARC at reject. TLS 1.3 on hop-to-hop; MTA-STS + DANE where supported. Bounce + complaint + reply processing is native, not polled.
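The three DNS-visible claims above (SPF within its lookup budget, DMARC at reject, DKIM selectors for both RSA and Ed25519) can be checked from published TXT records. The sketch below is an added example, not MailOdds code. The domain example.test, the selector names rsa1 and ed1, and every record in ZONE are constructed, and the budget is assumed to mean the 10-lookup limit of RFC 7208. It does not check RSA key length, void lookups, or MX fan-out.

```python
import re

# Constructed TXT records for a hypothetical domain (example.test); not MailOdds data.
ZONE = {
    "example.test": ["v=spf1 mx include:_spf.example.test include:relay.example.test -all"],
    "_spf.example.test": ["v=spf1 ip4:192.0.2.0/24 a:mta1.example.test ~all"],
    "relay.example.test": ["v=spf1 exists:%{i}.rbl.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "rsa1._domainkey.example.test": ["v=DKIM1; k=rsa; p=CONSTRUCTED"],
    "ed1._domainkey.example.test": ["v=DKIM1; k=ed25519; p=CONSTRUCTED"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS query
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

def spf_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms reachable from domain via include/redirect."""
    if domain in path:
        raise ValueError(f"SPF loop at {domain}")
    record = next((r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")), None)
    if record is None:
        raise ValueError(f"no SPF record at {domain}")
    count = 0
    for term in record.lower().split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:([:=])([^/]*))?", term.lstrip("+-~?"))
        if m is None:
            raise ValueError(f"unparseable SPF term {term!r} at {domain}")
        name, sep, arg = m.groups()
        if (name in LOOKUP_TERMS and sep != "=") or (name == "redirect" and sep == "="):
            count += 1
            if name in ("include", "redirect"):  # nested records share the same budget
                count += spf_lookups(arg, zone, path + (domain,))
    return count

def tags(record):
    """Parse the 'k=v; k=v' tag list used by DMARC and DKIM records."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def audit(domain, zone, selectors):
    """Return pass/fail flags for SPF budget, DMARC policy and dual DKIM key types."""
    lookups = spf_lookups(domain, zone)
    dmarc = tags(zone.get(f"_dmarc.{domain}", [""])[0])
    key_types = set()
    for s in selectors:
        for rec in zone.get(f"{s}._domainkey.{domain}", []):
            key_types.add(tags(rec).get("k", "rsa"))  # k defaults to rsa (RFC 6376)
    return {"spf_lookups": lookups, "spf_within_budget": lookups <= SPF_LOOKUP_LIMIT,
            "dmarc_reject": dmarc.get("p") == "reject",
            "dkim_dual": {"rsa", "ed25519"} <= key_types}
```

Against a live domain the ZONE dictionary would be replaced by real TXT lookups; the counting logic is unchanged.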

OBSERVABILITY

SLOs, alerts, status.

Prometheus scrapes every service on every node every 15 seconds. Alertmanager fires SLO-based alerts (validation p95 < 2s, dashboard p95 < 1s, storefront p95 < 500ms) to the dashboard SSE feed and — when wired — to on-call. Grafana lives behind SSH tunnel on the standby node; incident runbooks live in docs/runbooks/.

CREDITS

What made this page.

Typography

Geist (body) by Vercel. Plus Jakarta Sans (display) by Tokotype. Both licensed under the SIL Open Font License.

Color palette

Wong 2011 colorblind-safe palette. Published in Nature Methods as a default-accessible palette for scientific visualization; adopted here as the semantic colorway for the whole product (emerald = positive, red = negative, amber = caution, blue = info, orange = risk).

Hero video

The homepage hero plays a silent looping recording of a real demo provisioner run. Our own product in motion, not stock footage.

The three outcome sections (storefront, email, data) play ambient loops from the following Pexels creators:

Hero composites

Static hero composites + per-page OG cards produced with Google's Gemini 3 Pro Image Preview (gemini-3-pro-image-preview). Every generation call passes personGeneration: "dont_allow", so no human faces are hallucinated. Composites include a SynthID watermark (invisible) per Google's commercial-use guidelines.

Where Gemini was rate-limited or capped, hero composites fall back to a deterministic Pillow build that layers real screenshots on a brand gradient (scripts/demo-inventory/compose-hero-pillow.py). The fallback path is recorded in brand/hero/manifest.json as model: pillow-composite-fallback.

Marketing screenshots

Numbers visible in marketing screenshots (visitor counts, captured leads, revenue) are illustrative demo values, not customer data. They are rewritten at capture time via a temporary browser extension so the dashboard reads as a growing store rather than the near-empty state of our internal test account. Your dashboard always reflects your real activity.

Have a compliance question?

We reply in hours. support@mailodds.com, or send a GitHub issue.