Skip to content
SuperMail docs

Security overview

Email is a high-stakes inbox. This page explains exactly what SuperMail does (and doesn’t do) to keep your data safe. See also the public Security page for a shorter summary.

Architecture at a glance

  • Frontend + mobile talk exclusively to the SuperMail API over HTTPS.
  • API is stateless; stores nothing except session state in a database.
  • Postgres holds account metadata, message metadata, and tags.
  • Object storage holds message bodies and attachments, encrypted at rest with AES-256.
  • No shared tenancy in bodies: each workspace’s object-storage prefix is unique and IAM-scoped.

Encryption

LayerDetail
In transit (browser/app ↔ SuperMail)TLS 1.2+ only, HSTS enforced.
In transit (SuperMail ↔ provider)TLS enforced. Gmail, Outlook, Yahoo, iCloud, Fastmail all enforce TLS; IMAP falls back to STARTTLS; plaintext IMAP/SMTP connections are refused.
At rest (database)AES-256 via cloud-managed keys.
At rest (bodies + attachments)AES-256, server-side.
Gmail OAuth refresh tokensEncrypted at rest with a workspace-scoped key separate from the DB key.
IMAP/SMTP app passwords (Outlook, Yahoo, iCloud, Fastmail, etc.)Encrypted at rest with a workspace-scoped key separate from the DB key.

SuperMail is not end-to-end encrypted. We decrypt server-side in order to index, thread, render, and search your mail. This is standard for email clients that provide a unified inbox and server-side search. If you need E2E, use PGP inside SuperMail (it’s a client like any other, so encrypted bodies stay encrypted in our storage but most features like search, previews, threading won’t work on those messages).

Authentication

  • Email + password sign-in, handled by Supabase. Passwords are bcrypt-hashed by Supabase and never seen by SuperMail’s own servers.
  • Biometric unlock on the mobile apps (see Mobile → Biometric unlock).
  • API tokens are bearer JWTs scoped to your user; the API authenticates each request via Supabase token verification.

That’s the full auth surface today. We do not support TOTP 2FA, social sign-in for SuperMail accounts (Google “Sign in with Google” is used to link Gmail mailboxes, not to log in to SuperMail itself), or per-device session lists. WebAuthn / passkeys and TOTP 2FA are on the roadmap.

Application access controls

  • One user per account. There’s no “shared inbox” role yet; each person has their own workspace.
  • Engineers do not access user data in normal operation. When a support investigation requires looking at a workspace, it’s done on explicit user request via support and logged internally.

Infrastructure

  • Hosted on AWS in us-east-1 and us-east-2 (multi-AZ within the active region).
  • Object storage in AWS S3 (server-side-encrypted, versioned).
  • Database in Amazon RDS Postgres with automated nightly backups, point-in-time recovery, and encrypted backups.
  • Backups retained 30 days for warm recovery; 1-year cold backups for disaster recovery.

Compliance

  • GDPR: see Privacy for data-subject rights.
  • HIPAA / PCI DSS: not in scope currently. Do not send PHI or cardholder data through SuperMail.