# AcelleMail — security

> Canonical HTML: https://acellemail.com/security
> Content-Type: text/markdown

## Self-hosted = data sovereignty

The single largest security difference versus SaaS competitors: **subscriber lists never leave your server**. AcelleMail runs entirely on infrastructure you control. There is no AcelleMail cloud holding your customer data, so there is no vendor-held copy to subpoena, breach, or accidentally expose. The flip side is that patching, backups and access control for that server are yours to run (see "Server hardening" below).

## GDPR + privacy posture

- **Self-hosted by design** — subscriber PII stays on your server, in your jurisdiction
- **Subject-access export** built into the subscriber detail screen
- **Right-to-erasure** with one click — full subscriber record + activity log purge
- **Consent logs** for double-opt-in and bulk-invite flows
- **Unsubscribe** via RFC 2369 `List-Unsubscribe` and RFC 8058 `List-Unsubscribe-Post` one-click headers, pointing at signed routes
- **No third-party tracking pixels** unless you add them — open + click tracking happens on your server

## Authentication + access control

- **Admin / customer / staff role separation**
- **Two-factor authentication** for admin and customer accounts (TOTP)
- **Password policy** with min length, complexity, breach-list check
- **Session management** with revocable tokens
- **Audit log** of admin actions (login, settings change, subscriber export, plan change)
- **API tokens** via Laravel Sanctum — per-user, per-scope, revocable

## Data at rest + in transit

- **HTTPS only** in production — HSTS supported, HTTP/2 + Brotli recommended (see KB §"Server hardening")
- **Database encryption** for sensitive fields (API keys, OAuth tokens, payment-method secrets) via Laravel Crypt; the cipher key is derived from `APP_KEY`, so keep that value backed up and re-encrypt stored values if you rotate it
- **At-rest disk encryption** is your hosting provider's responsibility — instructions in KB
- **Outbound SMTP** over TLS 1.2+ (STARTTLS on 587 or implicit TLS on 465); most major relay providers enforce TLS on their side, but check that the transport you configure requires it rather than falling back to opportunistic STARTTLS

## Email-channel security

- **SPF / DKIM / DMARC** setup wizard with DNS record generator
- **DKIM key rotation** with grace period for in-flight messages
- **Bounce + complaint handling** keeps reputation clean
- **List-Unsubscribe** links are signed routes, so a guessed or incremented subscriber ID cannot be used to unsubscribe someone else or to enumerate the list
- **Spam-score preview** before send
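The DKIM key-rotation item above, worked through as an added example (not AcelleMail's code): a new selector is published first, signing switches only after old TTLs have had time to expire, and the old key stays published through a grace window before being revoked with an empty `p=` rather than deleted. The domain, the 24h propagation wait, the 7-day grace period and the placeholder key strings are assumptions.

```python
"""DKIM selector rotation with a grace period.

Added example, not AcelleMail's own code. Assumed (not from the page): a
two-selector scheme, a 24h DNS propagation wait before signing with a new
key, a 7-day grace period for in-flight and retried mail, and public keys
passed in as base64 strings (constructed placeholders in the demo below).
"""
from dataclasses import dataclass, field
from typing import List, Optional

DOMAIN = "example.com"            # assumed sending domain
PROPAGATION = 24 * 3600           # wait for old TTLs to expire before signing
GRACE = 7 * 24 * 3600             # longer than any plausible retry/in-flight window


@dataclass
class Selector:
    name: str
    public_key_b64: str
    published_at: int
    retired_at: Optional[int] = None   # when we stopped signing with it


@dataclass
class DkimState:
    active: Selector
    pending: Optional[Selector] = None
    retired: List[Selector] = field(default_factory=list)


def stage_key(state: DkimState, name: str, public_key_b64: str, now: int) -> DkimState:
    """Publish the next key's DNS record without signing with it yet."""
    if state.pending is not None:
        raise ValueError("a key is already staged")
    state.pending = Selector(name, public_key_b64, published_at=now)
    return state


def switch_signing(state: DkimState, now: int) -> DkimState:
    """Start signing with the staged key once its record has had time to propagate."""
    if state.pending is None:
        raise ValueError("nothing staged")
    if now - state.pending.published_at < PROPAGATION:
        raise ValueError("new selector not yet propagated; verifiers may still miss it")
    state.active.retired_at = now
    state.retired.append(state.active)
    state.active, state.pending = state.pending, None
    return state


def signing_selector(state: DkimState) -> str:
    """Selector to put in the DKIM-Signature s= tag of outgoing mail."""
    return state.active.name


def dns_records(state: DkimState, now: int) -> dict:
    """TXT records to publish right now.

    Retired keys stay valid through the grace window so late deliveries and
    retries still verify. After it they are revoked with an empty p=
    (RFC 6376 section 3.6.1), which tells verifiers the key is retired
    instead of leaving a missing record that can look like a DNS problem.
    """
    def txt(sel: Selector) -> str:
        return f"v=DKIM1; k=rsa; p={sel.public_key_b64}"

    records = {f"{state.active.name}._domainkey.{DOMAIN}": txt(state.active)}
    if state.pending is not None:
        records[f"{state.pending.name}._domainkey.{DOMAIN}"] = txt(state.pending)
    for sel in state.retired:
        name = f"{sel.name}._domainkey.{DOMAIN}"
        in_grace = now - sel.retired_at < GRACE
        records[name] = txt(sel) if in_grace else "v=DKIM1; k=rsa; p="
    return records


def key_accepted(state: DkimState, selector: str, now: int) -> bool:
    """What a receiving verifier effectively sees: a published, non-empty key."""
    rec = dns_records(state, now).get(f"{selector}._domainkey.{DOMAIN}")
    return bool(rec) and not rec.endswith("p=")


if __name__ == "__main__":
    t0 = 1_700_000_000
    # Placeholder key material, constructed for the demo; real values come
    # from your keypair generator.
    st = DkimState(active=Selector("s2024a", "PLACEHOLDER_OLD_KEY_BASE64", t0 - 90 * 86400))
    stage_key(st, "s2024b", "PLACEHOLDER_NEW_KEY_BASE64", now=t0)
    switch_signing(st, now=t0 + PROPAGATION)
    for name, value in dns_records(st, now=t0 + PROPAGATION + GRACE + 1).items():
        print(name, "TXT", value)
```

The grace period should exceed your MTA's longest retry window plus the time a message may sit queued at the recipient; seven days is a common conservative choice here, not a value taken from the page.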
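The signed unsubscribe routes mentioned in the GDPR list and again above, as an added example (not AcelleMail's code) of the mechanism in Python: the link carries an HMAC over list, subscriber and expiry; the message gets the RFC 2369 and RFC 8058 headers; and the handler rejects tampered IDs and expired links, shows a confirmation page on GET so link scanners cannot unsubscribe people, and acts only on the RFC 8058 one-click POST. The secret, route, mailto address and 30-day lifetime are assumptions.

```python
"""Signed one-click unsubscribe links.

Added example, not AcelleMail's own code. Assumed (not from the page): an HMAC
secret loaded from config, the route https://mail.example.com/unsubscribe,
a mailto fallback address, and a 30-day link lifetime.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"replace-with-32-random-bytes-from-config"  # constructed placeholder
BASE_URL = "https://mail.example.com/unsubscribe"      # assumed route
MAILTO = "mailto:unsubscribe@mail.example.com?subject=unsubscribe"  # assumed
LINK_LIFETIME = 30 * 24 * 3600                         # assumed
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"          # fixed by RFC 8058


def _signature(list_id: str, subscriber_id: str, expires: int) -> str:
    # The MAC binds list, subscriber and expiry together, so none can be swapped
    # for another without invalidating the link.
    msg = f"{list_id}|{subscriber_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def signed_unsubscribe_url(list_id: str, subscriber_id: str, now: Optional[int] = None) -> str:
    """Build the per-recipient link embedded in the message."""
    now = int(time.time()) if now is None else now
    expires = now + LINK_LIFETIME
    params = {"l": list_id, "s": subscriber_id, "e": expires,
              "sig": _signature(list_id, subscriber_id, expires)}
    return f"{BASE_URL}?{urlencode(params)}"


def unsubscribe_headers(url: str) -> dict:
    # RFC 2369 List-Unsubscribe with an https URI (RFC 8058 requires one) plus a
    # mailto fallback; RFC 8058 List-Unsubscribe-Post announces one-click support.
    return {
        "List-Unsubscribe": f"<{url}>, <{MAILTO}>",
        "List-Unsubscribe-Post": ONE_CLICK_BODY,
    }


def handle_unsubscribe(url: str, method: str, body: str = "", now: Optional[int] = None) -> str:
    """Server side. Returns 'unsubscribed', 'confirm' or 'rejected:<reason>'."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlparse(url).query)
    try:
        list_id, subscriber_id = q["l"][0], q["s"][0]
        expires, sig = int(q["e"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return "rejected:malformed"
    # Check the signature before anything else: a guessed or incremented
    # subscriber id without a valid MAC reveals nothing and changes nothing.
    if not hmac.compare_digest(sig, _signature(list_id, subscriber_id, expires)):
        return "rejected:bad-signature"
    if now > expires:
        return "rejected:expired"
    if method == "GET":
        # Link scanners and prefetchers follow GET; render a confirm page instead
        # of unsubscribing, so only a human click or a one-click POST acts.
        return "confirm"
    if method == "POST" and body == ONE_CLICK_BODY:
        return "unsubscribed"
    return "rejected:bad-request"


if __name__ == "__main__":
    link = signed_unsubscribe_url("list-42", "sub-1001")
    for header, value in unsubscribe_headers(link).items():
        print(f"{header}: {value}")
    print(handle_unsubscribe(link, "POST", ONE_CLICK_BODY))
    print(handle_unsubscribe(link.replace("sub-1001", "sub-1002"), "POST", ONE_CLICK_BODY))
```

Keying the MAC on a server secret is what turns a sequential subscriber ID into something an outsider cannot forge or iterate; the expiry only bounds how long a leaked link stays usable.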

## Server hardening

- **HTTPS-only** enforced via nginx config snippet in `/kb/article/server-hardening`
- **Rate limiting** at app + nginx layer for login, registration, password reset, contact form
- **CSRF protection** on every state-changing endpoint
- **CSP + X-Frame-Options + X-Content-Type-Options** headers configurable
- **Parameterized queries throughout** via Laravel Eloquent and the query builder, which bind user input rather than concatenating it into SQL

## Vulnerability disclosure

Security issues: email `security@acellemail.com` with reproduction steps. Disclosure timeline: typically a 14-day patch window, followed by a public advisory once the fix is released.

## Compliance

- GDPR: supported (data sovereignty + DSAR export and erasure tooling); as the self-hosting controller, lawful basis, retention and processor agreements remain your responsibility
- CCPA / CPRA: supported (same export + erasure mechanisms)
- CAN-SPAM: supported (unsubscribe + sender identification)
- HIPAA: no — AcelleMail is not HIPAA-certified; do not store PHI in subscriber records

## Next

- [Features](https://acellemail.com/features.md)
- [About](https://acellemail.com/about.md)
- [Pricing](https://acellemail.com/pricing.md)
