Security & Trust

Last updated: June 13, 2026

DDSEMail is built as a HIPAA-conscious email platform. Traffic is encrypted with TLS 1.3; sessions and sensitive material are encrypted at rest with AES-256-GCM; passwords are PBKDF2-stretched; every access is recorded in a HIPAA audit trail. We rely on a short, named list of sub-processors and accept vulnerability reports via security.txt.

Compliance posture

  • HIPAA: DDSEMail offers HIPAA-conscious email for dental practices. Customers requiring a Business Associate Agreement should review our BAA overview. PHI flows are restricted to service tiers covered by the executed BAA — the alias relay feature is positioned as non-PHI only and warns in-product accordingly.
  • SOC 2 Type II: a Type II audit is part of our compliance roadmap. Report status: {{TODO: SOC 2 Type II report status / date}}. Until then, treat any SOC 2 reference in marketing as a planned milestone, not an attestation.
  • GDPR: we honor data-subject access, correction, deletion, restriction, portability, and objection rights, and we transfer data internationally only under appropriate safeguards.

Encryption

  • In transit: TLS 1.3 for the web app, the Cloudflare edge, and SMTP delivery wherever the peer supports it.
  • At rest (sessions & tokens): AES-256-GCM, sealed with HKDF-derived keys from an audited AUTH_SECRET.
  • At rest (database): Neon Postgres encrypts customer data using provider-managed keys.
  • Passwords: never stored in plaintext; stretched with PBKDF2-SHA256 and compared in constant time.

Authentication and access

  • Session cookies are __Host-prefixed (Secure, HttpOnly, SameSite=Lax, no Domain), so they are bound to ddsmail.me and cannot leak cross-site.
  • Sessions are also tracked server-side and can be revoked.
  • Edge guards enforce origin checks and per-IP rate limits on every state-changing API.
  • Production access is least-privilege and recorded in the HIPAA audit log.
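
The cookie attributes listed above can be checked mechanically against a captured Set-Cookie header. The following is an added example, not DDSEMail's own code: the cookie name `__Host-session`, the sample headers, and the function names are constructed for illustration, and the `Path=/` check comes from the browser rules for the `__Host-` prefix rather than from this page.

```javascript
// Added example: audit a Set-Cookie header against the __Host- prefix rules
// (Secure, Path=/, no Domain) plus HttpOnly and SameSite.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; a repeated attribute keeps its last value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Returns a list of findings; an empty list means the header passes every check.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!name.startsWith("__Host-")) findings.push("name lacks __Host- prefix");
  if (!attrs.has("secure")) findings.push("missing Secure");
  if (attrs.has("domain")) findings.push("Domain attribute present");
  if (attrs.get("path") !== "/") findings.push("Path is not /");
  if (!attrs.has("httponly")) findings.push("missing HttpOnly");
  const sameSite = (attrs.get("samesite") || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push("SameSite is not Lax or Strict");
  }
  return findings;
}

// Constructed sample headers (hypothetical cookie name and values).
const SAMPLES = {
  good: "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  withDomain:
    "__Host-session=abc123; Domain=example.test; Path=/; Secure; HttpOnly; SameSite=Lax",
  weak: "session=abc123; Path=/app; SameSite=None",
};

for (const [label, header] of Object.entries(SAMPLES)) {
  const findings = auditSessionCookie(header);
  console.log(label, findings.length === 0 ? "OK" : findings.join("; "));
}
```

A browser silently drops a `__Host-` cookie that carries a Domain attribute or a Path other than `/`, so the second sample would fail as a missing session rather than as a visible error.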

Audit logging

Every meaningful action (sign-in, alias creation, mailbox access, admin events) is written to a tamper-evident, append-only audit trail tied to the actor's identity and the affected practice. Audit logs are retained for the HIPAA-required minimum period and can be exported on request.

Sub-processors

DDSEMail relies on a short, named list of sub-processors. The current list lives on the Sub-processors page. New sub-processors are added only after a privacy/security review, and material changes are communicated in advance to BAA-covered customers.

Responsible disclosure

Found something? Please email {{TODO: security contact email}} or follow the machine-readable instructions at /.well-known/security.txt. We will confirm receipt within a reasonable timeframe and coordinate remediation in good faith. Please do not access or modify other customers' data.

Incident response

We maintain an incident response process and will notify affected customers of any confirmed security incident affecting their data without undue delay, consistent with HIPAA Breach Notification requirements and applicable law.

Operational practices

  • Code, infrastructure, and secrets are managed via version-controlled configuration and short-lived credentials.
  • The relay worker enforces blocklists, suppression for bounces/complaints, and reverse-alias tokens with stored, short lifetimes.
  • Webhooks from third parties are signature-verified before any state change.

For deeper detail, request our security questionnaire response or BAA package via {{TODO: security contact email}}.
