Security and Privacy


Your business webmail is completely owned by you. No one else should be able to access it, and you should have full control over it. At Bare Metal Email, we highly prioritize the security of your data. We strive every day to ensure that it remains secure.

Data Encryption

Your data is protected through encryption both during transmission and while stored. SSL (Secure Sockets Layer) is employed to secure the data sent from the Bare Metal Email servers to your web browser. When your data is at rest, it is encrypted using AES-256 block level storage encryption. Our data center provider implements top-notch physical protection measures to prevent unauthorized individuals from gaining access.

Disaster Recovery

To date, we have never experienced any data loss; however, we have taken proactive measures to prepare for such an event. Our database is equipped with continuous protection, allowing us to revert to a state from a few hours ago up to a period of 30 days. In the event of an outage in the Bare Metal Email application, we have monitoring systems in place to detect the issue and redeploy the application to alternate operational data centers. As a result, you can be confident that you need not concern yourself with any downtime in Bare Metal Email, and your business operations will proceed without interruption.

SAML based SSO

One of the key security features offered by Bare Metal Email is the capability to integrate with your Identity Provider, allowing you to authorize access through Single Sign-On (SSO). This ensures that you have complete control over determining who can access your data. You can establish your own password requirements and even enforce Two-Factor Authentication (TFA) if desired.

PCI Compliance

We utilize Stripe as our credit card processing service provider. None of the servers utilized by Bare Metal Email have access to any credit card details. Stripe has undergone a thorough audit conducted by a PCI-certified auditor and has attained the highest level of certification in the payments industry, known as PCI Service Provider Level 1. This certification represents the most stringent level of security and compliance available.

Personal and Training

A company is essentially composed of its employees. At Bare Metal Email, we prioritize the implementation of thorough background checks for all our employees. Those who do not pass these checks are not permitted to work here. In order to establish a security-conscious organization, it is imperative to provide training to employees. We employ services like Security Mentor and KnowBe4 to equip our employees with knowledge regarding common errors and potential threats to be vigilant about.

Secure Frameworks

Bare Metal Email employs the PHP Laravel framework to assist our developers in avoiding typical security coding errors. This framework incorporates security measures such as parameter verification, protection against cross-site forgery requests (CSFR), prevention of SQL injection, and mitigation of cross-site scripting (XSS) vulnerabilities.

Penetration Testing

We utilize top-tier tools like OWASP ZAP for conducting penetration testing. OWASP ZAP is an automated tool that attempts to assess the security of our website by simulating attacks and providing detailed reports on any identified vulnerabilities or findings.

Audit Logging

Every request directed to the Bare Metal Email server is logged and recorded. These logs are retained for a duration of 30 days. In the event of a security incident, we possess the necessary data to trace the sequence of events and determine the potential data that may have been accessed.

Got questions?

If you have any further inquiries, please don’t hesitate to reach out to us. For our enterprise customers, we are more than willing to complete any security assessments you may require.