SOC 2 Compliance
Security certifications, data protection, and compliance documentation
Overview
daimon.email is built on SOC 2 Type II compliant infrastructure and follows industry best practices for data security, privacy, and operational integrity.
Info
All customer data is stored on Cloudflare and Supabase, both of which maintain SOC 2 Type II certification. daimon.email inherits these controls and adds additional security measures.
Infrastructure Security
SOC 2 Certified Providers
| Provider | Service | Certification |
|---|---|---|
| Cloudflare | Workers (compute), R2 (storage), KV (rate limiting) | SOC 2 Type II |
| Supabase | PostgreSQL (database), authentication | SOC 2 Type II |
| Stripe | Payment processing | PCI DSS Level 1, SOC 2 Type II |
All data flows through certified infrastructure with no exceptions.
Data Storage Locations
- Email messages: Cloudflare R2 (raw MIME) + Supabase (metadata)
- Attachments: Cloudflare R2 with signed URLs
- Account data: Supabase PostgreSQL
- Rate limit state: Cloudflare KV (ephemeral, no PII)
- Logs: Cloudflare Workers Analytics (aggregated, no PII)
Note
Enterprise customers can request specific geographic data residency (e.g., EU-only storage). Contact sales@daimon.email for details.
Encryption
At Rest
- Database: AES-256 encryption for all Supabase Postgres data at rest
- Object storage: AES-256 encryption for all R2 buckets
- Backups: Encrypted snapshots with separate encryption keys
- API keys: Hashed using bcrypt before storage (one-way, non-reversible)
In Transit
- API communication: TLS 1.3 with perfect forward secrecy
- Webhook delivery: HTTPS required (we reject `http://` URLs)
- Email transmission: TLS 1.2+ for SMTP (both inbound and outbound)
- Dashboard: HTTPS-only with HSTS enabled
All API responses include strict security headers:

```http
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```

X-XSS-Protection is a legacy header: Chromium-based browsers removed the filter it controlled and Firefox never implemented it, so it is harmless but adds no protection on its own.

Authentication & Access Control
API Key Security
- Format: `dm_free_*` (free tier) or `dm_live_*` (paid tier)
- Storage: Hashed with bcrypt, never stored in plaintext
- Transmission: HTTPS only, never logged in plaintext
- Rotation: Self-service rotation via dashboard (coming soon)
```javascript
// API keys are scoped to accounts, not users
// One account can have multiple API keys for rotation
// Create a new API key (revokes old one)
const newKey = await client.account.rotateApiKey({
  note: 'Production agent key - rotated March 2026'
});
// Old key stops working immediately
```

```python
# API keys are scoped to accounts, not users
# One account can have multiple API keys for rotation
# Create a new API key (revokes old one)
new_key = client.account.rotate_api_key({
    'note': 'Production agent key - rotated March 2026'
})
# Old key stops working immediately
```

JWT Token Security
Magic upgrade links use JWT tokens with:
- Expiration: 24 hours (short-lived)
- Signature: HS256 with rotating secret keys
- Payload: Account ID only (no PII, no email addresses)
- Single use: Tokens are invalidated after first use
JWT payload (no sensitive data):

```json
{
  "sub": "acct_abc123",
  "iat": 1710599040,
  "exp": 1710685440,
  "jti": "upgrade_xyz789"
}
```

Warning
JWT tokens never contain email addresses, inbox IDs, or other PII. This minimizes risk if a token is intercepted.
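The token lifecycle described above (HS256 with a rotating key ring, a 24-hour `exp`, an account-id-only payload and a single-use `jti`), as an added example written for this page rather than daimon.email's own implementation. The key ring, the `kid` header used to select the verifying secret, the `reject:*` return values and the in-memory `USED_JTI` set are assumptions; a real service keeps consumed `jti` values in a shared store with a TTL of at least the token lifetime so a replay on another node is also caught.

```javascript
import crypto from 'crypto';

// Constructed key ring. The JWT header carries a `kid` so the verifier picks the
// matching secret; keeping the previous key accepts tokens issued before the
// rotation until they expire. Secrets are random per run (example only).
const KEY_RING = new Map([
  ['k2026-03', crypto.randomBytes(32)], // current signing key
  ['k2026-02', crypto.randomBytes(32)], // previous key, still accepted
]);
const CURRENT_KID = 'k2026-03';
const TOKEN_TTL_SEC = 24 * 60 * 60;

// Single-use tracking (assumption: in-memory; use a shared store in production).
const USED_JTI = new Set();

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (input, secret) => crypto.createHmac('sha256', secret).update(input).digest();

function issueUpgradeToken(accountId, nowSec = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'HS256', typ: 'JWT', kid: CURRENT_KID };
  // Payload is the account id only: no email address, no inbox ids.
  const payload = {
    sub: accountId,
    iat: nowSec,
    exp: nowSec + TOKEN_TTL_SEC,
    jti: 'upgrade_' + crypto.randomBytes(9).toString('base64url'),
  };
  const signingInput = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  return signingInput + '.' + b64url(hmac(signingInput, KEY_RING.get(CURRENT_KID)));
}

// Returns the account id when the token is accepted, otherwise a string starting
// with "reject:" that says why. Order matters: the signature is verified before
// any claim is trusted, and the jti is consumed only on success.
function redeemUpgradeToken(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return 'reject:malformed';
  const [h, p, s] = parts;
  let header;
  let payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return 'reject:malformed';
  }
  // Pin the algorithm: never let the token choose how it is verified ("alg": "none").
  if (header.alg !== 'HS256') return 'reject:alg';
  const secret = KEY_RING.get(header.kid);
  if (!secret) return 'reject:unknown-kid';
  const expected = hmac(h + '.' + p, secret);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'reject:signature';
  }
  if (!Number.isInteger(payload.exp) || nowSec >= payload.exp) return 'reject:expired';
  if (typeof payload.jti !== 'string' || USED_JTI.has(payload.jti)) return 'reject:replayed';
  USED_JTI.add(payload.jti);
  return payload.sub;
}
```

A second redemption of the same token fails with `reject:replayed` even though the signature and expiry are still valid, which is the property the "single use" bullet relies on; an `alg: none` header is rejected before the signature is even examined.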
Data Privacy
PII Handling
daimon.email minimizes PII collection:
- No email addresses required for free tier signup
- No phone numbers ever collected
- No personal names required (agents use service names)
- Email content stored only as long as needed for delivery
Data Retention
| Data Type | Retention Period | Deletion Policy |
|---|---|---|
| Email messages | 30 days (default) | Auto-purged after 30 days |
| Sent messages | 7 days | Auto-purged after 7 days |
| Attachments | Same as message | Deleted with parent message |
| Account metadata | Until account deletion | Deleted within 24 hours of account deletion |
| API logs | 7 days (aggregated only) | No message content in logs |
| Audit logs | 1 year (enterprise only) | Deleted after 1 year |
Info
Enterprise customers can configure custom retention periods (e.g., 90 days for compliance). Contact sales@daimon.email.
GDPR Compliance
daimon.email supports GDPR requirements:
- Right to access: Download all account data via `GET /v1/account/export`
- Right to deletion: Delete account and all data via `DELETE /v1/account`
- Right to portability: Export in JSON format
- Data processing agreement: Available for Enterprise customers
Data Deletion
```javascript
// Export all data before deletion (GDPR right to access)
const exportData = await client.account.export();
// Returns JSON with all inboxes, messages, threads, webhooks

// Delete account and all associated data (GDPR right to deletion)
await client.account.delete();
// All data purged within 24 hours:
// - All inboxes deleted
// - All messages purged from R2
// - All database records removed
// - API keys invalidated immediately
```

```python
# Export all data before deletion (GDPR right to access)
export_data = client.account.export()
# Returns JSON with all inboxes, messages, threads, webhooks

# Delete account and all associated data (GDPR right to deletion)
client.account.delete()
# All data purged within 24 hours:
# - All inboxes deleted
# - All messages purged from R2
# - All database records removed
# - API keys invalidated immediately
```

Audit Logging
Enterprise customers get detailed audit logs:
- API access: All requests with timestamp, endpoint, IP, user agent
- Account changes: Tier upgrades, API key rotations, webhook modifications
- Message events: Sends, receives, bounces, complaints
- Security events: Failed auth attempts, rate limit violations
- Retention: 1 year (configurable up to 7 years for compliance)
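A small triage script over entries of the kind listed above, added here as an example and not part of daimon.email's tooling: it parses the log as JSON Lines, applies the same inclusive date range and `event_types` filter the audit-log API query takes, and flags source IPs that burst failed authentications. The log lines are constructed; the event type names `security.auth_failed`, `security.rate_limited` and `account.api_key_rotated`, the endpoint path on the rotation line, and the burst threshold are assumptions (this page names only `api.request` and `message.sent`).

```javascript
// Constructed JSON Lines audit log in the documented entry shape. Event types other
// than api.request and message.sent are assumed names, as is the rotation endpoint.
const SAMPLE_AUDIT_LOG = [
  ['2026-03-15T23:59:59Z', 'api.request',             '203.0.113.45', 'GET /v1/account', 200],
  ['2026-03-16T14:30:00Z', 'api.request',             '203.0.113.45', 'POST /v1/inboxes/{id}/send', 200],
  ['2026-03-16T14:30:01Z', 'message.sent',            '203.0.113.45', 'POST /v1/inboxes/{id}/send', 200],
  ['2026-03-16T14:31:02Z', 'security.auth_failed',    '198.51.100.7', 'GET /v1/account', 401],
  ['2026-03-16T14:31:05Z', 'security.auth_failed',    '198.51.100.7', 'GET /v1/account', 401],
  ['2026-03-16T14:31:09Z', 'security.auth_failed',    '198.51.100.7', 'GET /v1/account', 401],
  ['2026-03-16T14:31:15Z', 'security.auth_failed',    '198.51.100.7', 'GET /v1/account', 401],
  ['2026-03-16T14:31:20Z', 'security.auth_failed',    '198.51.100.7', 'GET /v1/account', 401],
  ['2026-03-16T14:32:00Z', 'security.rate_limited',   '198.51.100.7', 'GET /v1/account', 429],
  ['2026-03-16T14:00:00Z', 'security.auth_failed',    '203.0.113.45', 'GET /v1/account', 401],
  ['2026-03-16T15:10:00Z', 'security.auth_failed',    '203.0.113.45', 'GET /v1/account', 401],
  ['2026-03-16T14:40:00Z', 'account.api_key_rotated', '203.0.113.45', 'POST /v1/account/api-key', 200],
].map(([timestamp, event_type, ip_address, endpoint, status]) => JSON.stringify({
  timestamp, event_type, account_id: 'acct_abc123', ip_address,
  user_agent: status === 401 ? 'curl/8.5.0' : 'daimon-email-sdk/1.0.0 (python)',
  endpoint, status, latency_ms: 12,
})).join('\n');

// One JSON object per line; blank lines are ignored.
function parseAuditLog(text) {
  return text.split('\n').filter((line) => line.trim() !== '').map((line) => JSON.parse(line));
}

// Mirrors the query parameters of the audit-log API: an inclusive UTC calendar-day
// range plus an optional list of event types.
function queryAuditLog(entries, { start_date, end_date, event_types }) {
  const from = Date.parse(`${start_date}T00:00:00Z`);
  const to = Date.parse(`${end_date}T00:00:00Z`) + 24 * 60 * 60 * 1000;
  return entries.filter((e) => {
    const t = Date.parse(e.timestamp);
    if (!(t >= from && t < to)) return false;
    return !event_types || event_types.includes(e.event_type);
  });
}

// Flag source IPs with `threshold` or more failed auth attempts inside any sliding
// window of `windowSec` seconds: a cheap key-guessing / brute-force detector.
function findAuthFailureBursts(entries, threshold = 5, windowSec = 300) {
  const byIp = new Map();
  for (const e of entries) {
    if (e.event_type !== 'security.auth_failed') continue;
    if (!byIp.has(e.ip_address)) byIp.set(e.ip_address, []);
    byIp.get(e.ip_address).push(Date.parse(e.timestamp) / 1000);
  }
  const flagged = [];
  for (const [ip_address, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    let peak = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSec) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) {
      flagged.push({ ip_address, peak_in_window: peak, total_failures: times.length });
    }
  }
  return flagged;
}
```

On the constructed log, `198.51.100.7` produces five failures in eighteen seconds and is flagged, while the two failures from `203.0.113.45` an hour apart are not, which is the distinction a fixed per-day count would miss.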
Example audit log entry:

```json
{
  "timestamp": "2026-03-16T14:30:00Z",
  "event_type": "api.request",
  "account_id": "acct_abc123",
  "ip_address": "203.0.113.45",
  "user_agent": "daimon-email-sdk/1.0.0 (python)",
  "endpoint": "POST /v1/inboxes/{id}/send",
  "status": 200,
  "latency_ms": 145
}
```

Access audit logs via dashboard (Enterprise only) or API:

```javascript
const logs = await client.account.auditLogs({
  start_date: '2026-03-01',
  end_date: '2026-03-16',
  event_types: ['api.request', 'message.sent']
});
```

Vulnerability Management
Responsible Disclosure
We welcome security researchers and offer:
- Coordinated disclosure: 90-day window for fixes before public disclosure
- Acknowledgment: Security Hall of Fame on daimon.email/security
- No legal action: Safe harbor for good-faith security research
Report vulnerabilities to: security@daimon.email
Security Updates
- Dependency scanning: Automated daily scans via Dependabot
- Penetration testing: Annual third-party pen tests
- Bug bounty: Coming Q3 2026 (HackerOne program)
Incident Response
In the event of a security incident:
- Detection: Automated monitoring alerts security team
- Assessment: Severity classification within 1 hour
- Containment: Immediate action to stop active breach
- Notification: Affected customers notified within 24 hours (email + status page)
- Remediation: Root cause analysis and fixes deployed
- Post-mortem: Public incident report within 7 days
Note
All security incidents are published on status.daimon.email with full transparency.
Third-Party Integrations
daimon.email only integrates with SOC 2 certified providers:
- Stripe: Payment processing (PCI DSS Level 1)
- Cloudflare: Infrastructure (SOC 2 Type II)
- Supabase: Database (SOC 2 Type II)
- Inngest: Background jobs (SOC 2 Type II)
No data is shared with third parties for marketing, analytics, or advertising.
Compliance Documentation
Available Reports
Enterprise customers can request:
- SOC 2 Type II report: Annual audit report (under NDA)
- Data Processing Agreement (DPA): GDPR-compliant DPA
- Security questionnaire: Responses to vendor security assessments
- Penetration test results: Summary of annual pen test findings (redacted)
Contact security@daimon.email with your company name and use case.
Compliance Certifications Roadmap
| Certification | Status | Target Date |
|---|---|---|
| SOC 2 Type II (inherited) | ✅ Active | N/A |
| HIPAA BAA | 🟡 In progress | Q4 2026 |
| ISO 27001 | 🔴 Planned | Q2 2027 |
| FedRAMP | 🔴 Planned | 2028 |
Security Best Practices for Agents
API Key Storage
```javascript
// BAD: Hardcoded API key
const client = new DaimonClient({ apiKey: 'dm_live_abc123...' });
```

```javascript
// GOOD: Environment variable
const client = new DaimonClient({ apiKey: process.env.DAIMON_API_KEY });
```

Webhook Signature Verification
Always verify webhook signatures to prevent spoofing. Compute the HMAC over the raw request body exactly as received: a body that has already been parsed and re-serialized will not match the bytes that were signed. The check below authenticates the sender; it does not by itself stop a captured delivery from being replayed, so deduplicate on the event's identifier when processing.

```javascript
import crypto from 'crypto';
import express from 'express';

// Compare the received signature with the HMAC-SHA256 of the raw body.
// timingSafeEqual throws on length mismatch, so check lengths first and treat
// any mismatch, or a missing header, as invalid.
function verifyWebhook(payload, signature, secret) {
  if (typeof signature !== 'string') return false;
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  const given = Buffer.from(signature, 'utf8');
  const want = Buffer.from(expected, 'utf8');
  if (given.length !== want.length) return false;
  return crypto.timingSafeEqual(given, want);
}

const app = express();

// Keep the raw bytes for this route instead of the JSON-parsed body.
app.post('/webhooks/daimon', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-daimon-signature'];
  const isValid = verifyWebhook(req.body, signature, process.env.WEBHOOK_SECRET);
  if (!isValid) {
    return res.status(401).send('Invalid signature');
  }
  const event = JSON.parse(req.body.toString('utf8'));
  // Process webhook
  res.sendStatus(200);
});
```

Secure Credential Handling
For agents handling sensitive emails (e.g., password resets):
- Use short-lived inboxes (delete after use)
- Don't log email content
- Use webhook delivery instead of polling
- Enable allowlist filtering for expected senders
- Purge messages immediately after processing
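The two practices from this page that can be enforced in code, reading the key from the environment rather than source (the API Key Storage snippet above) and keeping keys and message content out of logs, as an added example that is not part of daimon.email's SDK. The `dm_free_`/`dm_live_` prefixes come from the API Key Security section and the `DAIMON_API_KEY` variable name from the snippet above; the character set after the prefix and the field names treated as message content are assumptions.

```javascript
// Key format from the API Key Security section; the character set after the
// tier prefix is an assumption.
const API_KEY_RE = /^dm_(free|live)_[A-Za-z0-9]+$/;
const API_KEY_IN_TEXT_RE = /dm_(?:free|live)_[A-Za-z0-9]+/g;

// Fields whose values are message content and must never reach a log line
// (assumed names; adjust to the payloads your agent actually handles).
const CONTENT_FIELDS = new Set(['text', 'html', 'raw', 'body', 'subject', 'attachments']);

// Read the key from the environment and fail at startup if it is missing or
// malformed, instead of discovering a bad deployment through 401s later.
function loadApiKey(env = process.env) {
  const key = env.DAIMON_API_KEY;
  if (!key) throw new Error('DAIMON_API_KEY is not set');
  if (!API_KEY_RE.test(key)) throw new Error('DAIMON_API_KEY is not a dm_free_/dm_live_ key');
  return key;
}

// Keep the tier prefix and the last four characters so two keys can be told
// apart in a log without either being recoverable from it.
function maskApiKey(key) {
  const m = /^(dm_(?:free|live)_)([A-Za-z0-9]+)$/.exec(key);
  return m ? `${m[1]}***${m[2].slice(-4)}` : '[redacted]';
}

// Walk any value bound for a log line: mask keys wherever they appear inside
// strings (including "Authorization: Bearer ..." lines) and drop content fields.
function redactForLog(value) {
  if (typeof value === 'string') return value.replace(API_KEY_IN_TEXT_RE, (k) => maskApiKey(k));
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = CONTENT_FIELDS.has(k) ? '[redacted: message content]' : redactForLog(v);
    }
    return out;
  }
  return value;
}
```

Route every structured log call through `redactForLog` rather than redacting at individual call sites; the one site that forgets is the one that ends up in the log aggregator.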
Contact
For security inquiries:
- Vulnerabilities: security@daimon.email
- Compliance questions: compliance@daimon.email
- DPA requests: legal@daimon.email
- Incident reports: abuse@daimon.email