Trust & Security
Last updated: 2026-05-28.
We run a multi-tenant email + AI platform. The same operational rules that protect your inbox also protect every other tenant on the platform from the worst behavior on it. This page documents the controls we run.
How to report a vulnerability
Email security@talkingunicorn.email or follow the disclosure policy at /.well-known/security.txt. We respond within 2 business days and aim to remediate critical issues within 7 days. No bounty program at this stage, but we publicly credit researchers (with permission) once a fix has shipped.
We will not pursue legal action against good-faith research that:
- Doesn't access other tenants' data;
- Doesn't degrade service for other tenants;
- Gives us a reasonable window (we suggest 30 days, but talk to us if the issue is critical and time-sensitive) before public disclosure.
Encryption
In transit. TLS 1.2+ on every external surface. HTTP Strict Transport Security (HSTS) is enabled on inbox.talkingunicorn.email. Inbound and outbound SMTP use STARTTLS opportunistically and prefer modern ciphers; submission (port 587) requires authentication and TLS.
At rest. Mailboxes are stored on encrypted volumes at the hosting provider. CRM OAuth tokens and tenant-provided API keys are encrypted with Fernet (AES-128-CBC + HMAC-SHA-256) before being persisted; the key is derived from BILLING_SECRET_KEY and is never logged or exposed to API consumers.
Access controls
- Operator panel access requires a unique username + bcrypt-hashed password + (optionally) TOTP second factor.
- Login endpoints (/admin/login, /api/auth/login) are rate-limited per IP and per username via Redis with a 10-minute window.
- Direct database access is limited to the production host and the on-call engineer. Routine operator actions go through audited endpoints, never bare SQL.
Tenancy isolation
- Each tenant's data is partitioned by tenant_id at the schema level. Every authenticated request resolves a tenant from the session before any data is read, and queries take tenant_id as a parameter.
- Each tenant's mail lives under /var/vmail/<tenant-domain>/... (separate filesystem subtrees, separate IMAP namespaces).
- Per-tenant LoRA fine-tunes are isolated by adapter file; we never cross-train on another tenant's content.
Logging & retention
- Application logs are retained 30 days unless an active investigation extends them. Logs contain account identifiers and metadata; we do not log message bodies.
- The operator audit log is retained for the life of the account plus 90 days. Tenants can request a copy of audit events relating to their account.
Backup & recovery
- MariaDB nightly snapshots are kept for 14 days, with a weekly snapshot kept for 90 days. Restores are tested at least quarterly.
- Mail volumes have hot replicas; the production write path is fsync-durable.
- RPO target: 1 day. RTO target: 4 hours from total infrastructure loss.
Abuse handling
We run automated outbound spam detection plus a per-tenant trust score. Tenants flagged above critical thresholds can be paused automatically (operator-configurable). Pause notifications go to the tenant admin within 5 minutes; restoration is a same-day operator action when the underlying cause has been addressed. See /legal/service-behavior for the full state machine.
Subprocessors
Our complete subprocessor list is at /legal/subprocessors and is the authoritative source for which third parties touch which categories of data.
Compliance posture
We are an early-stage company. We have not completed SOC 2 or ISO 27001 audits yet; we plan to begin SOC 2 Type I scoping once we cross 100 paying tenants. Until then we follow the CIS Controls v8 implementation checklist and can share our internal control mapping under NDA with prospects evaluating us against a security questionnaire.
For specific questionnaires (CAIQ, SIG-Lite, custom Word docs), email security@talkingunicorn.email and we'll turn them around within five business days.