SMSESMetric

Security

Email is infrastructure. We secure it like it.

Encryption at rest and in transit, scoped API keys, isolated routing, and audit trails. SESMetric is built for engineering teams who treat email as a production system.

Read the docs Report a vulnerability

Pillars

Four layers of defense, on by default.

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest. Every SMTP, REST, and MCP connection is encrypted — no plaintext fallbacks.

Scoped API keys

Per-key scopes (email:send, email:read, articles:write, templates:write). Revocable instantly. Hashed at rest — we never store raw keys.

Zero-trust internal auth

Pod-to-pod calls carry X-Internal-Auth + X-User-Id. No implicit trust based on network location.

Isolated infrastructure

Per-user routing isolates noisy senders from the shared IP pool. A reputation incident on one user cannot poison the rest.

Compliance

SOC 2 Type II

Audited

GDPR

Compliant

CCPA

Compliant

DKIM / SPF / DMARC

Enforced

Controls in detail

Authentication

  • WorkOS AuthKit with PKCE + signed session cookies
  • Per-user SMTP credentials (no shared auth)
  • API keys rejected if owner is not on a paid plan

Data handling

  • Email bodies stored encrypted in S3, retention configurable
  • ClickHouse analytics partitioned by month, exportable on request
  • No PII shared with third-party analytics

Operations

  • All deployments via Drone CI from signed commits
  • Kubernetes RBAC + least-privilege service accounts
  • Audit log of admin actions (impersonation, route flips, deletions)

Responsible disclosure

If you discover a security vulnerability, email security@sesmetric.com. We respond within 24 hours and credit responsible reporters. Please do not publicly disclose until we have shipped a fix.

Response

Within 24 hours

PGP

On request

Bounty

For valid findings