Security & Compliance
EmailAlias, a product of LLMView IT Services, is built security-first. Every layer of our infrastructure is designed to protect your email identity with zero-knowledge privacy.
Encryption Architecture
AES-256 Encryption at Rest
All alias mappings, user metadata, and sensitive configuration data are encrypted with AES-256 (Advanced Encryption Standard with 256-bit keys) in our PostgreSQL database. Even if our database were compromised, attackers would only see encrypted ciphertext.
TLS 1.3 in Transit
Every connection — between email servers, between your browser and our API, and between our internal services — is encrypted in transit with TLS, negotiating TLS 1.3 wherever the peer supports it. We enforce HSTS on browser connections and reject any connection below TLS 1.2.
Zero-Knowledge Forwarding
Email content passes through our servers in an encrypted stream. We never parse, read, index, or store email bodies or attachments. Only minimal delivery metadata (sender, timestamp, status) is retained for your analytics dashboard.
Encrypted Key Management
Encryption keys are managed through a dedicated key management service with automatic rotation. Keys are never stored alongside encrypted data and are protected by hardware security boundaries.
Email Authentication
We implement the full email authentication stack to prevent spoofing, ensure delivery integrity, and protect your aliases from being impersonated:
SPF (Sender Policy Framework)
Specifies which mail servers are authorized to send email on behalf of emailalias.io. Receiving servers check SPF records to verify the sending server is legitimate.
DKIM (DomainKeys Identified Mail)
Every outgoing email is cryptographically signed with a DKIM key. The receiving server verifies the signature against our published DNS record, ensuring the email hasn't been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Our DMARC policy instructs receiving servers to reject any email that passes neither SPF nor DKIM with an identifier aligned to our domain. This prevents attackers from spoofing @emailalias.io addresses.
MTA-STS (Mail Transfer Agent Strict Transport Security)
Publishes a policy telling sending mail servers that they must use TLS with a valid certificate when delivering email to our domain. This prevents downgrade attacks in which an attacker on the network path strips STARTTLS to force an unencrypted connection and intercept email.
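The four mechanisms above are only as strong as the records behind them: an SPF record ending in ~all, a DMARC policy of p=none or a DKIM key that has been revoked quietly undo the protection. The script below is an added example (not EmailAlias code) that audits SPF, DKIM, DMARC and MTA-STS posture from the record text alone, so it runs offline; every record in it is constructed, and the DKIM key-size heuristic (inferring bit length from the decoded SubjectPublicKeyInfo size) is an assumption of this example. In practice you would feed it the TXT records fetched from DNS and the policy file fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt.

```python
"""Audit SPF / DKIM / DMARC / MTA-STS records for weak settings.
Added example, not part of EmailAlias; all sample records are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Finding:
    mechanism: str
    level: str  # "ok" | "warn" | "fail"
    detail: str


def _tags(txt: str) -> dict:
    """Parse 'k=v; k2=v2' tag-value records (DMARC, DKIM and the _mta-sts TXT)."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_spf(txt: str) -> Finding:
    if not txt or txt.split()[0].lower() != "v=spf1":
        return Finding("SPF", "fail", "no v=spf1 record")
    all_q, lookups = None, 0
    for term in txt.split()[1:]:
        q = "+"
        if term[0] in "+-~?":
            q, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_q = q
        elif name in {"include", "a", "mx", "ptr", "exists", "redirect"}:
            lookups += 1  # each costs a DNS query; RFC 7208 caps these at 10
    if lookups > 10:
        return Finding("SPF", "fail", f"{lookups} DNS-querying terms; receivers permerror above 10")
    if all_q == "-":
        return Finding("SPF", "ok", "hard fail (-all) for unauthorised senders")
    if all_q == "~":
        return Finding("SPF", "warn", "soft fail (~all): forged mail is only flagged, not rejected")
    return Finding("SPF", "fail", "no -all / ~all terminator: any host may send for this domain")


def check_dkim(txt: str) -> Finding:
    tags = _tags(txt or "")
    if tags.get("v", "DKIM1").upper() != "DKIM1" or "p" not in tags:
        return Finding("DKIM", "fail", "no DKIM record with a p= tag at the selector")
    if not tags["p"]:
        return Finding("DKIM", "fail", "empty p= means the key has been revoked")
    if tags.get("k", "rsa").lower() == "rsa":
        der_len = len(base64.b64decode(tags["p"]))
        # Heuristic (assumption): an RSA-1024 SPKI is ~162 bytes, RSA-2048 ~294,
        # so anything under 250 bytes is almost certainly shorter than 2048 bits.
        if der_len < 250:
            return Finding("DKIM", "warn", f"RSA key looks shorter than 2048 bits ({der_len}-byte SPKI)")
    if "y" in tags.get("t", "").split(":"):
        return Finding("DKIM", "warn", "t=y testing flag: verifiers treat signed mail like unsigned mail")
    return Finding("DKIM", "ok", "published key present")


def check_dmarc(txt: str) -> Finding:
    tags = _tags(txt or "")
    if tags.get("v", "").upper() != "DMARC1":
        return Finding("DMARC", "fail", "no v=DMARC1 record at _dmarc")
    p = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if p == "reject" and pct == 100 and "rua" in tags:
        return Finding("DMARC", "ok", "p=reject on 100% of mail, aggregate reports enabled")
    if p == "reject":
        return Finding("DMARC", "warn", f"p=reject but pct={pct}, rua {'set' if 'rua' in tags else 'missing'}")
    return Finding("DMARC", "warn" if p == "quarantine" else "fail", f"p={p}: spoofed mail is not rejected")


def check_mta_sts(txt: str, policy: str) -> Finding:
    if _tags(txt or "").get("v", "") != "STSv1":
        return Finding("MTA-STS", "fail", "no v=STSv1 TXT record at _mta-sts")
    fields: dict = {}
    for line in (policy or "").splitlines():  # policy file is 'key: value' lines
        if ":" in line:
            k, v = line.split(":", 1)
            fields.setdefault(k.strip().lower(), []).append(v.strip())
    if fields.get("version") != ["STSv1"] or "mx" not in fields:
        return Finding("MTA-STS", "fail", "policy file lacks version: STSv1 or an mx: line")
    mode = fields.get("mode", ["none"])[0]
    if mode == "enforce":
        return Finding("MTA-STS", "ok", f"enforce: senders must use TLS to {', '.join(fields['mx'])}")
    if mode == "testing":
        return Finding("MTA-STS", "warn", "testing mode only reports failures; a downgrade still delivers")
    return Finding("MTA-STS", "fail", f"mode={mode}: policy is not enforced")


def audit(records: dict) -> list:
    """records keys: spf, dkim, dmarc, mta_sts_txt, mta_sts_policy (any may be absent)."""
    return [check_spf(records.get("spf")), check_dkim(records.get("dkim")),
            check_dmarc(records.get("dmarc")),
            check_mta_sts(records.get("mta_sts_txt"), records.get("mta_sts_policy"))]


# Constructed records: the posture the section above describes, and a weak one.
STRONG = {
    "spf": "v=spf1 mx ip4:203.0.113.10 -all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,  # 294-byte SPKI, i.e. RSA-2048 sized
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "mta_sts_txt": "v=STSv1; id=20240101T000000",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.emailalias.io\nmax_age: 604800\n",
}
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 216,  # 162-byte SPKI, i.e. RSA-1024 sized
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "mta_sts_txt": "v=STSv1; id=20240101T000000",
    "mta_sts_policy": "version: STSv1\nmode: testing\nmx: mail.emailalias.io\nmax_age: 86400\n",
}

if __name__ == "__main__":
    for label, recs in (("strong", STRONG), ("weak", WEAK)):
        for f in audit(recs):
            print(f"{label:6} {f.mechanism:8} {f.level:4} {f.detail}")
```

Run it and the weak profile reports four distinct problems (soft-fail SPF, short DKIM key, p=none DMARC, MTA-STS in testing mode) while the strong profile is clean; the same functions accept real records once you fetch them, which is how a recipient or an auditor would verify the claims in this section rather than take them on trust.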
Infrastructure Security
Isolated Network
Database servers are in a private subnet with no public internet access. Only our application servers can communicate with the database through encrypted internal connections.
DDoS Protection
Multi-layer DDoS mitigation with rate limiting at the edge, application-level throttling, and automatic traffic analysis to block malicious request patterns.
Automated Backups
Encrypted database backups run every 6 hours with 30-day retention. Backups are stored in a separate region and encrypted with a different key than production data.
Intrusion Detection
Real-time monitoring for suspicious activity including failed login attempts, unusual API patterns, and unauthorized access attempts. Automated alerts to our security team.
Dependency Scanning
Automated vulnerability scanning of all dependencies on every deployment. Critical vulnerabilities are patched within 24 hours of disclosure.
Access Controls
Principle of least privilege across all systems. Employee access requires MFA, is logged, and is reviewed quarterly. No employee can access user email content (zero-knowledge).
Compliance & Regulations
GDPR Compliant
EmailAlias is fully compliant with the EU General Data Protection Regulation. We collect minimal data, process it lawfully, and give users complete control over their information including the right to export and delete all data.
- Right to access — export all your data anytime
- Right to erasure — delete your account and all associated data
- Data minimization — we only collect what's needed to operate
- Lawful basis — subscription contract and legitimate interest
- No data transfers to non-adequate countries without safeguards
CCPA / CPRA Compliant
For California residents, we comply with the California Consumer Privacy Act and California Privacy Rights Act. We never sell personal information and honor all consumer rights requests.
- We do not sell or share personal information
- Right to know what data we collect
- Right to delete personal information
- Right to opt-out of sale (N/A — we never sell)
- No discrimination for exercising privacy rights
SOC 2 Type II
Our infrastructure and processes are designed to meet SOC 2 Type II requirements across all five trust service criteria. We maintain continuous monitoring and undergo regular security assessments.
- Security — encryption, access controls, threat detection
- Availability — 99.9% uptime SLA with redundant infrastructure
- Processing Integrity — email delivery verification and logging
- Confidentiality — zero-knowledge architecture, encrypted storage
- Privacy — minimal data collection, no third-party sharing
Vulnerability Disclosure
We take security vulnerabilities seriously. If you discover a security issue in EmailAlias, we encourage responsible disclosure. We commit to:
- Acknowledging your report within 24 hours
- Providing regular updates on our investigation
- Resolving critical vulnerabilities within 72 hours
- Crediting researchers who report valid issues (with permission)
- Not pursuing legal action against good-faith security researchers
Report vulnerabilities to security@emailalias.io. Please include a detailed description, reproduction steps, and your contact information.
Transparency
Annual Transparency Report
We publish an annual transparency report detailing: the number of government and law enforcement requests received, the number of requests we complied with, and the types of data provided. We will always challenge overbroad or unlawful requests.
Warrant Canary
As of the last update, EmailAlias has not received any national security letters, FISA orders, or gag orders. We have not been required to build backdoors into our system. We have not provided any government with direct access to user data.
Security you can verify
We don't ask you to trust us blindly — our zero-knowledge architecture means we can't compromise your privacy even if we wanted to.