Compliance & Certifications

Our commitment to security, privacy, and regulatory compliance

🇮🇸

Iceland Hosted

Infrastructure hosted in Iceland, a privacy-first jurisdiction with strong data sovereignty laws and no surveillance alliance membership.

Privacy-First Jurisdiction

SOC 2 Type II

Independent SOC 2 Type II attestation report covering the Security, Availability and Confidentiality trust services criteria (SOC 2 is an auditor's attestation over a review period, not a certification). Audited annually by an independent third-party firm.

Last audit: December 2025

🇪🇺

GDPR Compliant

Full compliance with EU General Data Protection Regulation. Data portability, right to deletion, and privacy by design.

Effective: May 2018

ISO 27001 Ready

Information security management system aligned with ISO 27001 standards. Certification in progress.

Expected: Q2 2026

CCPA Compliant

California Consumer Privacy Act compliance. Transparency in data collection and consumer rights protection.

Effective: January 2020

Security Standards

Encryption

  • TLS 1.3: All data in transit
  • AES-256: Data at rest encryption
  • PGP: Optional end-to-end encryption (Business plan)
  • Key Management: Hardware security modules (HSM)

Access Controls

  • Multi-factor authentication (MFA) required for staff
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews and audits

Infrastructure Security

  • 🇮🇸 Hosted in Iceland - privacy-first jurisdiction
  • SOC 2 Type II audited data centers
  • 24/7 security monitoring and intrusion detection
  • DDoS protection and rate limiting
  • Regular penetration testing
  • Automated security patching

Zero-Knowledge Architecture

  • Email content processed in memory only
  • No persistent storage of email content
  • Encrypted metadata storage
  • Secure key management

Processing in memory means the service does not retain message bodies; it can still read them while they pass through. The optional PGP end-to-end encryption (Business plan) is what keeps content unreadable to the service itself.

Privacy Compliance

🇮🇸 Iceland Jurisdiction

RacterMX is hosted in Iceland, providing enhanced privacy protections:

  • Strong constitutional privacy protections
  • No membership in Five Eyes or other surveillance alliances
  • EEA member with full GDPR compliance
  • Robust data sovereignty and protection laws
  • Journalist and whistleblower protection framework
  • Limited government data access requirements

GDPR (EU)

  • Data Protection Officer (DPO) appointed
  • Privacy by design and by default
  • Data processing agreements with all vendors
  • GDPR applies in Iceland through the EEA Agreement, so no third-country transfer mechanism is needed for EU customer data
  • Data breach notification within 72 hours
  • Regular Data Protection Impact Assessments (DPIA)

CCPA (California)

  • Transparent data collection practices
  • Consumer rights to access and delete data
  • No sale of personal information
  • Non-discrimination for exercising rights

Other Regulations

  • PIPEDA: Canadian privacy compliance
  • LGPD: Brazilian data protection law
  • EU-US transfers: the Privacy Shield framework was invalidated by the Court of Justice of the EU in July 2020 (Schrems II) and is no longer a valid transfer basis; any vendor transfer to the US must rely on a current mechanism such as Standard Contractual Clauses or the EU-U.S. Data Privacy Framework

Email & Anti-Spam Compliance

CAN-SPAM Act (US)

  • Acceptable use policy prohibits spam and unsolicited bulk email (CAN-SPAM itself does not ban commercial email outright; it requires accurate headers, a working opt-out and a physical postal address)
  • Enforcement of acceptable use policies
  • Immediate account termination for violations

Email Authentication

  • SPF: Sender Policy Framework support
  • DKIM: DomainKeys Identified Mail signing
  • DMARC: Domain-based Message Authentication
  • BIMI: Brand Indicators for Message Identification
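The four records above interact: BIMI is only honoured by receivers when DMARC is at an enforcing policy, SPF stops protecting once it ends in +all or exceeds the lookup limit, and a DKIM key with an empty p= tag is revoked. The following is an added example, not RacterMX code, that evaluates a domain's posture from its TXT records. The records and domains (example.test, weak.test, selector s1) are constructed sample data so it runs offline; a real check would fetch them with a DNS resolver.

```python
import re

# Constructed sample TXT records for a hypothetical, well-configured domain.
# Hard-coded instead of looked up so the example runs without network access.
SAMPLE_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    # p= is a truncated sample key, not a real public key
    "s1._domainkey.example.test": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s",
    "default._bimi.example.test": "v=BIMI1; l=https://example.test/logo.svg; a=https://example.test/vmc.pem",
}

# Constructed weak configuration for comparison: +all SPF, monitoring-only
# DMARC, no DKIM key, so the BIMI record cannot take effect.
WEAK_TXT = {
    "weak.test": "v=spf1 include:a.test include:b.test a mx ptr +all",
    "_dmarc.weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test",
    "default._bimi.weak.test": "v=BIMI1; l=https://weak.test/logo.svg",
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps them at 10)
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DKIM, DMARC, BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return (ok, reason): ok only if SPF ends in -all/~all within the lookup limit."""
    if record is None:
        return False, "no SPF record"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return False, "not an spf1 record"
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        # strip qualifier, then argument (":", "=") and CIDR ("/") to get the mechanism name
        name = re.sub(r"^[+\-~?]", "", term)
        name = re.split(r"[:=/]", name, 1)[0].lower()
        if name in SPF_LOOKUP_MECHS:
            lookups += 1
        if name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    if lookups > 10:
        return False, f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10"
    if all_qualifier is None:
        return False, "no 'all' mechanism; unlisted senders get a neutral result"
    if all_qualifier in ("+", "?"):
        return False, f"'{all_qualifier}all' authorises or ignores every sender"
    return True, f"terminates with {all_qualifier}all, {lookups} lookups"


def check_dkim(record):
    """Return (ok, reason) for a selector's DKIM key record."""
    if record is None:
        return False, "no DKIM key at selector"
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":   # v= is optional in DKIM
        return False, "unexpected version tag"
    if not tags.get("p"):
        return False, "empty p= tag: key has been revoked"
    return True, f"{tags.get('k', 'rsa')} key published"


def check_dmarc(record):
    """Return (enforcing, reason); p=none or pct<100 is not enforcing."""
    if record is None:
        return False, "no DMARC record"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC1 record"
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy not in ("none", "quarantine", "reject"):
        return False, f"invalid policy {policy!r}"
    if policy == "none":
        return False, "p=none only monitors; spoofed mail is still delivered"
    if pct < 100:
        return False, f"p={policy} applied to only {pct}% of mail"
    reports = "reports to " + tags["rua"] if "rua" in tags else "no rua= reporting address"
    return True, f"p={policy} enforced, {reports}"


def check_bimi(record, dmarc_enforcing):
    """Return (ok, reason); BIMI only displays when DMARC is enforcing."""
    if record is None:
        return False, "no BIMI record (optional)"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "BIMI1":
        return False, "not a BIMI1 record"
    if not dmarc_enforcing:
        return False, "BIMI ignored: DMARC must be p=quarantine (pct=100) or p=reject"
    if not tags.get("l"):
        return False, "missing l= logo URL"
    return True, "logo published" + (" with VMC" if tags.get("a") else ", no VMC (a=)")


def check_domain(txt, domain, selector="s1"):
    """Run all four checks against a dict of TXT records keyed by name."""
    dmarc = check_dmarc(txt.get(f"_dmarc.{domain}"))
    return {
        "spf": check_spf(txt.get(domain)),
        "dkim": check_dkim(txt.get(f"{selector}._domainkey.{domain}")),
        "dmarc": dmarc,
        "bimi": check_bimi(txt.get(f"default._bimi.{domain}"), dmarc[0]),
    }


if __name__ == "__main__":
    for name, txt in (("example.test", SAMPLE_TXT), ("weak.test", WEAK_TXT)):
        print(name)
        for check, (ok, reason) in check_domain(txt, name).items():
            print(f"  {check:6} {'PASS' if ok else 'FAIL'}  {reason}")
```

To use it against a real domain, replace the dicts with TXT lookups of the same four names (the domain itself, selector._domainkey, _dmarc and default._bimi). The DMARC check treats pct below 100 and p=none as non-enforcing because both still deliver spoofed mail to the inbox.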

Audit & Reporting

Regular Audits

  • Annual SOC 2 Type II audits
  • Quarterly internal security reviews
  • Third-party penetration testing (bi-annual)
  • Vulnerability scanning (continuous)

Transparency Reports

  • Law enforcement requests (published semi-annually)
  • Data breach notifications (if any)
  • Service availability and uptime statistics

View Transparency Report →

Incident Response

  • 24/7 security operations center (SOC)
  • Documented incident response plan
  • Breach notification within 72 hours (GDPR)
  • Post-incident reviews and improvements

Business Continuity

Disaster Recovery

  • Automated daily backups
  • Geographically distributed backup storage
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour

High Availability

  • Redundant infrastructure across multiple availability zones
  • Automatic failover for critical services
  • 99% uptime SLA (Professional and Business plans; this allows roughly seven hours of downtime in a 30-day month)
  • Load balancing and auto-scaling

Vendor Management

All third-party vendors are carefully vetted for security and compliance:

  • Current SOC 2 Type II report required
  • Data processing agreements (DPA) in place
  • Regular security assessments
  • Contractual liability and indemnification
  • Right to audit vendor security practices

Current Vendors

  • Stripe: Payment processing (PCI DSS Level 1)
  • AWS/GCP: Infrastructure hosting (SOC 2, ISO 27001). Neither provider operates a region in Iceland, so any workload placed on them sits outside the Icelandic jurisdiction described above

Compliance Questions?

Our compliance team is here to help with audits, certifications, and regulatory questions.