Master Inbox Security Overview

Last updated: March 28, 2026

At Master Inbox, we take security and data protection seriously and implement industry-standard measures aligned with GDPR requirements. Our goal is to ensure that customer data is handled securely, transparently, and only for the purposes of delivering and improving our Services.

Infrastructure

Master Inbox is hosted on secure cloud infrastructure provided by Hetzner. Our platform is protected by Cloudflare, which provides network security, DDoS protection, and traffic filtering.

Data Encryption

All data is encrypted in transit using TLS (Transport Layer Security).
Data is encrypted at rest, including databases and backups, to protect against unauthorized access.

Access Controls

We enforce role-based access controls (RBAC) across our systems.
Access to production systems is restricted to authorized personnel only and is granted based on least-privilege principles.
All access is logged and monitored.

Data Isolation

Each customer workspace is logically isolated. Customer data is not shared across accounts, ensuring strict separation between clients.

Monitoring and Logging

We maintain logging and monitoring systems to detect suspicious activity, investigate incidents, and maintain system integrity.
System logs are retained for security, debugging, and abuse prevention purposes.

Data Retention

Master Inbox retains customer data for as long as the account remains active and as necessary to provide the Services.

Customers may request deletion of their data at any time.

Upon account termination or deletion request:

• Active data is deleted from production systems within 7 business days
• Backup data is retained for up to 6 months and is permanently deleted thereafter

Master Inbox does not use customer data for any purpose other than providing and improving the Services.

Subprocessors

We engage trusted third-party subprocessors to operate our services. These include infrastructure, communication, AI, and integration providers.

Subprocessors include:

• Hetzner (cloud infrastructure)
• Cloudflare (security and CDN)
• OpenAI and Google (AI features opt-in only)
• Slack, Twilio, Postmark (communications and notifications)
• HubSpot, Pipedrive (CRM integrations)
• Paddle (billing and payments)

A full and updated list of subprocessors is available upon request or in our subprocessor documentation.

AI Processing

AI features within Master Inbox are strictly opt-in and are only activated when explicitly enabled by the Customer.
AI processing is limited to the minimum data required to provide the feature and is not used beyond the scope of the Service.

Compliance

Master Inbox follows GDPR-aligned data protection practices.

We utilize Standard Contractual Clauses (SCCs) for international data transfers where applicable.

SOC 2 compliance is currently in progress.

Incident Response

We maintain internal procedures to detect, respond to, and investigate security incidents.
In the event of a data breach affecting customer data, Master Inbox will notify affected customers without undue delay.

Contact Us

For security, privacy, or data protection inquiries, please contact:

[email protected]

We aim to respond to all inquiries within 24–48 hours.