Security

Your data is safe with us

Security is foundational to everything we build. Here is how we protect your accounts, credentials, and data.

Encryption

All email credentials are encrypted at rest using AES-256-GCM, the same standard used by financial institutions and government agencies. Encryption keys are stored separately from the encrypted data and rotated regularly.

Data in transit is protected with TLS 1.3 for all connections between your browser, our servers, and your email providers. We enforce HSTS and perfect forward secrecy on all endpoints.

Data Isolation

Each account's data is strictly separated at the database level. No user can access another user's mailboxes, credentials, or warm-up data under any circumstances.

Warm-up emails are AI-generated and exist solely to build your sender reputation. We never read, store, or analyze the content of your real business emails.

Authentication

We support OAuth2 for connecting Gmail and Microsoft 365 accounts, which means we never need to handle your email passwords directly. For providers without OAuth2 support, we use app-specific passwords that are encrypted immediately upon submission.

User authentication is handled via secure session tokens with automatic expiration. We support multi-factor authentication and enforce strong password requirements.

Infrastructure

Stekpad is hosted on secure European servers with full redundancy and automated backups. Our infrastructure is designed for high availability with a 99.98% uptime track record.

All servers are hardened according to CIS benchmarks, with automated vulnerability scanning, intrusion detection, and regular penetration testing by independent security firms.

Compliance

We are fully GDPR compliant. You can request a full export or deletion of your data at any time from your account settings or by contacting our support team.

SOC 2 Type II certification is currently in progress. We also comply with CCPA requirements for California residents. Our data processing agreements are available upon request for Enterprise customers.

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue, please report it to us responsibly and we will investigate promptly.

Contact us at security@stekpad.com. We commit to acknowledging reports within 24 hours and providing a detailed response within 72 hours. We do not pursue legal action against good-faith security researchers.

Questions about security?

Reach out to our security team at security@stekpad.com.
