23 Oct 2019 • BLOG - News
Data Privacy and Security at Mailjet
23 Oct 2019
You’ve probably already heard, but just in case you haven’t, let us share the news with you: Mailjet has been acquired by Mailgun!
While we’re all very excited here, we understand that some of you might have questions about what this means for Mailjet clients, especially in regards to data privacy and security.
The short answer is that nothing will change and Mailjet will remain a separate entity that will continue to offer the highest standards of data privacy and security.
Want to know more about how Mailjet protects your data? Read on!
Email Data privacy and security: Mailjet’s core values
If you are a Mailjet user, you probably know that we’ve been putting data privacy and security first for a long time, working hard to guarantee the highest standards for all our users.
As a European entity, we abide by the EU’s General Data Protection Regulation. In fact, we were the first company to obtain the AFAQ certification from AFNOR, which guarantees compliance with the principles of GDPR. This hasn’t changed and Mailjet will continue to offer a GDPR-compliant email solution for all of our clients around the world.
Mailjet also makes data security a priority, which is why we went through the rigorous process to obtain the ISO 27001 certification, the international standard for best practices of information security process. This certification requires companies to not only implement company-wide processes pertaining to security policies, data handling and access, but also infrastructure controls.
Our security processes begin with our product development, and the scope, lifecycle and fundamental principles of Mailjet’s security policy are to the highest standard, ensuring all information hosted on the Google Cloud platform is secure.
These accomplishments in data privacy and security propel Mailjet to another level of service excellence in the competitive email industry. We’re proud of these achievements and what it means not just for our clients, but for the individuals whose data we protect on behalf of our clients.
How does Mailjet ensure the privacy of your personal data?
Mailjet’s ‘privacy by design’ approach ensures that personal data processing is compliant from the very beginning.
We ensure the protection of our customers’ data from end to end through the implementation of strong technical and organizational measures including, our data retention periods, data storage and transfers, and encryption protocols – are publicly available under the principles of accountability and transparency we prioritise at Mailjet.
The most important regulation businesses with European contacts need to comply with is the EU General Data Protection Regulation (or GDPR).
GDPR came into force on May 25, 2018. Any company, organization, association and administration, both European or non-European with EU customers, has to comply with GDPR. And this doesn’t just affect your own business, it also means that any third-party solutions you work with has to be GDPR-compliant as well.
Mailjet was the first company to obtain the AFAQ certification from AFNOR, which guarantees compliance with the principles of GDPR, and our clients can continue to expect the highest level of data protection.
Third-party providers are often the weakest link in a company’s ability to be GDPR-compliant. Email service providers pose an especially high risk as they regularly process and store a large scale of personal data (example: first name, email address, IP addresses) on behalf of enterprises. That is why compliance from the entire processing chain is so important today.
Data Servers in the EU
At Mailjet, all our data is and will continue to be stored in EU servers.
While GDPR doesn’t strictly demand that EU citizen’s data remains in the EU, it does require that the physical servers where the data is stored are safe and under protection, and that any data transfer out of the EU has to be done under strict rules.
By keeping our data servers in the EU, we offer our clients additional reassurance over the privacy and security of their data, as we can ensure that their protection is ruled by the stricter European laws.
Over the last few months, the United States’ CLOUD Act (or Clarifying Lawful Overseas Use of Data Act) has become an important issue in the data privacy landscape. The CLOUD Act came into effect on March 23, 2018 and allows federal law enforcement to request the data stored on US-based technology companies servers, regardless of where those servers are based. This includes companies most of us use on a daily basis, like Apple, Google, Facebook or Microsoft, as well as most companies hosted on a cloud infrastructure (GCP, AWS, Azure, etc.).
However, there are many misconceptions surrounding the CLOUD Act. US authorities can only request disclosures to personal data directly related to the investigation of serious criminal activities and/or national security concerns, and will have to do it through a warrant or subpoena.
Like many of our European competitors, our data is stored on Google Cloud servers in Europe, meaning we were already under CLOUD Act requirement and our recent acquisition doesn’t affect this. Mailjet will continue to adhere to the strictest security standards under its ISO 27001 certification. All our data will continue to be secured and encrypted at rest, and can only be requested for the investigation of serious criminal activities.
How does Mailjet keep your data safe?
Data security is key for email sending. When you partner with Mailjet, all your data is stored on servers within Europe (Google Cloud Platform). Your data is copied and placed in separate locations in real-time, and all communications sent through our application are encrypted.
One of the ways in which we protect the information contained in emails is through encryption. Contrary to popular belief, DKIM does not provide encryption of the messages, however, it does add a layer of authentication that helps you protect your emails.
Mailjet encrypts the channel that sends your email from server A (your sending server) to server B (your recipient’s server). This is the role of the Transport Layer Security, or TLS. The only issue here is that TLS is still not used by all the ISPs. Meaning that if you send a TLS encrypted message and your recipient’s server doesn’t follow this protocol, the encryption won’t be effective.
Security of the data storage servers
We’ve already mentioned how important it is to ensure that the servers where the data is stored are safe.
If you rely on a third party to store the data, look for solutions that offer the best guarantee for concerns like redundancies, fire risk prevention, high security levels, energy self-sufficiency, and so on. Since you’re not the one directly managing the server, you have to be sure that all of these necessary precautions are followed, to ensure the maximum level of security. If you have European customers, having your servers located in Europe can also be a good idea, since the stricter European laws will apply. Both Mailjet and Mailgun have servers in the EU to help ensure optimal security and privacy.
To ensure our servers are secure, Mailjet keeps its data in the European Union, where the privacy and security requirements of GDPR guarantee the highest level of protection, including limited access to the servers and 24/7 surveillance. On top of that, our data centers are controlled against power failure, with redundant power systems.
Organizations collect, process and hold ever-increasing volumes of personal data to enable relevant and timely email communication with their customers. Data security continues to be a huge responsibility and challenge, and they need assurance that their email service provider can deliver this.
Learn more about data security at Mailjet on our blog post ‘What Makes Mailjet a Secure Email Solution?’
More questions? Ask Mailjet!
Do you have any more questions about Privacy and Security at Mailjet? Check out our FAQs to learn more about how we use and store your data, or send your questions directly to our team by filling in a Support ticket.