Security & Privacy
How laim.email protects your data and your privacy.
EU Data Residency
All laim.email infrastructure runs in German data centers. Email content, metadata, calendars, contacts, and account data are processed and stored exclusively in the EU.
- +All servers hosted in Germany (Contabo)
- +No data replication outside the EU
- +GDPR-compliant by architecture, not just policy
- +Your emails never leave the EU for processing or storage
Encryption
laim.email uses encryption at every layer to protect your data in transit and at rest.
| Layer | Method |
|---|---|
| In transit (web) | TLS for all HTTPS connections |
| In transit (mail) | IMAPS (port 993), SMTPS (port 465), STARTTLS (port 587) |
| At rest | AES-256 encryption for stored email |
| Passwords | Argon2id hashing (memory-hard, GPU-resistant) |
Infrastructure Security
The platform runs on Kubernetes with multiple layers of isolation and defense in depth.
- +Namespace isolation — workloads separated by Kubernetes namespaces with restricted access
- +Network policies— strict rules restricting inter-service communication
- +Sealed Secrets— no plaintext secrets in version control; encrypted at rest with Bitnami Sealed Secrets
- +Automated backups — Velero backups to EU-based object storage with periodic restore drills
- +GitOps deployment — all infrastructure changes are version-controlled and auditable
Spam & Abuse Prevention
Multiple layers of protection keep spam out and prevent abuse of the platform.
| Measure | Details |
|---|---|
| Spam filtering | Rspamd on all inbound mail |
| SMTP rate limit | 60 requests/min |
| IMAP rate limit | 120 requests/min |
| JMAP rate limit | 300 requests/min |
| Abuse controls | Account suspension handling and outbound send suspension per domain |
Account Deletion
When you delete your account, we follow a clear, transparent process:
- You request deletion from your account settings
- A 30-day grace period begins — you can cancel and restore your account at any time
- After 30 days, all data is permanently and irreversibly deleted — email, contacts, calendars, account metadata
- No data is retained for advertising, analytics, or any other purpose
Privacy Transparency
We believe in being clear about how your data is handled.
No email scanning
We never scan your emails for advertising, profiling, or any purpose beyond spam filtering.
No data selling
Your data is never sold, shared with third parties, or used for purposes you didn't consent to.
Clear access policy
We document what we can and cannot access. Infrastructure operators have access only for service operation.
