Annex 2

• 1: Pseudonymisation and encryption of Personal Data
  • Customer data
  • Encryption Key Management
• 2: Backup and restoring Personal Data
  • Customer data and internal system backups
  • Backup verification
  • Backup and disaster recovery testing
• 3: Testing, assessing and evaluating our security
  • Bug bounty
  • External and Internal Audit
• 4: User identification and authorisation
  • Secure authentication systems
  • User identification processes
  • Remote logout
• 5: Protection of data during transmission
  • Secure access to mail
  • Encrypted sending/receiving
• 6: Protection of data during storage
  • Password encryption
  • On-disk encryption
• 7: Physical security
  • Physical data centre security
• 8: Event logging
  • Tracking and logging staff access
  • Viewing who logged into your account
• 9: Secure configuration of our software and systems
  • We only allow necessary communications
  • Content security policy
  • We keep track of software updates
• 10: Embedded privacy controls by default
  • Image loading
  • Privacy controls
• 11: Internal information security control and processes
  • Staff access to your data
• 12: Vendor and third-party security
  • We use software systems that take security seriously
• 13: Ensuring data minimisation
  • Limited access to customer data
  • Data minimisation with third parties
• 14: Ensuring data quality
  • Updating your personal information
  • Data integrity
• 15: Ensuring limited data retention
  • Destruction of customer data
  • Destruction of system logs
  • Destruction of deleted emails, contacts, and calendars
  • Destruction of backup and search index data
  • Destruction of data after account closure
• 16: Ensuring accountability
  • Internal policies
  • Vendor contracts
• 17: Allowing data portability and ensuring erasure
  • Self-service data export
  • Self Service Account Closure
• 18: Data transfer to third parties
  • Transfer of confidential data with third parties
  • Onward Transfer
• 19: Additional information for Fastmail users
  • Limitations to email encryption

We have a great responsibility at Fastmail to keep your email and personal information secure.

We continually review our policies and processes, and take new measures wherever possible to further secure your data. On this page, we list some of the things we do to maintain not just the confidentiality, but also the availability and integrity of your data.

1: Pseudonymisation and encryption of Personal Data

Customer data

We know that email is free-form and could contain all kinds of information about our customers and other people they correspond with, including data of the most confidential sort. Due to the nature of our business (hosting, receiving and sending free-form emails), our systems process large amounts of data that is potentially highly confidential.

For this reason, we treat all Personal Data belonging to our customers (“your data”) as Customer Confidential, which is the highest level of protection within our data modelling and classification.

To provide the services we offer, it is necessary for our computer systems to process unencrypted and unobfuscated data (for example: to build the search indexes which allow fast message retrieval, or to push alarm notifications for calendar events). This document details technical and organisational security controls in place to secure your data.

Encryption Key Management

Encryption keys are long and extremely complex passwords, created in software that we use to encrypt storage, backups and other systems at Fastmail.

Keys used within Fastmail systems are reliably managed, securely generated, securely stored, and revoked, and rotated if ever thought to be compromised.

All encryption keys are retained solely under the control of Fastmail, which means that even if access to encrypted data were to occur, without access to our encryption keys, it would be unreadable.

2: Backup and restoring Personal Data

Customer data and internal system backups

Fastmail not only backups and encrypts your data at rest, but backup our own system to ensure that if the event of a system failure, we can restore all the systems that allow you to access your data.

Backup verification

Backing up your data is only useful if that backup can be restored. Fastmail verify backups using integrity checks that ensure the data backed up is readable and is exactly the same as the data in your inbox.

Backup and disaster recovery testing

As well as testing the recovery processes for customer data, Fastmail internal systems span across numerous components. Each one of these components and systems undergo a range of different recovery tests, and disaster recovery scenarios. These ongoing processes across our platform reduces the chance that any single outage will stop you from accessing your data.

3: Testing, assessing and evaluating our security

Bug bounty

We run a tight ship, but we’re only human and humans can make mistakes. That’s why we run a bug bounty program to encourage responsible disclosure of security issues and to reward security researchers who take the time to help us keep Fastmail safe.

External and Internal Audit

Fastmail undergoes external audits by vendors, including penetration tests against our systems to ensure that we meet or exceed industry standards.

Our internal staff are always testing and improving the security at Fastmail, which is a never-ending process. The continuous improvement of our software and system is the responsibility of all Fastmail staff.

4: User identification and authorisation

Secure authentication systems

Fastmail enforce username and password authentication, and highly recommend Two Factor Authentication (2FA). We also support advanced authentication methods such as U2F or YubiKey OTP, with allow you to log on using a secure USB device, as well as supporting SMS account recovery methods.

Fastmail help pages include a password security page, and a two factor authentication page to ensure that you can select an authentication method appropriate for you.

User identification processes

Fastmail has both detailed policies and processes in place to verify our users. These include the existing authentication processes used when you access your mail, as well as additional verification processes. We require internal escalation to senior staff that ensure we do not interact with unverified individuals until we are absolutely certain that they are, in fact, who they claim to be. These processes are reinforced with both information security and privacy training.

Remote logout

Fastmail provides you with a remote logout feature, which allows you to log out of device that was used to access your email. It may be a lost or misplaced device, a computer at an internet café, library, or a friend’s house.

This ensures you have complete control over all devices that can access your data.

5: Protection of data during transmission

Secure access to mail

We mandate all connections to our servers use Transport Layer Security (TLS) and Secure Sockets Layer (SSL) encryption, for all email client connections including webmail, the Fastmail official app, and IMAP/POP/SMTP email client access. This prevents eavesdropping, tampering, and message forgery on any communication between your computer or phone and our servers.

We have full support for Perfect Forward Secrecy (PFS) with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. All connections in supporting browsers have been protected by PFS since July 2012.

A Strict Transport Security header is sent with all of our webpages. This tells all modern browsers to only connect to us over an encrypted connection, even if you have a bookmark, click a link or type a URL to an unencrypted page at our site.

Encrypted sending/receiving

Whenever you send a message to someone outside of Fastmail we have to send it across the open internet. Since January 2010 we have fully encrypted all connections between us and the receiving server whenever the other server supports it, preventing passive eavesdropping, tampering or forgery. Similarly, we have accepted encrypted connections for mail delivery to our servers since April 2009, and we encourage all servers connecting to us to use it.

6: Protection of data during storage

Password encryption

Where you are using a password to access our systems, we store that password in a non-reversible encryption scheme using current best practices.

Where we are storing a password used to access other systems on your behalf (for example, POP links and calendar links) the password is stored with reversible encryption using a key that is stored separately from the encrypted data. These are stored in Hardware Security Modules (HSM), specialist dedicated hardware designed specifically for the secure storage of encrypted data.

On-disk encryption

All your data is stored on encrypted disk volumes, including backups. We believe this level of protection strikes the correct balance between confidentiality and availability.

At this stage, some system log data (which could contain personal information) is temporarily stored on un-encrypted disks on individual servers, however, we have a plan to bring encryption to all system logging as well.

7: Physical security

Physical data centre security

Our main servers are located at 365 Data Centers in Bridgewater, New Jersey, USA. Their facility is a high-security, video-monitored location with backup power, air conditioning, fire systems, 24x7x365 monitoring, and onsite technical support.

365 does a whole lot more to ensure security, including their hardware, best-practices, and routines. You can read all about them on their homepage.

Our secondary site in Seattle has equivalent physical security.

We use “remote hands” staff from the data centres to perform routine maintenance on our servers (e.g., replacing hard disks or installing new machines), however they do not have logins, encryption keys, or the ability to access your data.

Our data centre vendors provide us with power, cooling, and network links (public internet) but do not manage or have permitted access to our internal network between servers. All public internet-facing machines have a firewall.

All data transfer between our datacentres is over an encrypted VPN (virtual private network) managed by us.

8: Event logging

Tracking and logging staff access

While Fastmail staff may need to access your data when providing support that you have requested, on top of the obfuscation controls to ensure that staff view only the least possible amount of data to do their jobs, all access by staff across all system are logged.

Access to core systems by administrators, which includes direct access to customer data, is also strictly logged and audited, to ensure that access to systems that store and process your data is highly restricted.

Viewing who logged into your account

Fastmail allows you to view details around the most recent access into your account. You can see how your account was accessed, successful and failed attempts, time and date, as well as technical details such as the IP address and the device or verification method used.

This allows you to take appropriate measures should you believe someone is trying to gain access into your account.

9: Secure configuration of our software and systems

We only allow necessary communications

Many unexpected forms of attack come from failing to close potential vulnerabilities, including database port access, SSH port access, and so forth. We use kernel-level firewalling to only allo connections to the services provided by each machine.

Content security policy

Within our web interface we set a Content Security Policy header, which ensures that only scripts we’ve written can be run. This means that a potentially malicious email that somehow managed to slip through our filters would still not be able to do anything dangerous.

We use isolated domains to separate out untrusted content from the pages we generate. For example, when you open an attachment, it opens at fastmailusercontent.com rather than fastmail.com. Thanks to browser cross-origin security restrictions, this means that a rogue attachment can never access any of your data.

Similarly, user websites are hosted on subdomains of user.fm, keeping them isolated from our site as well.

We keep track of software updates

Software contains bugs. We track the software we use and any security vulnerabilities, and upgrade as soon as an issue is reported.

10: Embedded privacy controls by default

Image loading

When accessing your email through our web interface, we protect your privacy by fetching all referenced images through our servers. This prevents the owner of the image from being sent additional information about you such as your internet address (which reveals your rough location), browser information, and sometimes even tracking cookies.

Privacy controls

You have choices regarding the information we collect and how it’s used. You can review and adjust privacy settings in your account. Some of our products offer specific privacy settings. For example, you can manage your contact information, such as your name, email address, and phone number. You can also delete certain information, or your entire Fastmail account should you wish to do so.

11: Internal information security control and processes

Staff access to your data

We limit staff access to customer data as stringently as their roles allow, strongly adhering to the principles of both least privilege, and need to know.

Due to the nature of their jobs, it is necessary for our operations staff to have access to the systems where customer data is processed. The staff who do require access to production servers for their jobs are aware of their responsibility to protect the confidentiality of your data, and only access that data where it’s required either to provide customer support or for operational necessity.

Our systems are designed to allow our support and operational staff to perform their duties without being exposed to your data: where possible, obfuscated data is presented (like to debug display problems). Your explicit consent is sought if viewing unobfuscated data is necessary to solve customer service issues.

Due to the nature of their jobs, it may be necessary for our security and fraud staff to have access to deobfuscated customer data or other personal information.

Sometimes we anonymize your information, for example creating a test case that reproduces a bug found with your data, by making a case that will trigger the same bug without containing any confidential or personally identifying information. When performing business analytics (how customers use our service) we only work with anonymised or unidentifiable data.

12: Vendor and third-party security

We use software systems that take security seriously

We use Debian and Joyent SmartOS as our operating systems because they both take their security responsibilities and updates seriously. In most cases, an update for a security problem will be available within hours of the original report.

13: Ensuring data minimisation

Limited access to customer data

Fastmail actively develops polices, processes, and technical solutions that limit the exposure of customer data to our staff. We take steps to ensure that only the data relevant to the issue at hand is exposed to our staff, and even then, access is logged.

Data minimisation with third parties

When Fastmail uses a third party to provide services, if not completely encrypted or anonymized, the minimal amount of data is provided, and where possible this includes not disclosing any personal information if is not required to provide a service. For example, when we use bug tracking or support software, we only record information required to address a support issue.

14: Ensuring data quality

Updating your personal information

The personal information attached to your account can be updated at any time. We provide tools via the portal that ensure that your Personal Data is up to date, and accurate.

Data integrity

One benefit of encryption, both at Fastmail and in general, is that it not only secures your data but also ensures that data has not been tampered with. As a result of the encryption used to transmit, store, and back up your data, we ensure your data is not tampered with or modified, and that its integrity is protected.

15: Ensuring limited data retention

Destruction of customer data

Some of the features of our products are designed specifically around not losing data, so as long as you want us to retain your data, it is replicated to multiple systems and backed up with encryption.

When you request destruction of your data by deleting specific items or closing your account, the data is removed in a time-delayed manner. This both allows you to change your mind (undo, or restore from backup), and allows for the possibility that if your account is compromised and the attacker tries to delete everything, we can recover your data.

We also collect some data which is personally identifiable as a side effect of the system monitoring and logging which we require for our operational stability. This is not permanently recorded.

Destruction of system logs

System logs are retained for 180 days before being deleted. We have a legitimate interest in having those logs available both to ensure the reliable operation of our systems, and to provide evidence of activity when users report unexpected states in their account.

Destruction of deleted emails, contacts, and calendars

Emails, contacts, calendars, and other Personal Data including notes that have been deleted in Fastmail or Pobox Mailstore are kept on disk for self-service restore for between 7 and 14 days after deletion.

Destruction of backup and search index data

The backup copies of email and search indexes are pruned on an “as-needed” basis based on the ratio of space that would be saved by re-compacting them. At the moment there is no guarantee that a particular message will be purged on a timeline, however our support can perform an immediate prune for a particular account on request.

Destruction of data after account closure

After an account is terminated, data and backups are purged within a timeframe of between 37 days to 1 year after closure depending on how long the account was active for, and whether the account was explicitly closed or lapsed due to lack of payment.

16: Ensuring accountability

Internal policies

Fastmail develops, internally distributes, and adheres to internal policies with clear allocation of responsibilities, and enforce all the security measures detailed within this document.

Vendor contracts

Fastmail holds our vendors accountable by ensuring they commit to the same level of security and privacy that we do though contracts and Data Protection Agreements.

17: Allowing data portability and ensuring erasure

Self-service data export

Fastmail ensures data portability through the ability to download and export a copy of all of your data and content in your Fastmail account if you want to back it up or use it with a service outside of Fastmail.

Self Service Account Closure

Fastmail allows users to erase their data through self-service account closure. This will remove your account as well as any backups of your account.

18: Data transfer to third parties

Transfer of confidential data with third parties

Fastmail’s value proposition is “service in exchange for money”. We don’t ever sell or monetize confidential data, or aggregate customer data.

As part of our commitment to open source, we do sometimes share statistical data (for example the average size of emails, or the percentage of email traffic which is encrypted or written in particular languages) which is useful in the broader email community to help drive software design.

We also share reports of spam, including spam false positives and false negatives with our partner organisations who provide us with spam prevention feeds.

We use third-party hosted services for bug tracking, support, exception alerting, and communications. While we don’t send bulk data through any of these services, small pieces of your data may wind up in core dumps, in support ticket updates, inside bug descriptions (we obfuscate where possible, but sometimes the raw data is needed) or in chat messages where colleagues work together to solve problems.

Onward Transfer

Onward transfer, simply put, is passing on data entrusted to us.

While Fastmail always notifies our users of services that may receive your data, even in those cases Fastmail will not engage in any onward transfer, or suspend ongoing transfers, unless those parties can demonstrate the same level of protection of your Personal Data that we provide.

We make sure that these third parties give us more than their word, and these protections are typically enforced by contracts, which may also include Data Protection Agreements (DPAs), so you can be assured that we will never transfer as aspect of your data to anyone who does not take your privacy as seriously as we do.

19: Additional information for Fastmail users

Limitations to email encryption

While communication between your computer and our servers is encrypted, any email that you send to another server may have to pass over the internet in an unencrypted form if the destination server doesn’t accept encrypted communications. (We encrypt it wherever possible).

The only way to ensure end-to-end security with email is to use email encryption software such as Pretty Good Privacy (PGP) or Secure/Multipurpose Internet mail Extensions (S/MIME). Both of these systems require the creation of certificates, run on your computer, and are attached to your email client to encrypt/decrypt messages.

Providing secure end-to-end encryption via webmail is impossible. There are basically two options, both flawed:

1. Keep a private key on the server and encrypt email on the server

Although all traffic between the server and client may be encrypted via TLS, and then the email itself is encrypted on the server before being sent to the world, the unencrypted email is still available on the server between the TLS and encryption stages.

2. Use Java or JavaScript to encrypt email in the browser

This method can’t prevent someone using malicious scripts to send encrypted messages back to the server, as well as the encryption key, for the server to decrypt.

Since the JavaScript client is sourced from our servers, any in-browser code has the same security profile as code running on our servers.