Trust center
Security & compliance trust center
Evidence-backed architecture for PE, VC, hedge funds, and compliance officers — designed for diligence, not slogans.
Self-serve vs Enterprise program
Professional and Team are fully self-serve on this site. Enterprise covers regulated rollouts that need a dedicated compliance workspace and contractual scope.
Professional & Team (self-serve)
- Privacy gateway, Secure Share, and Shield AI on Pro
- Team collaboration sidebar — Assigned to me / Assigned by me on Team
- Mail assignment, shared drafts, and composer approval on Team
- 2FA, session-gated API, and rate limits on all plans
Enterprise program (email inquiry)
- Compliance Officer workspace with CSV export
- Legal Hold and immutable hash-chain verification
- BYO Key — Azure OpenAI / Gemini (no platform AI cap)
- Dedicated vendor diligence support for Enterprise contracts
For 50+ seats, Legal Hold programs, or regulated institution rollouts: Enterprise inquiry
Data residency & entity isolation
Shanghai R&D holds engineering assets and source repositories. Hong Kong offshore entity operates commercial contracts and customer-facing support. Production data and physical servers are hosted in a US Virginia compliant datacenter.
- The Shanghai R&D entity holds engineering assets only; R&D environments do not store production database credentials, HttpOnly session secrets, or IMAP decryption keys. Access to US-hosted production infrastructure is limited to designated operational roles under least-privilege policy, MFA, and audit logging — routine engineering does not require production mailbox access.
- Data processing is designed for dual jurisdictional alignment: US CCPA and Hong Kong PDPO (Personal Data Privacy Ordinance) obligations.
- Mail bodies remain on Dovecot IMAP; the Finmail database stores index metadata and compliance artifacts only — bodies are not persisted as the system of record in SQL.
Immutable compliance audit chain
On Enterprise, the Compliance Officer workspace records material mail actions — open, download, forward, secure-link send — into an append-only audit log. Team and Pro log key events (reads, secure links) for operational review; the full console and Legal Hold require the Enterprise program.
Each entry receives a monotonic sequence number (assigned only on the server), a link to the previous hash, and an entry hash computed with SHA-256 over canonical row data. Concurrent writes retry safely on conflict.
Platform administrators cannot alter history without breaking chain verification. Damaged chains are repaired only through a controlled, audited repair procedure — never silent edits.
Technical diagram (text)
compliance_audit_logs (append-only) ┌─────────┬──────────────┬──────────────────────────────────────┐ │ seq (n) │ previousHash │ entryHash = SHA-256( canonical row ) │ ├─────────┼──────────────┼──────────────────────────────────────┤ │ 1 │ (genesis) │ H₁ │ │ 2 │ H₁ │ H₂ = f(row₂ ∥ H₁) │ │ 3 │ H₂ │ H₃ = f(row₃ ∥ H₂) │ │ … │ … │ tamper → verifyAuditLogChain FAIL │ └─────────┴──────────────┴──────────────────────────────────────┘ • sequence: BIGINT, strictly monotonic (server-only assignment) • Actions: read, download, forward, mail.send.secure_link, … • Client may verify; cannot forge chain head or rewrite history
Privacy gateway & Shield aliases
The Privacy Enhancement Gateway reduces metadata leakage on outbound and inbound paths:
- Header scrubbing removes sensitive MIME headers (client IP traces, device fingerprints, unnecessary Received hops) before relay.
- Read-mode HTML sanitization blocks passive tracking pixels where configured, with blocked events counted for review.
- Shield shadow aliases let outbound mail send from a relay address, masking the analyst's real address from external recipients while preserving deliverability.
HttpOnly session & encrypted Vault
Mail bodies are not stored in the SQL database. At login, your mailbox password is sealed in HttpOnly session cookies and decrypted only in-process for IMAP and SMTP — never exposed to the browser or reused as plaintext in user profile fields.
Cross-device preferences and encrypted mail cache snapshots upload as Vault ciphertext. Keys are derived from your local master password; Finmail servers store only encrypted blobs — no platform-side decryption.
AI processing & egress controls
When AI features are enabled (summaries, Ask Finmail, pre-send checks):
- Processing is scoped to provide the Service for the authenticated account only.
- External AI egress may apply PII masking per tenant settings.
- Finmail does not use mailbox content to train or improve generalized LLMs.
- Usage is metered via ai_usage_logs with monthly quotas and daily safety valves.
Customers must independently verify AI outputs before regulatory or tax filings.
Transport authentication & Edge boundary
Gateway features complement — but do not replace — MTA-grade TLS and identity authentication:
- SPF, DKIM, and DMARC alignment for institutional deliverability — outcomes from real RFC822 headers, not placeholder badges.
- Dovecot IMAP and Postfix SMTP with TLS-required transport on production paths.
- Edge proxy (proxy.ts) performs JWT/Cookie gating only — no database or IMAP connections in Edge Runtime.
- Corporate domain onboarding generates tenant DKIM keys with guided MX/SPF/DMARC DNS setup.
Attachment security
Inbound attachments pass production scanning and sandbox controls before preview:
- ClamAV integration for malware scanning with scheduled scan jobs on upload.
- Sandbox preview and redaction gates before inline display of untrusted content.
- Link Shield and spoof detection warn on suspicious URLs and sender identity mismatches.
- Outbound DLP scanning on sensitive content before send.
Innovation & intellectual property
Finmail holds granted patents in the United States and Japan. Marketing and product pages reference the US grant; the full portfolio is listed here for diligence reviewers.
Patent specifications describe email-native value transfer and remittance-mail cluster systems among other innovations. Not every claim maps to a shipped Finmail Webmail feature — for example, Pay-To remittance is not offered today. Inbox indexing, privacy gateway, and team workflows on this page reflect the current product, not the full patent scope.
| Patent | Jurisdiction | Granted | Summary |
|---|---|---|---|
| US12542755B2 | United States | February 3, 2026 | Email-based value transfer and remittance-mail cluster system — payment address inquiry via e-mail servers, SMTP/DNS, and cross-domain remittance operations. View on Google Patents |
| JP7308496B2 | Japan | July 14, 2023 | Earlier family filing for secure digital communication in email-native workflows (cited as prior art in the US grant). View on Google Patents |
Security & transport controls
Finmail does not yet publish a SOC 2 Type II attestation report. Engineering aligns with a Trust Services Criteria roadmap for future Enterprise rollouts. Implemented controls on production paths include:
- Append-only compliance audit and archive policy
- Mandatory 2FA (TOTP and backup codes)
- Authenticated API access for all mail and settings routes
- Rate limits on sign-in and sensitive routes
- TLS-required SMTP and Postfix transport encryption
- Documented audit log repair runbook
- PII masking on external AI requests
- Secure Share burn-after-read with watermark
Operational transparency · Live system status
Architecture evidence on this page describes how Finmail is designed. The public status dashboard reports live production probes — Dovecot IMAP, Postfix SMTP, AI platform health, and the privacy relay — with 90-day uptime history and incident disclosures.
Subscribe on the status page for P1 incident and maintenance notifications. Probes do not call mail or compliance APIs.
View live system status →Download the Finmail security whitepaper
Architecture deep-dive — data residency, audit chain, privacy gateway relay, and AI egress controls.
Further reading
Architecture evidence on this page complements operational guides and product updates:
