This document summarizes Mailjet's security policies and practices. It covers their data security architecture, including data encryption and privacy policies. It also discusses user authentication and access management for their web interface and API. The document outlines their secure development processes, technical infrastructure including hosting partners, and security monitoring. It provides an overview of Mailjet's security policies covering compliance, risk assessment, and access controls. It also discusses business continuity practices.

1. Mailjet Security
Speaker
Speaker

2. 01
02
03
Agenda
Application Security And
Architecture
Security Policy
Incident Supervision And Management
Premium SLA
04

3. Application
Security And
Architecture
01

4. Data Security Is Key For Email Sending01
Data Location
All Mailjet’s customer data is stored in Data Centers based within Europe (OVH in France, Google Cloud
Platform in Belgium), under European Directive 95/46/CE.
Data Storage
All data is copied in three nodes and backups are stored in separated Data Centers.
Data Encryption
• Data is natively encrypted in Google Cloud Platform.
• TLS connexion is used to send emails.
• Passwords are hashed and salted.
Data Privacy
Mailjet considers the privacy of its customers’ personal data with the utmost importance. For more
information, Public Privacy Policy: https://www.mailjet.com/privacy-policy.
4

5. Mailjet Access And Account Management01
User Authentication
Mailjet Web Interface:
• Authentication by login and password.
• Connections for the same IP or the same email locked after 5 attempts.
Mailjet API:
Authentication with an API key (username) and a API secret key (password).
API Key Management
• Possibility to create sub-API keys under a master API key.
• Allow to separate mailings across different API keys.
• Managed by administrators.
User Right Management
• Possibility to share access to an account.
• Access sharing can be limited to specific API keys and specific pages.
• Autonomy in the creation and deletion of shared accounts (managed by administrators).
5
Example of use:
Sub-API Key 1
Team 1
…
Team …
Sub-API Key n
Team n
Master API Key

6. A Safe Development Process01
Security Oriented Development Methods
Development Team awareness on typical vulnerabilities (SQL or JavaScript injection…).
Security Oriented Quality Procedures
• Systematised code review including security checks.
• Quality assurance tests in pre-production environment for all developments.
• Non-regression tests after each production release.
Developer Access
• Developers can only access development environments.
• No customer data is stored on development environments.
Release Management
• Documented release management process.
• Record and validation of all production releases before their deployment.
• Dedicated release slots.
6

7. Technical Production Infrastructure01
High Availability Infrastructure
• Data Centers with redundant power systems and environmental controls to prevent failures.
• Redundant infrastructure (services are distributed in several Data Centers).
Backup
• Daily backups with a retention of 7 days.
• Weekly backups with a retention of 4 weeks.
Hosting
• OVH - France - Certified ISO 27001, SOC 1 type II / SOC 2 type II & PCI DSS Level 1.
• Google Cloud Platform - Belgium - Certified ISO 27001, ISO 27017, ISO 27018, and annual audits for
SSAE16 / ISAE 3402 Type II (SOC 2 et SOC 3), and PCI DSS V3.0.
7

8. Environment Security01
8

9. Security
Policy
02

10. Security Policy - Global Overview (1/2)02
Scope
Security Policy applies to Mailjet Information Systems hosted in:
• Google Cloud Platform.
• OVH Platform.
All resources needed to create, process, store, disseminate or destroy information are in the scope.
Lifecycle
• Design - definition of security procedures and standards.
• Implementation - deployment of security procedures and standards.
• Monitoring and Control - control panels for IS security, security audits, and management reviews.
• Evolution - improvement of security procedures and standards when needed.
10

11. Security Policy - Global Overview (2/2)02
Fundamental Principles
• Compliance with legal obligations.
• Assessment and treatment of security risks which may impact IT application resources.
• Protected, nominative and minimum access to Mailjet Information Systems.
• Professional use of Mailjet Information Systems.
• Monitoring and treatment of security incidents.
11

12. Human Resources And Organization02
Contracts And Charters
• Confidentiality and non-concurrence clauses in employees contracts.
• IT charter and rules of procedures.
Roles And Responsibilities
Clearly defined and identified roles and responsibilities for information security (ops team,
development teams, users, managers…).
A Secure Selection Of Third-Parties Contractors
• Mutual NDA between Mailjet and third-parties companies.
• Full background check and review of security practices before contracting with a new vendor.
12

13. Security Procedures And Standards02
Security Procedures
• Access management.
• Incident management.
• Security risk assessment and treatment.
• Security management of subcontractors.
Security Standards
Definition of security standards related to:
• Operating systems (access through SSH network protocol using PGP smartcards…).
• Workstations (sessions protected by an individual and confidential password, disks encrypted…).
• Databases (data copied in three nodes, daily and weekly backups…).
• Network (firewalls on all the machines that filter incoming network traffic…).
• Hosting (Data Centers secured using barbed-wire fencing, cameras, security staff…).
Note: Some of these procedures and standards are currently being formalized
13

14. Business Continuity02
Architecture Reliability
• All Mailjet services are distributed in several Data Centers.
• Automatic switchover in case of Data Center failure.
• Data Centers have:
1. Redundant power systems and generators to provide enough emergency electrical power.
2. Cooling systems to maintain constant operating temperature.
3. Fire detection systems.
Backup Strategy
• Daily and weekly backups to prevent loss of data.
• Retention of 7 days for daily backups and 4 weeks for weekly backups.
Disaster Recovery Plan
All employees can remotely access Mailjet applications and their documents (as Mailjet is using SaaS
Office Applications). All employees can work remotely to ensure the continuity of operations.
14

15. Incident
Supervision And
Management
03

16. Supervision And Alerting03
Supervision
• Monitoring of logs, statistics and alerts.
• Real-time collection in a centralized console.
• Use of dedicated tools:
- Zabbix for events.
- PagerDuty for alerts.
- Kibana/Logstash for logs.
Alerting
• Run of daily security audits related to platform’s configurations (accesses...).
• Alerts are sent when security threats are detected.
• Common Vulnerabilities Exposure (CVE) alerts are also followed.
16

17. Security Alert And Incident Management03
Security Incident Treatment
Security Alerts and Security Incidents are managed by our IT team:
• Analysis and diagnosis of the alert/incident.
• Identification of the corrective actions.
• Treatment of the alert/incident.
• Tests to confirm the resolution.
Customer Communication
• Mailjet Status Page - mailjet.statuspage.io
• Email or phone if needed.
17

18. Premium
SLA
04

19. Premium SLA04
* This table should be read as follows: No penalties as long as at least 99.9% of the transactional emails processed within the past month have been
processed in less than 1 minute.
** Please note that the opening hours for the English language Technical Support are 24/7.
19
Indicator Measurement Period Target Values
Tolerance or reliability
index*
Maximum handling time
for transactional emails
Monthly 1 minute 99.9 %
Availability of the platform Monthly
Admin Access 99.9 %
API 99.9 %
SMTP in 99.9 %
Response time for a
Critical Fault
Monthly 2 hours** 98 %
Response time for a
Semi-Critical Fault
Monthly 4 hours** 98 %
Response time for a
Non-Critical Fault
Monthly 8 hours** 98 %

20. Thank You
<< Contact Name >>
<<contact>>@mailjet.com
+x xxx xxx xxx
@mailjet