How we keep your mail private — and what we'd do if asked to hand it over

What we protect, in plain terms

Email is fundamentally a 1980s protocol grafted onto the modern internet. Some parts of a message can be encrypted in ways that even we can't read; other parts (subjects, recipients, timing) can't, because the email system itself needs them in cleartext to route. We're honest about which parts are which.

Encrypted so even we can't read it

• Mailbox storage. Every message in your account is encrypted at rest with AES-256-GCM using a key derived from your password. We don't store your password, only an Argon2id hash. Without your sign-in, nobody — including us — can decrypt your mail.
• Mailcedar-to-Mailcedar mail. If both ends are Mailcedar accounts, the message body, attachments, and subject are encrypted in transit between our servers and at rest on both sides.
• OpenPGP. Optional and supported for mail to or from any other provider. Bring your own keys; we never see the private half.

Visible to us if we look hard, and to anyone with a court order

• The fact that an account named jordan.lee@mailcedar.com exists.
• Account login times and the IP addresses you signed in from (kept 7 days then erased).
• SMTP envelope metadata for mail in flight — sender, recipient, timestamp.
• Subject lines and sender/recipient addresses of mail sent to or from non-Mailcedar accounts, because that mail traverses the broader internet in cleartext to/from the other provider.

We never store

• Plaintext passwords.
• Recovery questions or anything you can social-engineer.
• Marketing or behavior data. We don't track which messages you opened, when you clicked things, or what you searched for.

Where the servers live

Mailcedar runs on bare-metal servers we own and rack ourselves, hosted by iWeb in Montréal, Québec. We chose Canadian data centres specifically because Canadian privacy law (PIPEDA) is reasonably consumer-protective and the data stays under one jurisdiction.

We don't use Amazon, Google, or Microsoft for the mail path. That means we're slower than them at adopting fancy ML features and faster at fixing things ourselves when they break.

Standards we implement

SPF, DKIM, DMARC	Required for inbound; configured for all outbound. DMARC reports published quarterly.
MTA-STS & TLS-RPT	Both published; our policies are enforce.
DANE TLSA	Published for inbound MX.
TLS	1.3 preferred, 1.2 minimum. ECDSA P-256 + RSA-2048 dual-stack.
WebAuthn / FIDO2	Supported for sign-in and step-up.
OpenPGP	Web Key Directory publishing. PGP key discovery for outbound.
JMAP	Read-only public API. Modern alternative to IMAP for developers.

Independent review

We engage Cure53 for an annual web app and protocol audit. The most recent report (October 2025) is available to enterprise customers under NDA. Summary findings are published as a blog post six weeks after each audit cycle.

We don't claim SOC 2 because we don't believe a certificate from a paid auditor tells you what you actually want to know about a small mail company. We'd rather you read the audit reports.

Government requests

We comply with valid Canadian legal process. We push back on overbroad orders, gag orders that prevent notifying you, and any request from a foreign jurisdiction that doesn't come through MLAT.

Our position:

• We do not voluntarily share customer data with any party.
• We notify affected users of legal requests as soon as we're legally permitted to.
• We publish a transparency report in January and July each year, with the number of requests received, the number we complied with, and the categories of data turned over.
• If we are ever compelled to silently install a wiretap on a specific account, we will close the company instead. This is sometimes called a "warrant canary" — see below.

Warrant canary

As of the most recent quarterly statement (signed and timestamped on April 1, 2026), Mailcedar has not:

• Received any National Security Letter under the Canadian CSIS Act or equivalent.
• Received any FISA warrant from any U.S. authority.
• Been compelled to install backdoor access, bulk surveillance, or persistent monitoring on any customer account.
• Handed over any encryption keys to any agency.

The next signed canary is published on July 1, 2026. The PGP-signed statement and our public key live at /canary.txt on this domain.

Found a security bug?

Email security@mailcedar.com with details. PGP key at /security-pgp.asc. We respond within two business days. Bounty range $200–$15,000 depending on severity; we publish our scope and out-of-scope list at /.well-known/security.txt.

Account closure and data deletion

If you close your account, we permanently delete all your mail within 30 days. Backups age out within 60 more days. After 90 days from closure there is nothing left of your account on our systems — not the username, not the metadata, not the encrypted blobs. We tested this. We can prove it.