We take the security of our user's data very seriously. As such, we want to make you aware of some of the measures we take to secure your project, account, and credit card data.
Project Data
All of your messages, mailing lists, and campaign reports are stored locally on your Mac. As such, the security of this data is up to you. If you are concerned about unauthorized access to your Mac, we recommend turning off Mac OS X's File Sharing feature and enabling FileVault.
If you use e3 Delivery Service, email tracking features, or subscribe forms, then data related to each of these services is transmitted between our servers and your Mac over a secure connection (TLS 1.0 with a 4096-bit RSA key and 256-bit cipher suite). Our web service and email servers are housed in various data centers across the United States, each of which employ physical security measures and 24/7 monitoring. All e3 Delivery Service, email tracking, and subscribe form data is regularly backed up in case of loss or corruption.
Credit Card Data
Your credit card data is protected both during transmission from your computer to our servers, and while saved on the server. Credit card data is sent over a PCI-compliant encrypted connection to our servers (TLS 1.0 with a 4096-bit RSA key and a 256-bit cipher suite), which are housed in a secure, monitored data center facility with restricted physical access. You can inspect the SSL/TLS server certificate at any time by choosing Direct Mail > Direct Mail Account from the menu bar and clicking the lock icon that appears in the top-right corner of the window.
Your credit card data is never saved on our servers. In fact, cardholder data is not saved on any servers connected to the Internet. e3 Software uses Braintree, Inc. to process and store credit card data. Braintree is a validated Level 1 PCI DSS compliant service provider with strict privacy and security controls. Monthly subscription billing and the "Remember my card for next time" feature in Direct Mail are facilitated by the use of credit card tokens, which reveal no information about the cardholder or card itself.
The Direct Mail application itself stores no credit card data locally on your machine.
Versions of Direct Mail downloaded from the Mac App Store do not request, transmit, or store credit card data. All transactions are handled by the operating system via the App Store.
Account Data
All account settings (including your password) are sent over an encrypted connection (see the Credit Cards section above for details). You can inspect the SSL/TLS server certificate at any time by choosing Direct Mail > Direct Mail Account from the menu bar and clicking the lock icon that appears in the top-right corner of the window.
A salted hash of your password is stored on our servers for authentication purposes. Using a hash of your password allows us to know if the password you entered is correct or not without actually storing your original password at all. If you forget your password, we cannot retrieve it, but instead will reset it to something new. Passwords are never saved (plain text or encrypted).
Reporting Issues
If you think you have discovered a security vulnerability in Direct Mail, please email security@e3software.com using our PGP public key. Note that this email address is only for security issues. Please visit our support page for general issues.