We take the security of our users' data very seriously. As such, we want to make you aware of some of the measures we take to secure your project, account, and credit card data.
Credit Card Data
Your credit card data is protected both during transmission from your computer to our servers, and while saved on the server. Credit card data is sent over a PCI-compliant encrypted connection to our servers (TLS 1.2, strong cipher suites only, perfect forward secrecy enabled), which are housed in a secure, monitored data center facility with restricted physical access. You can inspect the SSL/TLS server certificate at any time by choosing Direct Mail > Direct Mail Account from the menu bar and clicking the lock icon that appears in the top-right corner of the window.
Your credit card data is never saved on our servers. In fact, cardholder data is not saved on any servers connected to the Internet. e3 Software uses Braintree, Inc. to process and store credit card data. Braintree is a validated Level 1 PCI DSS compliant service provider with strict privacy and security controls. Monthly subscription billing and the "Remember my card for next time" feature in Direct Mail are facilitated by the use of credit card tokens, which reveal no information about the cardholder or card itself.
The Direct Mail application itself stores no credit card data locally on your machine.
Versions of Direct Mail downloaded from the Mac App Store do not request, transmit, or store credit card data. All payment transactions are handled by the App Store.
If you have not moved your Direct Mail project into the cloud, then data relating to your messages, mailing lists, campaign reports, etc. is stored locally on your Mac (or wherever you have saved the project file). This means that the security of your project data is primarily up to you. If you are concerned about unauthorized access to your Mac, we recommend choosing a strong password for your macOS account, disabling automatic login, and enabling the FileVault features in macOS.
If your Direct Mail project has been moved to the cloud, then all data relating to your project is stored securely on servers controlled by e3 Software. All communication between your Mac and our servers is always encrypted using HTTPS (TLS 1.2, strong cipher suites only, perfect forward secrecy enabled). e3 Software servers are physically located in a secure, monitored data center facility with restricted physical access. Data backups are performed continuously.
When you sync a Direct Mail project saved in the cloud to your Mac, a copy of that project is saved to your Mac for better performance and offline access (in ~/Library/Application Support/Direct Mail/Cloud or ~/Library/Containers/com.ernieware.directmail/Data/Library/Application Support/Direct Mail/Cloud). The copy on your Mac is deleted when you sign out of your Direct Mail account, or when the owner of the project stops sharing it with you.
If you use e3 Delivery Service, email tracking features, design tests, or subscribe forms, then data related to each of these services is transmitted between our servers and your Mac over an encrypted connection.
All account settings (including your password) are sent over an encrypted connection (see the Credit Cards section above for details). You can inspect the SSL/TLS server certificate at any time by choosing Direct Mail > Direct Mail Account from the menu bar and clicking the lock icon that appears in the top-right corner of the window.
A bcrypt hash of your password is stored on our servers for authentication purposes. Using a hash of your password lets us check whether the password you entered is correct without storing your original password at all. If you forget your password, we cannot retrieve it; instead, we will reset it to something new. Your passwords are never saved on our servers.
When you sign in to Direct Mail, you have the option of remembering your password in your keychain. If you use this option, your password will be encrypted and stored locally on your Mac (i.e. it will not be sent to our servers). You can use the Keychain Access application (in the Applications > Utilities folder) to view, edit, or delete your saved passwords.
If you think you have discovered a security vulnerability in Direct Mail, please email firstname.lastname@example.org using our PGP public key. Note that this email address is only for security issues. Please visit our support page for general issues.