This document is the starting point for investigating any IT security concerns when using SecureMailMerge.
Summary
It's important to note that SecureMailMerge works completely on your computer. The permissions you grant to SecureMailMerge are only used on your computer and never transferred to any server for processing.
The only server we operate for SecureMailMerge is used to check whether you have purchased a commercial license. For this check we send your own email address (that of the user of SecureMailMerge) to our server. We store the email address of the licensed user (i.e. your own) on that server for as long as you have an active license. No email addresses (or any other data) from your campaigns are ever sent to our servers.
Introduction
SecureMailMerge was designed to allow for a minimal trust operation. This means the plugin was implemented in such a way that all primary functionality is provided on the user's computer without the need for processing on a server. This allows the security tokens necessary for interacting with the user's Microsoft 365 account to only ever be transmitted between the user's computer and Microsoft's servers but never sent to any other servers.
The only server-side component involved is our licensing server, which provides license checking and license purchasing. Access is granted through your Microsoft 365 account with only the minimum set of permissions necessary to verify your identity. No confidential payment data is stored on our servers; it is stored only on the servers of the payment provider you choose at checkout. Only your email address and transaction identifiers are stored on our servers.
We have published the necessary minimal firewall requirements to allow SecureMailMerge to communicate with our licensing server. All other communication between the plugin and any of our other servers can be restricted.
We have also provided a Publisher Attestation for SecureMailMerge with Microsoft.
Operating Environment / Hosting
The SecureMailMerge infrastructure is split into two areas. The website and plugin are statically deployed and do not store any user data. The licensing server stores user licensing information.
SecureMailMerge is a Microsoft 365 Add-In for Outlook using the Modern Web Add-In Architecture. This means plugins run in a sandboxed browser environment within the Outlook host (Windows, Web or Mac).
Access to Microsoft 365 data is provided through the Microsoft Graph API which each user has to consent to. The token to access this data is stored securely on your computer and only ever transmitted to Microsoft Graph servers, but never to any other (and specifically never to any of our) servers.
For all services used to host the SecureMailMerge infrastructure mentioned in this section, 2FA (Two-Factor Authentication) is enabled on all production accounts.
Website and Plugin
The website and plugin are hosted securely and globally by Vercel, a SOC 2 Type 2 and ISO 27001 certified company. Our assets are deployed to Vercel as static sites and no customer data is stored on Vercel's servers.
Vulnerability scanning and patch management of the hosting environment is provided by Vercel.
Vercel's security documentation can be found here.
Licensing Server
The licensing server is hosted on European servers in Microsoft Azure data centers (the same ones Microsoft 365 uses). Microsoft 365 Authentication is used to grant access to this server to our staff.
Vulnerability scanning and patch management of the hosting environment is provided by Microsoft. Your licensing data is stored on database services managed by Microsoft to the highest industry standards. We have a point-in-time and long-term backup strategy in order to recover any licensing data if required. All our databases are encrypted at rest. Direct access to production and to the database (including any security tokens) is restricted to the managing director only.
Microsoft's data center security documentation can be found here.
Source Code
Our source code is held in a private repository on GitHub. Access to the repository and the right to deploy code are granted only to the lead developer.
GitHub's security documentation can be found here.
Payments
Payments are provided through two Merchant of Record Resellers depending on your choice at checkout: Paddle and Microsoft 365 (Appsource).
Paddle's security documentation can be found here.
Microsoft 365's security documentation can be found here.
Staff, Development and Customer Support
Only our lead developer has access to our source code and hosting environment; the lead developer has multiple years of experience in the IT security industry and in secure software development.
All developers employ OWASP secure software lifecycle best practices (including security-by-design, deny-by-default and basic threat modelling). No production data is ever used in a non-production environment. Our lead developer approves all code changes that go into production.
No member of staff has access to your campaign data or your Microsoft 365 account security tokens. This information is never transmitted to our servers.
Members of staff providing customer support have access only to the information you provide to them. This information is held confidentially and securely in our helpdesk system (Help Scout) and is never shared with any other third parties.
Documents
We provide a number of more detailed documents on specific topics: