Security Overview

Last updated: 2025-01-24

Security is not an afterthought at TenguMail. We handle sensitive data — your emails, your credentials, your conversations — and we take that responsibility seriously. Here is how we protect your data.

Encryption

Data in transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3. We enforce HTTPS on all connections. Older, insecure protocols are disabled.

Data at rest

Sensitive data stored in our database is encrypted using AES-256-GCM. This includes:

  • Your email credentials (IMAP/SMTP passwords)
  • Your API keys for AI providers
  • Your storage credentials (S3, SFTP, OAuth tokens)
  • Webhook authentication secrets

Per-user encryption keys

Each user has a unique encryption salt. Your credentials are encrypted with a key derived specifically for your account using HKDF-SHA256 from that salt and a master key. This means that even someone with access to our database could not decrypt stored credentials without also obtaining the master key, and a key derived for one account cannot decrypt credentials belonging to another.

Passwords

Your TenguMail account password is never stored in plaintext. We store only a bcrypt hash with a cost factor of 12.

Infrastructure

  • Database: PostgreSQL with encrypted connections and daily automated backups stored in Cloud Storage (S3-compatible).
  • Queue: Redis with authentication required. Email processing data is transient — processed within seconds and then removed.
  • Hosting: We use reputable cloud providers with SOC 2 compliance.
  • Monitoring: We monitor for unusual activity and security events.

Access controls

  • Only authorized personnel can access production systems.
  • We use audit logging to track administrative actions.
  • Your data is accessible only to you (and our support team when you request help).
  • We implement browser fingerprinting to detect suspicious login attempts and prevent ban evasion.

Third-party services

When you use TenguMail, your data may be processed by third-party services:

  • AI Providers: The AI provider you select (OpenAI, Anthropic, Google, etc.) receives your email content for processing. See our Terms of Service for details.
  • Payment: LemonSqueezy processes payments. We never see or store your credit card number.
  • Your email server: We connect to your IMAP/SMTP server using credentials you provide.
  • Your storage: If you connect cloud storage (S3, Google Drive, etc.), files are transferred directly between your email and your storage.

We carefully vet third-party services and only work with providers who maintain strong security practices.

Incident response

In the unlikely event of a security incident affecting your data:

  1. We will notify affected users within 72 hours of discovering the breach.
  2. We will provide details about what data was affected.
  3. We will explain what we are doing to address the incident.
  4. We will report to relevant authorities as required by law (including GDPR).

Security recommendations

You can help keep your account secure:

  • Use a strong, unique password for your TenguMail account.
  • Use app-specific passwords for email accounts when possible (Gmail, Outlook, etc.).
  • Test your AI pipelines in "draft" or "testing" mode before activating them.
  • Review pipeline execution logs regularly.
  • Revoke access to email accounts you no longer use.

Report a vulnerability

If you discover a security vulnerability in TenguMail, please report it to security@treetank.net. We appreciate responsible disclosure and will:

  • Acknowledge your report within 48 hours.
  • Keep you informed of our progress.
  • Credit you (if desired) when we fix the issue.
  • Not take legal action against good-faith security researchers.


Adapted from Basecamp's open-source policies, used under CC BY 4.0.