About our Security

How we keep your data safe in mmunicMail

Looking for other security information?

This information covers how we protect your data when you use our email marketing platform, mmunicMail. For more information about how we protect your data for other services, please see our Privacy & Cookies Policy.

The security of your data matters to us

Our customers depend on us for security of their data and reliability of access to it. It’s something we take very seriously and we believe it’s important you know how we keep your data safe and access to mmunicMail secure.

Data centres

Your data is kept safe in patrolled, tier 4 data centres based in the UK. Only authorized personnel are granted access to the data centres.

The data centres used to hold your data have onsite security teams, who are resident 24 hours a day, 365 days a year to protect against unauthorised access and physical security breaches.

Security on the web

When you access mmunicMail through your web browser, and when requests are made through our API to your database, these are protected by SSL Labs Grade A 256-bit SSL encryption.

You can click the padlock icon next to the browser address to check this and verify that you’re not connected to, or communicating with, a phishing site impersonating mmunicMail. This is how you know that your data is secure in transit.


It’s just as important that you’re able to access mmunicMail when you need to as it is that we keep your data secure. mmunicMail uses high-level importance servers, which benefit from full redundancy of power supplies and internet connections that ensure mmunicMail stays online even in the rare event that multiple servers fail.

mmunicMail also employs enterprise level firewalls to ensure that the platform and your data reside securely within the data centres’ infrastructure, with no direct public access.

Coding practices & releases

mmunicMail is coded using the principles of OWASP to ensure the most secure practices of code are used at all times when developing the platform. This also includes when new releases are planned and developed. Our developers also conduct a Data Protection Impact Assessment (DPIA) for each major release of the mmunicMail platform on the development roadmap.

From our penetration tests and vulnerability detection approaches, security patches are released for mmunicMail – which are then tested again to ensure ongoing security. Security patches are also released on-demand, using the up-to-date knowledge that our development team continues to build about contemporary security threats.

Importantly, your data is not used in any of mmunicMail’s development, testing or analytics environments – only on the live, production version of the platform.

Penetration testing & vulnerability detection

The servers we use within the data centres that host your data are scanned for vulnerabilities multiple times each year. This comprehensive range of tests performed on our servers are deployed both from external Internet servers and also from inside the network.

Additionally, the mmunicMail application is also subject to an annual penetration test on both the application itself as well as its perimeter to ensure the ongoing security of the platform.

From our penetration tests and vulnerability detection approaches, security patches are released for mmunicMail – which are then tested again to ensure ongoing security. Security patches are also released on-demand, using the up-to-date knowledge that our development team continues to build about contemporary security threats.

Mail servers

mmunicMail only uses mail servers that run Port25 PowerMTS software that implements TLS (Transport Layer Security) to deliver secure and encrypted emails.

On top of this, all emails sent out through mmunicMail are signed with 1024 bit DKIM keys to protect against forgery while in transit.

Both mmunicMail’s default sending domain (mailer.mmunic.email) and any custom domains you set up using our DNS Authentication guide also have SPF (Sender Policy Framework) protection to publish authorised ranges of sending IP addresses.

Logins & lockouts

When any user tries to log in to mmunicMail, the platform is protected by both Google ReCAPTCHA and brute force detection.

We limit the number of log in attempts as part of these measures anyway and impose a 1 hour lockout if this threshold is met; however, in the event that any aggressive or hostile logon attempts (such as those from bots or hackers) are detected, brute force detection automatically kicks in faster.

Once authorised users are logged in, we also use auto-timeout features that automatically log you out after a period of inactivity.

We also retain an audit log of all account activity that we monitor for unusual events (which we then disclose to you if required). These cannot be edited or amended in anyway, meaning we have an accurate record of all account activity across mmunicMail. Our audit logs are retained for 18 months.

Data deletion & retention

It’s important that mmunicMail holds only data that is relevant to your business. As such, mmunicMail automatically deletes any customer or list user data after 18 months of inactivity. This means that if you don’t send an email out to a user for 18 months, they will automatically be removed from the platform and any lists the user is on.

If you have a shorter data retention policy, just let us know – we can customise this setting for you!

Storage & backups

mmunicMail is backed up using the very latest hardware technologies to ensure your data is processed and protected in a fast and efficient manner. We have three real-time mirrors of your live data, and within our backup data centre, we maintain another three real-time mirrors. We also have a failover servers which take a snapshot of the mmunicMail database every 3 hours for extra protection.

Only your images are stored in the ‘cloud’ – your data itself is stored and backed up on tier 4 data centres based in the UK.

No hardware is infallible, but the approach used to backup mmunicMail and your data means that multiple layers of backup are available in the event of catastrophic hardware failure, disaster recovery plan instigation and even for everyday business continuity and reliability requirements.

Disclosure of breaches & security vulnerabilities

In the event of a potential or actual security breach being discovered by anyone involved in the maintenance or management of mmunicMail, we make every effort to discover and resolve the issue within as shorter timeframe as possible.

Importantly, we are also committed to disclosing any vulnerabilities exploited to our affected customers. To do this, we follow the approach for managing and disclosing security breaches as set out by the Information Commissioner’s Office (ICO) guidelines on the matter.

How you can help to keep your mmunicMail account secure

While a huge amount of work goes into keeping mmunicMail a secure email marketing platform behind the scenes, you can also help protect your mmunicMail account – and the security of our platform as a whole – with the following simple tips and tricks:

  • Use an up-to-date web browser
    Exploiting vulnerabilities of out-of-date web browsers is one of the easiest ways for phishers, hackers and other malicious parties to gain access to your information and browsing data. It’s important that you keep your browser up to date wherever possible to make the most of the provider’s latest security patches. Officially, we only support use of mmunicMail on the current and one previous version of the major releases of Google Chrome, Mozilla Firefox, Safari and Microsoft Edge browsers.
  • Never share your login
    Sharing your unique login to mmunicMail – even to another party that you trust – is an easy way to compromise your account. We don’t charge extra for additional users on your account, so if you’re the authorised account holder for your business, feel free to ask us to set a new user account up for you anytime and keep your account safe!
  • Log out every time
    Although mmunicMail has an auto-timeout feature that will automatically log you out when your account is not in use, you can guarantee extra security by logging yourself out when you’re finishing working in the platform. This way, no one will be able to access your account even in those short moments when you’re popping out for a quick break or your attention is elsewhere.