ThePost.Space was built with security as a foundation, not an afterthought. End-to-end encryption, zero-knowledge architecture, and full regulatory compliance — so your data stays yours, always.
Every aspect of ThePost.Space is engineered around your security. From the code we write to the infrastructure we run.
Every message is encrypted on your device before transmission. We use hybrid encryption: a fresh AES-256 key protects the message body, and that key is wrapped with the recipient's RSA-4096 public key (key transport, not a shared-secret exchange). Both are standardised primitives relied on by governments and financial institutions.
We never have access to your encryption keys. Your private key is generated on your device and never leaves it. Even our engineers cannot read your messages — this is a technical guarantee, not a policy.
Our servers run in ISO 27001-certified data centres with physical access controls, network segmentation, and 24/7 intrusion detection. All data is replicated across geographically separated regions.
Our AI-powered filters block spam, phishing links, and malware attachments with 99.7% accuracy, before they ever reach your inbox. Detection models and signatures are updated continuously.
Multi-factor authentication, hardware security key support (FIDO2/WebAuthn), session management, and granular team permission controls. You decide exactly who sees what.
Every login, file access, and administrative action is recorded in tamper-evident audit logs, so any alteration after the fact is detectable. Exportable for compliance reviews, SIEM integration, and forensic investigations.
From the moment you hit send, your message is encrypted on-device. Our servers only ever see ciphertext, which is computationally infeasible to read without the recipient's private key. Not even a court order changes that.
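The scheme described above (a per-message AES-256 key wrapped with the recipient's RSA-4096 public key, with the server relaying only ciphertext) in working code, as an added illustration rather than ThePost.Space's own client code. It assumes AES-256-GCM for the body, RSA-OAEP with SHA-256 for key wrapping, and the `Envelope` layout shown; those are conventional choices, not details the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all a relay server ever holds: no plaintext, and no key
// material that is usable without the recipient's RSA private key.
// (Layout is an assumption for this example, not the service's wire format.)
type Envelope struct {
	WrappedKey []byte // per-message AES-256 key, RSA-OAEP(SHA-256) encrypted to the recipient
	Nonce      []byte // 96-bit AES-GCM nonce, unique per message
	Ciphertext []byte // AES-256-GCM output with the 16-byte authentication tag appended
}

// GenerateIdentity models the on-device key pair: the private half is created
// here and is never serialised or transmitted anywhere in this example.
func GenerateIdentity(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Seal encrypts msg for the holder of recipientPub using hybrid encryption:
// a fresh 256-bit AES key for every message, wrapped with RSA-OAEP.
func Seal(recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, msg, nil),
	}, nil
}

// Open unwraps the message key with priv and decrypts. A different private
// key, or any modified byte of the envelope, produces an error, never garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong private key or corrupted envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext was modified in transit")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Recipient generates an RSA-4096 identity on their own device.
	recipient, err := GenerateIdentity(4096)
	if err != nil {
		panic(err)
	}
	// Sender needs only the recipient's public key. Message text is constructed for the example.
	env, err := Seal(&recipient.PublicKey, []byte("Board minutes attached, please keep internal."))
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores %d bytes of ciphertext and a %d-byte wrapped key\n",
		len(env.Ciphertext), len(env.WrappedKey))

	pt, err := Open(recipient, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient reads: %q\n", pt)

	// Flip one bit in transit: GCM's tag check rejects the whole message.
	env.Ciphertext[0] ^= 0x01
	if _, err := Open(recipient, env); err != nil {
		fmt.Println("tampered envelope rejected:", err)
	}
}
```

The point to take from it: whoever operates the relay holds `Envelope` and nothing else, and the only way to turn it back into text is the private key that `GenerateIdentity` created on the recipient's device. A wrong key fails at the OAEP unwrap, and a modified ciphertext fails the GCM tag check, so an operator cannot read, and cannot silently alter, what passes through.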
New encryption keys are generated for every session. Compromise of one session's keys does not expose messages from earlier sessions (forward secrecy).
We use battle-tested, open-source cryptographic primitives. No proprietary algorithms — our implementation is auditable by anyone.
Our cryptographic implementation is independently audited annually by third-party security firms. Full reports are publicly available.
We don't just claim compliance — we prove it with independent audits and public documentation.
SOC 2 report, independently audited by a Big Four firm. Covers the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy of customer data. Re-audited annually.
Full compliance with the EU General Data Protection Regulation. EU users' data stays within the EU by default. A data processing agreement (DPA) is available on request.
Full compliance with the California Consumer Privacy Act. California residents have the right to access, delete, and opt out of the sale of their personal information. Always honoured.
Our information security management system is certified to ISO/IEC 27001:2022 — the international gold standard for information security. Covers our entire product and infrastructure.
Our multi-layered threat intelligence system analyses billions of data points daily. Suspicious patterns are blocked in real time, with tuning focused on keeping false positives on legitimate mail to a minimum.
AI-powered analysis of sender reputation, domain age, link patterns, and content to catch even the most sophisticated phishing attempts.
Every attachment is scanned in a sandboxed environment using multiple antivirus engines before delivery. Macros and executables are blocked by default.
Rate limiting, geo-based anomaly detection, and automatic DDoS mitigation ensure your service stays online even under heavy attack conditions.
Transparency is part of our security model. Here are the questions we get asked most.
No. It is technically infeasible, not merely forbidden by policy. Your private key never leaves your device and our servers only store ciphertext, so even an employee with full database access cannot decrypt your messages. That guarantee rests on the client software running on your device, which is why our implementation is open to audit.
We provide secure, encrypted key backup during setup — protected by your master password. You can also store a recovery key in an external password manager. Without a backup, past messages cannot be recovered, which is intentional.
Messages to external email addresses are secured with TLS in transit (preventing interception on the wire), but cannot be end-to-end encrypted: we hold no public key for the external recipient, and their mail server, not ours, controls delivery and storage at the destination. We clearly label this distinction in the interface.
We publish a transparency report. Even if we receive a legally valid request, the only data we can provide is metadata — we have no ability to hand over message content since we don't possess the keys to decrypt it.
EU user data is stored exclusively in ISO 27001-certified data centres within the EU (Frankfurt and Amsterdam). Users can choose their preferred region. Data is never transferred outside your chosen jurisdiction without explicit consent.