Mumara

Security & Trust

Built secure, on infrastructure we own.

Operating since 2012. 21,000+ businesses send through Mumara today. This page is the single reference for how we protect your data, your sender reputation, and your customers' privacy.

Trust pillars

Four commitments behind every Mumara product.

Owned infrastructure

Mumara's production application runs on infrastructure we own and operate. Owned servers, owned IPs, our own colocation and cloud — not on a third-party public cloud. Fewer moving parts, fewer hops, full control.

Privacy by design

We don't use your AI prompts or generated outputs to train any model exposed outside your account. We don't sell or share customer data. Tracking on our marketing site is opt-in.

Compliance-aware

GDPR, UK GDPR, Swiss revFADP, CCPA / CPRA, LGPD, CAN-SPAM, CASL, PECR, and TCPA are built into how the product behaves and how our team responds.

Operational maturity

Operating since 2012. 21,000+ businesses sending through Mumara today. Incident response, audit logging, vendor due diligence, and documented runbooks behind every product surface.

Infrastructure security

The hardware that runs Mumara is ours.

The application that processes your campaigns and Contacts is not hosted on a third-party public cloud. We deliberately built this way so that, for the data most of you care about, there is no upstream cloud-hosting sub-processor in the chain.

  • Owned servers and IPs

    Production runs on our own hardware in our colocation and cloud. Sending IPs are owned and operated directly by Mumara — your sender reputation is built on infrastructure we control.

  • Network segregation

    Production, staging, and corporate networks are isolated. Production access requires VPN + multi-factor authentication; default-deny firewalls; least-privilege ACLs.

  • Edge protection

    Mumara's marketing surfaces are fronted by Cloudflare for DDoS mitigation, bot management, and TLS termination. The application itself enforces its own rate limits independently.

  • Resiliency

    Redundant power, networking, and storage. Production data is replicated and backed up; backups are encrypted and tested. Disaster-recovery runbooks are exercised periodically.

  • Hardware lifecycle

    Decommissioned drives are wiped and destroyed in line with NIST 800-88 guidance. No production drive leaves our facilities intact.

Application & data security

Encryption, access control, and a secure SDLC.

  • Encryption in transit

    TLS 1.2+ on every public-facing endpoint with modern cipher suites. HSTS in force on the marketing site.

  • Encryption at rest

    Production databases, backups, and stored credentials (e.g. Bridge connection secrets) are encrypted with industry-standard algorithms (AES-256 or equivalent).

  • Authentication

    Passwords are hashed and salted using a memory-hard algorithm. Two-factor authentication is available on all accounts. SSO available on enterprise plans.

  • Authorization

    Role-based access control with least-privilege defaults. Customer data access by Mumara personnel is gated, time-bound, and audited.

  • Secure development lifecycle

    Peer code review for every change. Dependency scanning. Static and dynamic analysis. Secrets are kept out of source code; configuration secrets rotate on a schedule.

  • Sender authentication

    SPF, DKIM, DMARC, and BIMI workflows built into the product so customers can authenticate every domain they send from. Auto DNS addon automates the records on supported registrars.

Operational security

Detection, response, and the people behind the platform.

  • Audit logging

    Administrative actions, sign-ins, configuration changes, and data exports are logged centrally with anomaly detection. Logs are immutable and retained per policy.

  • Monitoring & alerting

    Production health, latency, error rates, queue depth, deliverability metrics, and abuse signals are monitored 24/7. Alerts page the on-call engineer.

  • Incident response

    Documented playbook covering detection, containment, eradication, recovery, and post-incident review. Customers affected by a personal-data breach are notified per our DPA timelines.

  • Abuse & deliverability

    Automated abuse scoring throttles, queues, or pauses sending when patterns suggest compromise or non-compliant use — protecting deliverability for the wider customer base.

  • Personnel

    Background screening proportionate to role. Confidentiality obligations in employment terms. Security awareness training. Access revoked on role change or departure.

  • Vendor management

    Sub-processors pass a documented due-diligence review (security posture, privacy program, attestations) before they handle personal data. Members are notified of material changes to the sub-processor list 30 days in advance.

Privacy by design

The data minimisation that runs through the product.

Mumara AI: no training on your data

Mumara does not use your AI prompts or generated outputs to train any model exposed outside your account. Mumara AI does not consume your full subscriber lists, behavioural data, or full campaign archives — only the prompt content you generate.

No sale, no cross-context sharing

We do not sell personal information for money. We do not "share" personal information for cross-context behavioural advertising as those terms are defined under the CPRA. We do not rent Member or Contact data.

Marketing-site tracking is opt-in

Cookies on this site are off by default. Analytics, marketing pixels, and live chat load only after you opt in. Third-party scripts are offloaded to a web worker so they cannot block page rendering.

Customer security responsibilities

Security is shared. Here is your half.

Mumara secures the platform; you secure your account, your sender domains, and the consent behind every campaign.

  • Lock down your account

    Use a strong, unique password. Turn on two-factor authentication. Review team-member access regularly. Revoke unused API tokens.

  • Authenticate every domain

    Publish SPF, DKIM, and DMARC for every sending domain. Consider BIMI when ready. Use our Auto DNS addon to automate the records on supported registrars.

  • Earn and prove consent

    Capture explicit consent at sign-up and store the proof. Honour unsubscribes promptly. Don't reuse old lists for new programs without re-consenting.

  • Protect your customers' data

    Tell your subscribers what you do with their data via a current privacy notice. Sign our DPA. Respond to data-subject requests.

Coordinated vulnerability disclosure

Found something? Tell us — we'll work it.

We welcome reports from security researchers, customers, and the public. Send your report via the contact form with subject line "Security report". Include a clear description, reproduction steps, affected URLs or endpoints, and any proof-of-concept.

  1. We acknowledge in 1 business day

     A real human from our security team confirms receipt and starts triage.

  2. We investigate and fix

     We keep you posted on progress. Severe issues are handled out of hours; lower-severity issues follow our normal release cadence.

  3. Recognition

     Researchers who follow coordinated disclosure get our public thanks. We do not pursue legal action against good-faith research that respects this process.

Out of scope

  • Denial-of-service testing or load testing.
  • Social engineering of Mumara staff or customers.
  • Physical attacks against our offices or facilities.
  • Reports generated solely by automated scanners with no manual verification.
  • Vulnerabilities in third-party services we integrate with — please report those to the third party directly.

Need a deeper look before you sign?

Enterprise prospects: we'll send our full security overview and a sample DPA, and answer your security questionnaire under NDA.