Security

EU-hosted. EU-routed. Period.

BLUN · Mailing's security posture in plain language: encryption in transit and at rest, role-based access with hardware-key MFA, a published sub-processor list, and full GDPR rigor — Art. 28 DPA, Art. 33 breach notice, Art. 17 erasure, all of it. No US replication in the default flow.

EU-hosted · Germany · TLS 1.3 + LUKS · GDPR Art. 28 DPA · 72h breach notice

Four pillars.

Encryption, access control, sub-processors, compliance. The boring foundations done properly.

Encryption

Data is protected end-to-end across the request path, on disk, and in every uploaded asset.

  • TLS 1.3 in transit, HSTS preload, Mozilla "Modern" cipher suites only.
  • LUKS-encrypted volumes at rest on every EU-hosted node, AES-256-XTS.
  • EXIF-stripped uploads — every image rewritten on receive, GPS removed.
  • Per-tenant keys for sensitive fields (API tokens, OAuth refresh, list contacts).
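The "EXIF-stripped uploads" bullet above is the one pillar item that is concrete enough to show in code. What follows is an added example written for this page, not BLUN · Mailing's own upload pipeline: a dependency-free JPEG segment walker that drops the application segments where Exif (including the GPS IFD), XMP and Photoshop/IPTC metadata live and copies everything else byte for byte. The input is a constructed, JPEG-shaped byte string (not a decodable photo), and the segment names and helper functions are the example's own. A production "rewrite on receive" path would normally decode and re-encode the image with an image library, which also covers non-JPEG containers; this block shows where the metadata sits and what the check for it looks like.

```python
"""JPEG metadata stripping at upload time (added example; not BLUN · Mailing's
own code). Walks the marker segments that precede the scan data and drops the
application segments carrying metadata: APP1 Exif (home of the GPS IFD),
APP1 XMP and APP13 Photoshop/IPTC. All other segments and the scan itself are
copied unchanged, so the pixels are untouched."""
import struct
from typing import Iterator, List, Tuple

SOI, SOS, APP1, APP13 = 0xFFD8, 0xFFDA, 0xFFE1, 0xFFED
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
PHOTOSHOP_HEADER = b"Photoshop 3.0\x00"


def _segments(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for each segment from SOI up to SOS.
    The SOS segment is yielded last with end == len(data): the entropy-coded
    scan after it is opaque to this parser and is copied as-is."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # optional 0xFF fill bytes
            pos += 1
        if pos + 4 > len(data):
            raise ValueError(f"truncated marker at offset {pos}")
        marker = 0xFF00 | data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, pos, end
        pos = end
    raise ValueError("no SOS marker: not a complete JPEG")


def _is_metadata(marker: int, payload: bytes) -> bool:
    """True for the segments that carry Exif, XMP or IPTC metadata."""
    if marker == APP1:
        return payload.startswith(EXIF_HEADER) or payload.startswith(XMP_HEADER)
    if marker == APP13:
        return payload.startswith(PHOTOSHOP_HEADER)
    return False


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of `data` with Exif/XMP/IPTC segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(data):
        if marker != SOS and _is_metadata(marker, data[start + 4:end]):
            continue  # drop the whole segment, marker and length field included
        out += data[start:end]
    return bytes(out)


def segment_markers(data: bytes) -> List[int]:
    """Markers in order, useful for before/after comparison."""
    return [marker for marker, _, _ in _segments(data)]


def exif_present(data: bytes) -> bool:
    """The check an upload handler runs after rewriting: any Exif left?"""
    return any(m == APP1 and data[s + 4:e].startswith(EXIF_HEADER)
               for m, s, e in _segments(data))


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample input (not a real photo): JFIF header, an Exif block with a
# placeholder standing in for a GPS IFD, an XMP block, a quantisation table,
# then a scan header, three bytes of "scan data" and EOI.
SAMPLE_UPLOAD = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_HEADER + b"MM\x00\x2a\x00\x00\x00\x08" + b"<GPS-IFD-PLACEHOLDER>")
    + _segment(APP1, XMP_HEADER + b"<x:xmpmeta/>")
    + _segment(0xFFDB, b"\x00" + bytes(64))
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_UPLOAD)
    print("before:", [hex(m) for m in segment_markers(SAMPLE_UPLOAD)], exif_present(SAMPLE_UPLOAD))
    print("after: ", [hex(m) for m in segment_markers(cleaned)], exif_present(cleaned))
```

The parser refuses anything that is not a well-formed marker stream rather than passing it through, which is the behaviour an upload handler wants: an input that cannot be rewritten is rejected, not stored as received.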

Access control

Roles, MFA, audit log. The principle is least privilege, the practice is hardware keys.

  • RBAC at workspace, list, and template level — Owner, Admin, Editor, Analyst.
  • MFA enforced for all admin roles. WebAuthn / hardware keys preferred over TOTP.
  • Audit log for every privileged action — login, export, send, key rotation, role change.
  • SAML SSO for Business+ tier — Enterprise plan adds SCIM provisioning.

Sub-processors

Short list. Published. EU-first. Anyone touching user data is here, by name and by purpose.

  • Tier-IV EU data centers (DE) — primary hosting, storage, network. ISO 27001.
  • Stripe Payments Europe (IE) — billing only. No campaign data flows there.
  • Apple / Google / Expo push — opt-in only, used for the BLUN · Mailing mobile app alerts.
  • BLUN AI internal models — content suggestions; runs in-house on EU GPUs.

Compliance

The legal scaffolding behind the keys and the cipher suites.

  • GDPR Art. 28 DPA available for every paying workspace, signed online.
  • ISO 27001 at the hosting layer (DE-NUE-A1, DE-FAL-B2).
  • SOC 2 Type 2 targeted Q3 2026 — observation period in progress now.
  • Pen-tests every 6 months by an independent EU firm; summary report available on request.

Where your data lives.

Two data centres, both in Germany, both yours. No replicas in the United States — by design, not by toggle.

Two German DCs, zero US transfer.

BLUN · Mailing runs primary out of EU-hosted Nuremberg with synchronous failover to Falkenstein. Backups are encrypted at rest and stored in the same EU region. There is no default replication path that crosses the Atlantic.

  • DE-NUE-A1
    EU-hosted Nuremberg, Germany
    Primary
  • DE-FAL-B2
    EU-hosted Falkenstein, Germany
    Failover

Incident response.

If something goes wrong, here's exactly what happens. Four steps, written down before they're needed.

1. Detect

Anomaly detection on auth, send-rate, and admin actions. On-call paged within 60 seconds, internal channel notified, clock starts.

2. Contain

Affected surface taken offline or quarantined. Credentials rotated. Audit log frozen for forensic capture, blast radius mapped.

3. Notify

Affected users emailed within 72h under GDPR Art. 33. Data Protection Authority notified where required. Status page updated.

4. Postmortem

Public, blameless postmortem within 14 days. Root cause, timeline, mitigation, follow-up actions, all written and shared.
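Step 1 above names three signal sources (auth, send-rate, admin actions) without saying what a detection looks like. The block below is an added example, not BLUN · Mailing's detector: a sliding-window rule engine run over a few constructed log lines. The log format, the rule thresholds and the event names are assumptions chosen for the demonstration; the point is the shape of the logic: one window per (rule, key) pair, a threshold within the window, and one alert per key so a burst does not page on-call fifty times.

```python
"""Sliding-window anomaly detection over auth, send-rate and admin events
(added example; not BLUN · Mailing's detection code). Log format, event names
and thresholds are assumptions for the demo."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed line shape: "<ISO-8601 UTC> <source> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+) (?P<event>\w+)(?P<kv>(?: [\w.]+=\S+)*)$")

# (rule name, event, key field to bucket on, extra field filter, threshold, window seconds)
RULES = [
    ("auth_bruteforce",    "login_failed",  "ip",        {},                5, 120),
    ("send_rate_burst",    "campaign_send", "workspace", {},                3,  60),
    ("owner_role_granted", "role_change",   "target",    {"role": "Owner"}, 1,   0),
]


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {"ts": ts, "src": m["src"], "event": m["event"], **fields}


def detect(lines, rules=RULES):
    """Return alerts in the order they fire. Each (rule, key value) fires once."""
    windows = defaultdict(deque)   # (rule, key value) -> timestamps inside the window
    fired = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, event, key, match, threshold, window in rules:
            if ev["event"] != event or key not in ev:
                continue
            if any(ev.get(field) != value for field, value in match.items()):
                continue
            bucket = (name, ev[key])
            dq = windows[bucket]
            while dq and (ev["ts"] - dq[0]).total_seconds() > window:
                dq.popleft()   # expire events that fell out of the window
            dq.append(ev["ts"])
            if len(dq) >= threshold and bucket not in fired:
                fired.add(bucket)
                alerts.append({"rule": name, "key": key, "value": ev[key],
                               "count": len(dq), "at": ev["ts"].isoformat()})
    return alerts


# Constructed sample log: five failed logins from one IP inside two minutes,
# three sends from one workspace inside a minute, and one Owner grant.
SAMPLE_LOG = """\
2026-03-02T10:00:00Z auth login_failed ip=203.0.113.7 user=ops@example.eu
2026-03-02T10:00:05Z auth login_failed ip=198.51.100.2 user=ana@example.eu
2026-03-02T10:00:10Z send campaign_send workspace=ws_42 list=newsletter
2026-03-02T10:00:15Z auth login_failed ip=203.0.113.7 user=ops@example.eu
2026-03-02T10:00:20Z send campaign_send workspace=ws_42 list=newsletter
2026-03-02T10:00:30Z auth login_failed ip=203.0.113.7 user=ops@example.eu
2026-03-02T10:00:40Z send campaign_send workspace=ws_7 list=alerts
2026-03-02T10:00:45Z auth login_failed ip=203.0.113.7 user=ops@example.eu
2026-03-02T10:00:50Z send campaign_send workspace=ws_42 list=newsletter
2026-03-02T10:01:00Z auth login_failed ip=203.0.113.7 user=admin@example.eu
2026-03-02T10:01:20Z auth login_ok ip=203.0.113.7 user=admin@example.eu
2026-03-02T10:03:00Z auth login_failed ip=198.51.100.2 user=ana@example.eu
2026-03-02T10:03:30Z admin role_change ip=203.0.113.7 actor=admin@example.eu target=ana@example.eu role=Owner
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two design choices worth noting: thresholds are per rule and per key, so a busy but legitimate workspace does not mask a single tenant's burst, and the `fired` set turns a sustained event stream into one page per subject, which is what a "paged within 60 seconds" promise needs to stay tolerable for the on-call.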

Bug bounty.

Found a vulnerability? Let us know. Responsible disclosure is paid disclosure.

security@blun.ai · responsible disclosure within 30 days.

Email a clear writeup with reproduction steps. We acknowledge within 24 hours, triage within 5 working days, and patch critical issues within 30 days. Eligible reports are paid in EUR; we publicly credit reporters who want it.

  • Contact: security@blun.ai
  • Scope: send.blun.ai · *.blun.ai · BLUN · Mailing mobile app
  • Out of scope: 3rd-party (Stripe, EU-hosted)
  • Triage: 5 working days
  • Patch SLA: Critical 30d · High 60d
  • Reward: EUR 100 – 4,000 by severity
  • Safe harbour: Yes — no legal action against good-faith research

Security FAQ.

Five questions we get every week from security and procurement teams.

Where does BLUN · Mailing data live?

All sending and storage runs on EU-hosted servers in Germany. Primary in Nuremberg (DE-NUE-A1), failover in Falkenstein (DE-FAL-B2). Backups stay in the same EU region. There is no US replication in the default flow, and no toggle that quietly enables it.

Who has access to my data?

Production access is gated by RBAC, hardware-key MFA, and a per-action audit log. The list of humans with production credentials is short — currently the founder and a small named on-call rotation. Every privileged action is logged with timestamp, IP, role, and reason.

What happens in a breach?

Detect, contain, notify within 72 hours under GDPR Art. 33, then publish a blameless postmortem within 14 days. Affected users get a direct email naming the scope, the data involved, our containment steps, and a written follow-up of remediation actions.

Are there third-party audits?

EU-hosted is ISO 27001 certified at the hosting layer. BLUN · Mailing itself targets SOC 2 Type 2 in Q3 2026 — observation period is running now. We commission an external pen-test every six months from an independent EU firm; the executive summary is available under NDA.

How do I exercise GDPR Art. 17 erasure?

Email blun.ai.app@gmail.com from the address on file, or use the in-app erasure flow under Settings → Privacy. Hard delete from production completes within 30 days; backup expiry within 35 days. We confirm in writing once the cycle is done.

Send with peace of mind.

EU-hosted, GDPR-native, audit-logged. Start free, upgrade when the volume justifies it.