We take the security of our users' data very seriously. As such, we want to make you aware of some of the measures we take to secure your project, account, credit card, and other personal data.
Credit Card Data
Your credit card data is protected at all times during the purchase process by modern encryption and the use of credit card tokenization. Payment forms that ask for credit card information are served to the customer over a secure HTTPS connection (TLS 1.2, strong cipher suites only, perfect forward secrecy enabled) from servers housed in a secure, monitored data center facility with restricted physical access. You can inspect the TLS server certificate at any time by clicking the lock icon that appears in the top-right corner of the window that contains the payment form.
Your credit card data is never transmitted to or saved on our servers. In fact, cardholder data is not saved on any servers connected to the Internet. e3 Software uses Braintree to process and store credit card data. Braintree, a subsidiary of PayPal, is a validated Level 1 PCI DSS compliant service provider with strict privacy and security controls. Recurring billing and the "Remember my card for next time" feature in Direct Mail are facilitated by the use of credit card tokens, which reveal no information about the cardholder or card itself.
The Direct Mail application itself stores no credit card data locally on your machine.
Versions of Direct Mail downloaded from the Mac App Store do not request, transmit, or store credit card data. All payment transactions are handled by the App Store.
If you have not moved your Direct Mail project into the cloud, then data relating to your messages, mailing lists, campaign reports, etc. is stored locally on your Mac (or wherever you have saved the project file). This means that the security of your project data is primarily up to you. If you are concerned about unauthorized access to your Mac, we recommend choosing a strong password for your macOS account, disabling automatic login, and enabling the FileVault features in macOS.
If your Direct Mail project has been moved to the cloud, then all data relating to your project is stored securely on servers controlled by e3 Software. All communication between your Mac and our servers is always encrypted using HTTPS (TLS 1.2, strong cipher suites only, perfect forward secrecy enabled). e3 Software servers are physically located in a secure, monitored data center facility with restricted physical access. Data backups are performed continuously.
When you sync a Direct Mail project saved in the cloud to your Mac, a copy of that project is saved to your Mac for better performance and offline access (in ~/Library/Application Support/Direct Mail/Cloud or ~/Library/Containers/com.ernieware.directmail/Data/Library/Application Support/Direct Mail/Cloud). The copy on your Mac is deleted when you sign out of your Direct Mail account, or when the owner of the project stops sharing it with you.
If you use e3 Delivery Service, email tracking features, design tests, or subscribe forms, then data related to each of these services is transmitted between our servers and your Mac over an encrypted connection.
All account settings (including your password) are sent over an encrypted connection (see the Credit Card Data section above for details). You can inspect the SSL/TLS server certificate at any time by choosing Direct Mail > Direct Mail Account from the menu bar and clicking the lock icon that appears in the top-right corner of the window.
A bcrypt hash of your password is stored on our servers for authentication purposes. Using a hash of your password allows us to know whether the password you entered is correct without actually storing your original password at all. If you forget your password, we cannot retrieve it, but instead will reset it to something new. Your original password is never saved on our servers.
When you sign in to Direct Mail, you have the option of remembering your password in your keychain. If you use this option, your password will be encrypted and stored locally on your Mac (i.e. it will not be sent to our servers). You can use the Keychain Access application (in the Applications > Utilities folder) to view, edit, or delete your saved passwords.
You may also secure your Direct Mail account using two-factor authentication. If you enable two-factor authentication, you will need to enter both your password and a rotating, time-limited code when signing in to your account. The special code can be generated by any TOTP-compatible smartphone app. For details, and to enable two-factor authentication, open your Direct Mail account control panel and click on the “Password & Security” section.
If you think you have discovered a security vulnerability in Direct Mail, please email firstname.lastname@example.org using our PGP public key. Note that this email address is only for security issues. Please visit our support page for general issues.