Ember
Security
Effective date: June 12, 2026
Ember holds the most sensitive credential a sender has: access to their mailboxes. This page describes how we protect it — specifically and without marketing gloss — and how to reach us if you find a weakness.
Credentials
- Mailbox credentials are encrypted with AES-256-GCM before they are written to the database. The encryption key is held in the runtime environment, separate from the database — a database leak alone does not expose credentials.
- Credentials are never logged, never included in error reports, and never returned by any API. Once entered, they cannot be viewed again — only replaced or destroyed.
- Disconnecting a mailbox destroys its credentials immediately.
- We encourage app passwords over primary passwords wherever the provider supports them: they are scoped, revocable from the provider's side, and independent of your main account password.
In transit
- All web traffic is TLS-only, with HTTPS enforced at the edge.
- IMAP and SMTP connections to your providers use TLS (implicit TLS or STARTTLS, as the provider requires). Connections that cannot establish TLS fail the connect test rather than degrading silently.
Access and operations
- Least privilege: production access is restricted to the people who operate the service, scoped to what their role requires, behind MFA.
- Scheduled warmup jobs run behind a secret-guarded endpoint that fails closed — if the secret is missing or wrong, nothing runs.
- Our subprocessors (Neon, Vercel, Resend, Polar) are listed with regions in the DPA; each maintains its own audited security program.
What we don't have
Honest scope, stated plainly: we do not currently hold SOC 2 certification. SOC 2 Type II: in progress. We will update this page when that changes — and we won't claim a badge we haven't earned.
Reporting a vulnerability
Email support@1labs.ai with "SECURITY" in the subject line. Include steps to reproduce; please don't access other customers' data while demonstrating an issue. We acknowledge reports within 2 business days, keep you informed while we fix, and credit reporters who want credit. We do not pursue good-faith researchers who respect these boundaries.
Contact
support@1labs.ai · Contact page. Ember is a product of One Infinity Labs, Inc.