Security: how member data is protected
Community groups trust us with their member lists, which are personal data. This page describes how that data is protected, in specific terms rather than assurances.
The data we hold, and why
For each community we hold: the member list (names where provided, email addresses, subscription status), the announcements sent, delivery outcomes, and the records that let a group demonstrate compliance (consent attestations for imports, unsubscribe events, an append-only log of administrative actions). We hold what the service needs to function and what your group needs as its record. Member data is used to deliver your group's mail and for nothing else: it is never sold, shared for advertising, or used to market to your members.
Access
Members never have accounts, which removes an entire class of risk: there are no member passwords to steal. Members interact through signed, single-purpose links (unsubscribe, RSVP, ballot, attachment access), each cryptographically tied to one person and one action, so a link cannot be altered to act as someone else or to do something different. Organiser access is limited to the communities they administer, and only senders a community has approved can send to its list; every unauthorised attempt is refused and logged.
Storage and transmission
All data is encrypted in transit (TLS) and at rest. Files attached to announcements are stored privately and reached only through short-lived signed URLs generated per access: attachment links in an email do not expose a public file location, and every access is logged. Attachments are scanned for malware before delivery links are issued. Infrastructure runs on Microsoft Azure in the East US and East US 2 regions; mail is delivered through Postmark; DNS and related services through Cloudflare. A current list of subprocessors is maintained on request.
Records without surveillance
The audit log that lets a committee prove "the notice went out on the 14th" is append-only: entries cannot be edited or deleted, by anyone, including us. At the same time, the system is built to avoid holding what it does not need: IP addresses in access records are stored as one-way hashes, sufficient to detect abuse, insufficient to profile members. Secret ballots take this further: who voted and how they voted are stored separately, by design, such that no query, and no administrator, can join the two.
Roles under data protection law
For member data, your group is the data controller and GetCommunityMail acts as processor, on the terms in our data processing agreement. Deletion requests, exports and the rest of a controller's obligations are supported: when a member is removed, or a group leaves the service, the data goes with them on the schedule the DPA sets out.
Reporting a vulnerability
If you believe you have found a security issue, email security@getcommunitymail.com. We acknowledge reports promptly, keep reporters informed, and do not pursue good-faith research.