Security at DMARCHub

You are giving us metadata about your mail flows. Here is how we look after it.

Where your data lives

DMARCHub is hosted in Microsoft Azure UK South. All customer data - DMARC reports, account information, payment metadata - stays in the UK. We do not transfer customer data outside the UK or EEA.

Encryption

All data is encrypted at rest using AES-256 (managed by Azure Storage). All traffic between you and DMARCHub is over TLS 1.2 or higher. Traffic between our worker and Microsoft Graph (for mailbox access) is over TLS 1.3.

Authentication

Sign-in goes through Microsoft Entra (OAuth 2.0). DMARCHub never sees, stores, or processes your password. We support any Entra tenant: your existing identity provider and conditional access policies apply.

Card data and PCI compliance

Card details go straight to Stripe via their hosted Checkout. DMARCHub never sees raw card data, which keeps us SAQ A (the lightest PCI compliance bracket). Stripe is PCI DSS Level 1 certified.

Cyber Essentials Plus

Inside Technology Ltd is aligned to the Cyber Essentials Plus control set. We are scheduled for formal certification ahead of public launch. The controls cover network configuration, secure configuration, user access, malware protection, and patch management.

Admin access controls

DMARCHub administrative access is restricted to staff on the office network (allowlisted IP ranges) and gated on a corporate email domain check. Every admin action is recorded in an immutable audit log.

Dependency security

We scan our own dependencies daily against the OSV vulnerability database. New vulnerabilities are triaged in the morning. Critical vulnerabilities trigger an out-of-hours email to the on-call engineer.

Data retention

Parsed DMARC reports (aggregate and forensic) are physically retained for 3 years so you can review year-on-year trends. How far back you can view in the portal depends on your plan: Free shows 3 months, Starter 12, Pro the full 3 years. Upgrading reveals older history instantly - it was never deleted, only hidden. Forensic reports have personally identifying information scrubbed at the point of ingest. Summary statistics (used by the dashboard) are kept for 5 years. Raw report files (XML/zip attachments) are kept for 30 days. Email audit logs are kept for 36 months. Account data is kept while your account is active.

Account deletion

Closed accounts are soft-deleted for 30 days (recoverable on request) and then hard-deleted. Hard deletion removes all DMARC reports, mailbox data, and personally identifying information. Invoices are retained indefinitely as required by HMRC.

Status and uptime

Operational status, scheduled maintenance, and incident history are published on our status page at status.dmarchub.io. We commit to publishing every incident within 30 minutes of detection.

Questions, due diligence requests, or a vulnerability disclosure?

Get in touch →