Skip to content
PostMTA Hosted
StatusSign inOpen panelRequest access
Open menu

Trust

Incident response

We-operate customers receive contractual notification timelines. Customer-VPC operators run the same five-step playbook on their own stack (see operator playbook).

  1. Detectaudit_events, smoke-prod gates, operator alerts, fbl_events.
  2. Triage — severity classification within 4 business hours (we-operate).
  3. Contain — revoke API keys, pause send, isolate Kumo admin.
  4. Notify — customer security contact per the signed DPA.
  5. Recover — policy re-apply, epoch bump, matrix re-run.

SLA matrix (we-operate)

TierAcknowledgePostmortem
Sev-130 minutes5 business days
Sev-24 hours10 business days
Sev-3next business daynext sprint

Disclosure intake

Security disclosures: security@postmta.com · Privacy:privacy@postmta.com. We honour co-ordinated disclosure and do not pursue legal action against good-faith researchers.

Customer-VPC ops

Operators using PostMTA Hosted in their own VPC run the same playbook against audit_events, run bash scripts/restore-appliance-drill.sh --check, and reach us via support. We operate the smoke matrix, not their incident timeline.

← Trust center