Your data, your
control — always
Posthawk is built with security at its core. Self-host for complete control, or use our cloud with enterprise-grade isolation. Full control over your email infrastructure.
In Transit
At Rest
API Keys
Optional
Security by default
Encryption at Rest & In Transit
Database storage is AES-256 encrypted at rest by Postgres. Connections to the database, the worker, and AWS SES negotiate TLS 1.2 or higher. API keys are bcrypt-hashed before storage — never stored in plaintext.
Row-Level Security
Every database query is scoped to your workspace using Supabase RLS policies. Data isolation is enforced at the database level, not just the application layer.
Minimal Content Retention
Email content is stored only for debugging and can be disabled. Metadata like timestamps, recipients, and delivery status are kept for your records. Self-hosted users control retention policies entirely.
MFA & API Key Isolation
Accounts are protected with optional TOTP-based two-factor authentication. Each API key is bcrypt-hashed and scoped to a single workspace. Keys can be rotated or revoked instantly.
No Phone-Home
The Posthawk web dashboard and worker ship without third-party telemetry, error trackers, or product analytics. Self-hosted instances run entirely inside your own perimeter — no remote heartbeats, no usage pings.
Self-Hosted by Design
Deploy on your own servers with full control over your data, network, and encryption keys. No vendor lock-in, no data leaving your perimeter.
What powers Posthawk
Battle-tested stack
Posthawk is built on PostgreSQL, Redis, and AWS SES — proven technologies trusted by millions of applications. Supabase provides row-level security and encrypted vault storage out of the box. No custom crypto, no experimental databases.
Every component is containerized and stateless, making it simple to deploy behind your existing firewall, VPN, or private network. Your email infrastructure stays within your security perimeter.
Security Stack
Your data, handled right
Data Residency
Self-hosted deployments keep all data in your chosen region. Cloud users benefit from EU-based infrastructure with configurable SES regions.
Credential Management
API keys are bcrypt-hashed and shown to you exactly once at creation. Webhook secrets and verification tokens live behind Postgres-level AES-256 disk encryption with row-level security. Workspace-scoped third-party API keys (e.g. ZeroBounce) are stored in Supabase Vault.
Audit Trail
Every email event — sent, delivered, bounced, complained — is logged with timestamps. Full visibility into your email pipeline for compliance needs.
Self-Host for Sovereignty
Self-hosting puts every byte under your roof — your DPA, your retention policies, your encryption keys. Useful when GDPR, internal infosec policies, or regulated workloads require no third-party data processors.
Full control, by design
Your infrastructure, your control
Posthawk is designed to run on your own servers. Every component is containerized and stateless, giving your team full visibility into the email pipeline.
No hidden dependencies, no phone-home behavior. Deploy behind your firewall, VPN, or private network with complete control over your data flow.
Deploy with confidence
Self-host on your own infrastructure in minutes. Docker Compose deployment with full control over configuration, networking, and data.
Self-Hosting GuideReady to take control?
Deploy Posthawk on your own infrastructure in minutes. Full control over your email data, no compromises.