Last updated: April 18, 2026 · Short term + Mid-term E2E + Long-term certifications
What already protects your data today:
This access is currently necessary to operate webmail display, opt-in AI classification, full-text search, technical support, and backups. It is strictly governed by internal access rules and GDPR.
The AI Briefing, AI Replies, and AI Analysis features send your email content to Anthropic (USA) for processing. This is an explicit opt-in, disabled by default, and revocable at any time in Settings. Without opt-in, no content leaves our EU infrastructure.
Continuous technical improvements. Real-time verifiable status on our transparency & audits page.
DES/RC4/3DES/SHA1 excluded, AEAD-only (TLS 1.2+). Verifiable via internet.nl Mail.
HSTS max-age 2y + preload, CSP with base-uri/form-action/object-src/upgrade-insecure-requests, COOP/CORP same-origin, extended Permissions-Policy, server_tokens off, duplicate headers from the reverse proxy removed. Mozilla Observatory: 55 → 80.
MTA-STS policy published in enforce mode on mta-sts.ecosmail.fr. TLS-RPT reporting active.
DMARC in strict mode (rejection of spoofed emails). Fail2ban active on SMTP/IMAP services.
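The two items above are only as good as the policy text actually published. As an added example (not EcosMail's own tooling), this shell lint checks an MTA-STS policy file (RFC 8461) for enforce mode and a DMARC TXT record for a reject policy; sample inputs are constructed and the hostnames are placeholders.

```shell
# Added example: lint an MTA-STS policy file and a DMARC record for the
# "enforce" / "reject" settings described above. Constructed samples only.

# Value(s) of "key: value" line(s) in an MTA-STS policy, trailing CR removed.
sts_get() {
  awk -F': *' -v k="$2" 'tolower($1)==k { sub(/\r$/, "", $2); print $2 }' "$1"
}

# 0 if the policy is a usable enforce-mode policy, 1 otherwise (reason on stderr).
mta_sts_lint() {
  [ "$(sts_get "$1" version)" = "STSv1" ] || { echo "version is not STSv1" >&2; return 1; }
  [ "$(sts_get "$1" mode)" = "enforce" ]  || { echo "mode is not enforce" >&2; return 1; }
  [ -n "$(sts_get "$1" mx)" ]             || { echo "no mx line" >&2; return 1; }
  age=$(sts_get "$1" max_age)
  # This lint's own threshold: senders should cache the policy for at least a day.
  [ "${age:-0}" -ge 86400 ] 2>/dev/null  || { echo "max_age below 86400" >&2; return 1; }
}

# Value of tag $2 in a DMARC record string $1, e.g. "v=DMARC1; p=reject; rua=...".
dmarc_tag() {
  printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# 0 when spoofed mail is rejected for the domain and (via sp, if set) its subdomains.
dmarc_is_strict() {
  [ "$(dmarc_tag "$1" v)" = "DMARC1" ] || return 1
  [ "$(dmarc_tag "$1" p)" = "reject" ] || return 1
  sp=$(dmarc_tag "$1" sp)
  [ -z "$sp" ] || [ "$sp" = "reject" ]
}

# Constructed demo: a testing-mode policy (typical first deployment) next to the
# enforce-mode policy the roadmap item describes, then two DMARC records.
demo() {
  dir=$(mktemp -d)
  printf 'version: STSv1\r\nmode: testing\r\nmx: mail.example.invalid\r\nmax_age: 86400\r\n' \
    > "$dir/testing.txt"
  printf 'version: STSv1\nmode: enforce\nmx: mail.example.invalid\nmax_age: 604800\n' \
    > "$dir/enforce.txt"
  for f in testing enforce; do
    if mta_sts_lint "$dir/$f.txt"; then echo "$f: OK"; else echo "$f: FAIL"; fi
  done
  rm -rf "$dir"
  dmarc_is_strict 'v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid' && echo "dmarc: strict"
  dmarc_is_strict 'v=DMARC1; p=quarantine; pct=100' || echo "dmarc: not strict"
}
demo
```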
Published at /.well-known/security.txt. Allows security researchers to instantly find the right contact (security@ecosmail.fr) and disclosure policy. Expires 2027-04-18 (to renew).
DNSSEC activated via IONOS panel. DS 39605/RSASHA256 published at AFNIC, full chain root → .fr → ecosmail.fr. Strict validation confirmed (Verisign DNSSEC Analyzer + delv: fully validated).
The IONOS DNS panel does not support the TLSA record type, which prevents publication of the public-key hash required by DANE. The hash is already generated, and certbot --reuse-key is enabled so that the hash stays stable across certificate renewals. Migration of DNS management to a compatible operator (deSEC.io or an equivalent European non-profit) is under review. Expected after migration: internet.nl Mail → 95%.
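How the DANE public-key hash mentioned above is derived, and why certbot --reuse-key matters for it, as an added shell example (not EcosMail's tooling): the TLSA "3 1 1" digest is the SHA-256 of the certificate's SubjectPublicKeyInfo, so it only changes when the private key changes. The hostname is a placeholder and the certificates are generated locally as constructed test material.

```shell
# Added example: derive a DANE TLSA "3 1 1" record (DANE-EE, SPKI, SHA-256) for an
# MX host and show that renewing the certificate with the SAME key (what
# certbot --reuse-key does) leaves the published hash unchanged, whereas a fresh
# key would break DANE validation until the TLSA record is updated.

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate (64 hex chars).
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r \
    | cut -d' ' -f1
}

# TLSA record for SMTP (port 25): usage 3 = DANE-EE, selector 1 = SPKI, matching 1 = SHA-256.
tlsa_record() {
  printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_sha256 "$2")"
}

# Self-signed certificate for CN $2 from existing private key $1, written to $3.
# Constructed stand-in for an ACME renewal; a CA-issued cert gives the same SPKI hash.
issue_cert() {
  openssl req -x509 -new -key "$1" -subj "/CN=$2" -days 30 -out "$3" 2>/dev/null
}

# Renew twice from the same key and compare records. Returns 0 when stable, 1 if moved.
reuse_key_keeps_tlsa() {
  dir=$(mktemp -d)
  issue_cert "$1" "$2" "$dir/old.pem"
  issue_cert "$1" "$2" "$dir/new.pem"
  old=$(tlsa_record "$2" "$dir/old.pem")
  new=$(tlsa_record "$2" "$dir/new.pem")
  rm -rf "$dir"
  [ "$old" = "$new" ]
}

# Constructed demo run with a placeholder hostname.
demo() {
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" 2>/dev/null
  issue_cert "$dir/key.pem" mail.example.invalid "$dir/cert.pem"
  tlsa_record mail.example.invalid "$dir/cert.pem"
  reuse_key_keeps_tlsa "$dir/key.pem" mail.example.invalid \
    && echo "record stable across --reuse-key renewals"
  rm -rf "$dir"
}
demo
```

Publishing the record is only half of it: the same digest should be re-derived from the live certificate after every renewal and compared with DNS before DANE is relied on.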
Migrate inline <script> blocks to external files to remove 'unsafe-inline'. Mozilla Observatory: 80 → 100.
Authenticated logo in Gmail, Apple Mail and Yahoo Mail. ~€1k/year for VMC at DigiCert/Entrust.
Submit ecosmail.fr to hstspreload.org. Forces HTTPS on all subdomains at browser level. Irreversible decision — to confirm only when sure all subdomains will be HTTPS forever.
IPv6 currently unavailable on our IONOS VPS. Once allocated: Postfix inet_protocols=all + AAAA mail.ecosmail.fr. Expected: internet.nl Mail +20pts.
Our goal: ensure the server never sees plaintext content. This is a multi-phase effort.
X25519/Ed25519 generation at signup, secure storage, push payload v2, infrastructure for encrypted server-to-mobile exchanges.
The EcosMail mobile app decrypts E2E payloads client-side. This is the main technical blocker. Once shipped, push notifications become genuinely E2E between server operations and device.
All direct messages between EcosMail users are encrypted with the recipient's X25519 key. The server stores ciphertext only.
For exchanges with external contacts (Gmail, etc.), optional OpenPGP support via the Autocrypt standard. Compatible with Thunderbird, Proton, Mailvelope.
Three-tier trajectory, calibrated for a pragmatic European startup. Verifiable and auditable at each step.
Be able to say « we are serious » without lying. Everything here is free; it only costs time.
Provide audit-friendly proof verifiable by any B2B prospect.
Targeted app + infra audit by a recognized French firm (Almond, Synacktiv, Lexfo). Publishable remediation attestation (full report stays confidential).
Cloud Security Alliance STAR Registry, Level 1 (free self-attestation via CAIQ ~300 questions, ~3-5 days drafting). Usable badge + entry in public CSA registry.
European insurer (Stoik, Hiscox, Coalition). Cyber incident + breach notification coverage. Required by 80% of B2B prospects.
CASA audit via Securitum (Poland) or DEKRA (Germany) required to move gmail.readonly scope out of « Testing » mode (>100 users). To evaluate after traction.
Microsoft is much more permissive than Google. Free verification via Microsoft Partner Network.
Triggered when revenue / B2B clients justify it. Strategic choice between privacy-first (Europrivacy) or enterprise-ready (ISO 27001).
Comprehensive audit of E2E architecture by recognized firm (Quarkslab for crypto, Synacktiv generalist, Cure53 for crypto/web). Public report. Trigger: Phase 2 delivery.
Europrivacy (€10-20k, 4-8 months): only certification formally recognized as GDPR-compliant (Article 42). Audience: French DPOs, public sector, HR/health. EU bodies: Bureau Veritas, AFNOR Cert, ECCP.
ISO 27001:2022 (€25-40k, 6-12 months): global enterprise standard, asked by large IT departments. EU bodies: Bureau Veritas, LRQA, DEKRA, AFNOR. Extension ISO 27701 (+€10-15k) adds privacy scope.
Free ANSSI dossier + qualified provider audit to assemble it. French marketing differentiator. ANSSI decision ~6 months.
| Term | Meaning |
|---|---|
| Encryption at rest | Data stored on disk is encrypted. Accessible to the running server. |
| Encryption in transit | Data protected during network transport (TLS). |
| E2E (end-to-end) | Client-side encryption: only sender and recipient have access to plaintext. The server only sees ciphertext. |
| X25519 | Asymmetric key exchange algorithm (Diffie-Hellman on elliptic curve). |
| Ed25519 | Digital signature algorithm. Used to prove identity. |
| AES-256-GCM | Symmetric AES 256-bit encryption in GCM (authenticated) mode. Widely deployed NIST standard for authenticated encryption. |
| Autocrypt | OpenPGP key exchange standard via email. Enables E2E with Gmail, Proton, etc. |
→ Transparency & external audits — all our security scores measured by public open-source tools (internet.nl, SSL Labs, Hardenize, etc.) with direct verification links.
Questions, reports, suggestions: security@ecosmail.fr
This page is intentionally detailed. If anything seems inaccurate or misleading, tell us — we will fix it.