Security Policy


Our host is an enterprise-level SaaS based web-application that combines messaging campaign management and deployment across multiple digital channels including email, SMS, mobile app messaging, and social media.

The application is offered as a “hosted rich internet application”. Users require a modern browser, for example IE 7+, Firefox, Chrome, or Safari, to access it. The browser sessions use a 128-bit encrypted SSL connection. The servers are hosted in a secure facility with 24/7 monitoring, redundant power, nightly and real-time backups complying with international standards for data security and management.

Application Security

Our host has powerful client security controls, including those that allow clients to do the following:

Implement User-level and Organizational-level IP address restrictions. Our platform can bind campaign sends to specific and dedicated IP addresses.

Limit each user’s access to specific functional areas within the application and which actions can be performed within those areas.

Limit visibility to assets within each functional area by use of permissions-based folders.

Restrict 3rd-party API access rights to specific method classes and to specific commands.

Restrict database access rights and secure file transfer site access rights.


Secure Architecture

The hosts enterprise network uses primarily Cisco networking equipment. Networking equipment is configured consistent with the manufacturers’ best practices for operational stability and security. All servers and the networking equipment is owned by Maropost and operated by a 3rd-party hosting provider.

Security Policy

Secure Transmissions and Sessions

Connection to the hosts environment is via SSL 2.0/TLS 1.2 ensuring that our users have a secure connection from their browsers to our service. Individual user sessions are identified and re-verified with each transaction, using a unique token created at login required for all communications with hosts data centers. Maropost hosts a secure FTP server with 128-bit encryption for manual and automated file transfers.

Network Protection

Perimeter CISCO firewalls block unused protocols. Intrusion prevention and detection sensors report events to a security event management system for logging, alerts, and reports and internal access control lists segregate traffic between the application and database tiers.


Our Information Security department monitors notification from various sources and alerts from internal systems to identify and manage threats.

Data Centers

Our service is collocated in dedicated spaces at top-tier data centers maintained dedicatedly by our 3rd-party hosting provider. Images used in emails are uploaded to and served by our 3rd-party content delivery network provider.

Disaster Recovery

Maropost performs cross data center replication for disaster recovery. Data is transmitted across encrypted links and disaster recovery tests verify our projected recovery times and the integrity of client data.


All data is backed up to disk at each data center on a rotating schedule of incremental and full backups. Data is replicated to other data centers via an encrypted tunnel.

Regulatory Compliance

Maropost’s data center hosting provider is ISO/IEC 27001 certified. Both Maropost and its hosting provider maintain PCI-compliant policies and procedures. Maropost’s SaaS platform includes built-in governance that comply with requirements specified by CAN-SPAM, TCPPA, CASL, and PIPEDA. Maropost aggressively enforces its requirement that each of its clients comply with these regulatory specifications. Clients failing to comply will receive a written warning. If practices remain uncorrected, they will have their contract immediately terminated and all access privileges revoked.