Mailman is developed with great care to be as secure and private as possible.
Mailman is Cloud Application Security Assessment (CASA) Tier 2 Verified by the App Defense Alliance (a part of the Linux Foundation). CASA requirements test all assurance levels of the OWASP Application Security Verification Standard (ASVS).
The OWASP ASVS provides a basis for testing web application technical security controls, and also provides a list of requirements for secure development.
Mailman's CASA verification is conducted annually by PwC.
All data is encrypted at rest with a symmetric key encryption algorithm such as AES-256-GCM. Individual fields containing Personally Identifiable Information (PII) are encrypted again at the application layer.
All data is encrypted in transit with TLS 1.3, and enforced with HTTP Strict Transport Security (HSTS).
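The transport controls described above, as an added example that is not Mailman's own code: a Go handler that answers plaintext requests with a permanent redirect to HTTPS, stamps every TLS response with a Strict-Transport-Security header, and a server configuration that refuses anything below TLS 1.3. The header value, port numbers and certificate paths are assumptions chosen for the example.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

// hstsValue asks browsers to use HTTPS for this host and its subdomains for
// two years. includeSubDomains is only safe if every subdomain serves TLS.
const hstsValue = "max-age=63072000; includeSubDomains"

// StrictTransport redirects plaintext requests to HTTPS and adds an HSTS
// header to every TLS response. The header is deliberately not sent on plain
// HTTP responses: browsers ignore it there (RFC 6797).
func StrictTransport(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			target := "https://" + r.Host + r.URL.RequestURI()
			http.Redirect(w, r, target, http.StatusPermanentRedirect)
			return
		}
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// TLSConfig refuses anything below TLS 1.3, so no legacy cipher suite or
// version downgrade can be negotiated. Go selects the TLS 1.3 suites itself.
func TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello over TLS 1.3\n"))
	})
	handler := StrictTransport(app)

	// Plain-HTTP listener exists only to bounce clients to HTTPS.
	go func() { log.Fatal(http.ListenAndServe(":8080", handler)) }()

	srv := &http.Server{
		Addr:      ":8443",
		Handler:   handler,
		TLSConfig: TLSConfig(),
	}
	// cert.pem and key.pem are placeholder paths for this example.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

If TLS terminates at a load balancer in front of the application, r.TLS is nil for every request; in that deployment the check has to consult a forwarded-protocol header that only the balancer is allowed to set, and the HSTS header is usually emitted by the balancer instead.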
Application secrets and credentials are stored in environment variables and not in source code.
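The application-layer encryption of individual PII fields and the environment-sourced key mentioned above, as an added example that is not Mailman's own code: each field is sealed with AES-256-GCM under a fresh random nonce, and the record identifier and field name are bound as associated data so a ciphertext cannot be silently copied into another row or column. The environment variable name MAILMAN_FIELD_KEY, the record layout and the sample value are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// FieldCipher encrypts one PII field at a time with AES-256-GCM, on top of
// whatever storage-level encryption already protects the database.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher builds a cipher from a 32-byte key. The key is expected to
// come from the environment or a secrets manager, never from source code.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to the row and column it belongs to, so a value
// presented under another record or field fails authentication.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

// Encrypt returns base64(nonce || ciphertext || GCM tag). A fresh random
// 96-bit nonce is drawn per call; reusing one under the same key would break
// GCM's confidentiality and integrity guarantees.
func (fc *FieldCipher) Encrypt(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := fc.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt. Wrong key, modified bytes and a mismatched
// record or field all produce the same error, so callers cannot tell them apart.
func (fc *FieldCipher) Decrypt(recordID, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns+fc.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := fc.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", errors.New("field decryption failed")
	}
	return string(plain), nil
}

// loadKey reads a base64-encoded key from MAILMAN_FIELD_KEY (a hypothetical
// name for this example) and falls back to a throwaway random key so the
// demo still runs without any configuration.
func loadKey() ([]byte, error) {
	if v := os.Getenv("MAILMAN_FIELD_KEY"); v != "" {
		return base64.StdEncoding.DecodeString(v)
	}
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	key, err := loadKey()
	if err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real user data.
	stored, _ := fc.Encrypt("user-42", "email", "alice@example.com")
	fmt.Println("stored value:", stored)
	recovered, _ := fc.Decrypt("user-42", "email", stored)
	fmt.Println("recovered:", recovered)
	_, err = fc.Decrypt("user-43", "email", stored)
	fmt.Println("same ciphertext under another record:", err)
}
```

Because the nonce is random per call, two encryptions of the same address produce different stored values, so equality lookups on the encrypted column are not possible; a separate keyed hash (blind index) is the usual answer when a field must remain searchable.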
Mailman is developed using a continuous integration (CI) and continuous deployment (CD) methodology. All code is automatically tested and deployed to production after being merged into the main branch.
Mailman is developed using a secure development lifecycle (SDLC) methodology. All code is scanned for vulnerabilities before being merged into the main branch.
Mailman is developed using a secure-by-default methodology. For example, every feature starts in its disabled, most secure state and must be explicitly enabled by the user.
Mailman is developed using a least privilege methodology. All actors are given the least privileges necessary to perform their function.
Mailman is developed using a zero trust methodology. All actors are authenticated and authorized before being granted access to resources.
Mailman regularly tests and deploys patches for vulnerabilities in software packages and has an automated alerting system for when new security patches are available.
All data is stored in the United States.