Security Policy
Last updated: February 2026
At ice.email, security is not an afterthought -- it is foundational to everything we build. This policy outlines our approach to information security and the measures we take to protect your data.
1. Information Security Policy
ice.email is committed to protecting the confidentiality, integrity, and availability of all information assets. Our Information Security Management System (ISMS), certified to ISO 27001:2022, provides the framework for managing security risks and ensuring continuous improvement. All employees, contractors, and third parties with access to ice.email systems are required to adhere to this policy.
2. Access Control
Access to ice.email systems is granted on a need-to-know and least-privilege basis. All administrative access requires multi-factor authentication (MFA). User accounts are reviewed quarterly and deactivated promptly upon role changes or termination. Privileged access is logged and monitored. Password policies enforce minimum complexity requirements and regular rotation.
3. Data Encryption
All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Email content, subscriber data, and backups are all encrypted. Encryption keys are managed through a secure key management system with regular key rotation. We do not store encryption keys alongside encrypted data.
4. Incident Response
ice.email maintains a documented incident response plan that is tested regularly. Security incidents are classified by severity (low, medium, high, critical) and escalated accordingly. Personal data breaches are reported to affected parties and relevant supervisory authorities within 72 hours as required by GDPR. All incidents undergo post-incident review to identify root causes and prevent recurrence.
5. Business Continuity
Our infrastructure is designed for high availability with redundant components at every level. Automated backups are performed daily and stored in geographically separate locations. Disaster recovery procedures are documented and tested at least annually. Our Recovery Time Objective (RTO) is 4 hours and Recovery Point Objective (RPO) is 1 hour for critical services.
6. Employee Security
All employees undergo background checks prior to employment. Security awareness training is mandatory during onboarding and refreshed annually. Employees sign confidentiality and acceptable use agreements. Access rights are adjusted immediately upon role changes. Disciplinary procedures are in place for security policy violations.
7. Physical Security
ice.email servers are hosted in Hetzner data centers in Germany, which maintain ISO 27001 certification and SOC 2 compliance. Data centers feature 24/7 security personnel, biometric access controls, CCTV surveillance, redundant power supplies, and fire suppression systems. All data is processed and stored within the European Union.
8. Compliance
ice.email complies with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and applicable national data protection laws. We maintain ISO 27001:2022 certification audited by Bureau Veritas. Regular internal audits and management reviews ensure ongoing compliance and continuous improvement of our security posture.
Contact
For security concerns, vulnerability reports, or questions about this policy, please contact our security team at security@ice.email. For responsible disclosure of security vulnerabilities, we commit to acknowledging receipt within 24 hours and providing a detailed response within 72 hours.