Xtremepush only allows data to be transmitted over secure protocols, for example HTTPS, SFTP. This covers all access points to Xtremepush, including the user interface, file uploads, scheduled imports, Xtremepush's external API, third party APIs, and recipient responses.
Xtremepush supports the following protocols:
- TLS 1.3
- TLS 1.2
Xtremepush uses a range of ciphers, to which new ones are added as they are made available, and old ones are removed when they are no longer required.
Xtremepush undertakes to remove protocols and ciphers with known vulnerabilities unless we have active mitigation in place, so that we can give a longer timeframe for any clients and end-user devices that may still be using it.
Notice of changes that would affect clients will be communicated in advance.
As an exception to the Data Transfer rule above, outbound email from Xtremepush to third-party mail servers (ie. during the delivery of email campaigns and system notifications) may not be encrypted if the receiving Inbox Service Provider ("ISP"; for example Gmail, Office365, corporate mail servers) does not support encryption.
Xtremepush will use TLS by default, falling back to unencrypted if the ISP does not announce their support for encryption during the standard SMTP protocol connection, or the TLS connection fails when attempted. This ensures delivery of emails to recipients.
As of April 2022 we send <2% of emails without encryption. TLS v1.3 accounts for 83% of all email communication, with TLS v1.2 covering the remaining.
All data is encrypted at rest, using AES-256 system-level encryption.
Where necessary to store data securely (eg. credentials for Xtremepush to automatically connect to an SFTP site), this is done using AES-256, using independently verified encryption mechanisms.
Updated about 1 year ago