We often talk about features: Instant aliases, anonymous replies, EU hosting. But how does it all work under the hood? This article pulls back the curtain and shows you how FAE protects your data — technically, transparently, comprehensibly.

The Core Principle: Separation as Security Strategy

The central idea behind FAE is separation. Not obfuscation, not encryption as an alibi — real, architectural separation of your identities.

  • Own inbox per alias
  • Own incoming queue and metadata
  • No connection to other aliases
  • No connection to your real identity

If an alias is compromised, the maximum damage is limited to that one alias. This isn't a feature decision — this is Security by Design.

EU Hosting: Why Location Matters

FAE runs exclusively on servers in Ireland, EU. Why?

Legal certainty: GDPR applies throughout. Server location on its own does not settle the CLOUD Act question, since that law reaches any provider under US jurisdiction wherever its servers stand; the claim rests on the operator, not just the data center, being outside that jurisdiction. With both in the EU, data reaches US authorities only through a request that is valid under EU law, never on a direct order.

Technical control: We know exactly where our servers are. We have physical access, we know the data center, we trust the provider.

Encryption: AES-256-GCM for Everything

All emails are stored with AES-256-GCM encryption. AES-256 is the cipher approved for protecting classified information up to TOP SECRET, and the GCM mode adds an authentication tag, so a stored message that has been altered fails to decrypt instead of silently yielding garbage.

How it works:

  1. An email arrives on our server
  2. The content is encrypted under a key that is unique to that message
  3. The key is not stored; only the app can re-derive it, using your authentication token
  4. A complete database leak therefore yields only ciphertext. This holds exactly as long as the key material, and the secret it is derived from, never sit in the same store as the ciphertext; a leak that included them would expose the mail.
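
The per-message key derivation and the alias separation described above, as an added example written for this article rather than FAE's own code. It assumes a root secret that is available only after the owner authenticates (the hypothetical rootSecret), derives one AES-256 key per stored message with a standard-library HKDF, and passes the alias ID as GCM associated data so a record cannot be read under another alias or moved between inboxes. The alias names and message text are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sealed is the record the database keeps for one message. The key itself
// is deliberately absent: it is re-derived from rootSecret when the owner
// authenticates, so a copy of the table alone yields only ciphertext.
type Sealed struct {
	AliasID    string
	Salt       []byte // random, per message: selects a fresh key each time
	Nonce      []byte // 96-bit GCM nonce; unique per key (here: per message)
	Ciphertext []byte // AES-256-GCM output, authentication tag appended
}

// hkdfSHA256 is a single-block HKDF (RFC 5869) extract-and-expand built from
// the standard library; its 32-byte output is exactly one AES-256 key.
func hkdfSHA256(secret, salt []byte, info string) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(info))
	expand.Write([]byte{1}) // HKDF-Expand block counter T(1)
	return expand.Sum(nil)
}

// messageKey binds the derived key to both the alias and the per-message
// salt, so a key for one alias is useless for any other alias's records.
func messageKey(rootSecret []byte, aliasID string, salt []byte) []byte {
	return hkdfSHA256(rootSecret, salt, "fae-message-key/"+aliasID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one inbound message for aliasID. The alias ID also goes in
// as GCM associated data, so the record cannot be re-homed to another inbox
// without the tag check failing.
func Seal(rootSecret []byte, aliasID string, plaintext []byte) (Sealed, error) {
	salt := make([]byte, 16)
	nonce := make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return Sealed{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	gcm, err := newGCM(messageKey(rootSecret, aliasID, salt))
	if err != nil {
		return Sealed{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(aliasID))
	return Sealed{AliasID: aliasID, Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// Open re-derives the key and decrypts. A wrong secret, a wrong alias and a
// modified record all fail the same way: GCM refuses to return plaintext.
func Open(rootSecret []byte, aliasID string, s Sealed) ([]byte, error) {
	gcm, err := newGCM(messageKey(rootSecret, aliasID, s.Salt))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(aliasID))
	if err != nil {
		return nil, errors.New("decryption refused: wrong secret, wrong alias, or tampered record")
	}
	return pt, nil
}

func main() {
	// Constructed demo values; in production rootSecret comes from the
	// user's authentication, never from the same database as the records.
	root := []byte("constructed-root-secret-not-for-production")
	rec, err := Seal(root, "shop@alias.example", []byte("Your order has shipped."))
	if err != nil {
		panic(err)
	}
	pt, err := Open(root, "shop@alias.example", rec)
	fmt.Printf("owner opens:       %q err=%v\n", pt, err)
	_, err = Open(root, "news@alias.example", rec)
	fmt.Println("other alias opens: err =", err)
	rec.Ciphertext[0] ^= 0x01
	_, err = Open(root, "shop@alias.example", rec)
	fmt.Println("tampered record:   err =", err)
}
```

Because every message gets its own salt and therefore its own key, the random 96-bit nonce never has to be unique across the whole store, only within one key, which sidesteps the nonce-reuse failure mode of GCM entirely.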

The Reply-Only System: Security Through Restriction

Our most controversial feature is also our most secure: You can only reply, not actively send.

  • Spam prevention: nothing leaves FAE that is not an answer to a message an alias has already received, so the service cannot be turned into a launch base for spam
  • Trustworthiness: a domain that never originates unsolicited mail keeps a clean sender reputation with receiving providers
  • Focus: FAE is designed for receiving and occasional replies
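
The policy check behind "reply only", as an added example that is not FAE's own code. It assumes the server keeps, per alias, the Message-ID and sender of every inbound mail, and it authorizes an outbound message only when it is sent from the alias that received the referenced message, back to that message's sender. The inbox is keyed by alias and Message-ID together, so a reply attempt from a different alias is indistinguishable from a reference to a message that never existed; the sample inbox and requests are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Received is the stored record of one inbound message in an alias inbox.
type Received struct {
	Alias     string // alias that received the message
	MessageID string // Message-ID header of the inbound mail
	From      string // sender of the inbound mail
}

// ReplyRequest is what the app submits when a user answers a message.
type ReplyRequest struct {
	FromAlias string
	To        string
	InReplyTo string
}

var (
	ErrNotReceived    = errors.New("reply rejected: this alias has no such received message")
	ErrWrongRecipient = errors.New("reply rejected: recipient is not the original sender")
)

// normalize makes header-style values comparable: trimmed, case-folded,
// angle brackets removed.
func normalize(s string) string {
	return strings.ToLower(strings.Trim(strings.TrimSpace(s), "<>"))
}

// Inbox indexes received mail by (alias, Message-ID). Keying on the alias too
// means a Message-ID that belongs to another alias looks exactly like one
// that never existed: no cross-alias lookups, no cross-alias information.
type Inbox struct {
	byKey map[string]Received
}

func NewInbox(msgs ...Received) *Inbox {
	ib := &Inbox{byKey: make(map[string]Received)}
	for _, m := range msgs {
		ib.byKey[normalize(m.Alias)+"\x00"+normalize(m.MessageID)] = m
	}
	return ib
}

// Authorize returns nil only when the reply goes from the alias that received
// the referenced message, back to that message's sender. Everything else,
// including a fresh message with no In-Reply-To, is refused.
func (ib *Inbox) Authorize(r ReplyRequest) error {
	orig, ok := ib.byKey[normalize(r.FromAlias)+"\x00"+normalize(r.InReplyTo)]
	if !ok {
		return ErrNotReceived
	}
	if normalize(orig.From) != normalize(r.To) {
		return ErrWrongRecipient
	}
	return nil
}

func main() {
	// Constructed sample inbox: one alias has received one order confirmation.
	ib := NewInbox(Received{Alias: "shop@alias.example", MessageID: "<order-1@shop.example>", From: "orders@shop.example"})
	cases := []ReplyRequest{
		{FromAlias: "shop@alias.example", To: "orders@shop.example", InReplyTo: "<order-1@shop.example>"}, // legitimate
		{FromAlias: "shop@alias.example", To: "victim@other.example", InReplyTo: "<order-1@shop.example>"}, // redirected
		{FromAlias: "news@alias.example", To: "orders@shop.example", InReplyTo: "<order-1@shop.example>"}, // wrong alias
		{FromAlias: "shop@alias.example", To: "orders@shop.example", InReplyTo: ""},                        // new mail
	}
	for _, c := range cases {
		fmt.Printf("%-19s -> %-21s in-reply-to=%q: %v\n", c.FromAlias, c.To, c.InReplyTo, ib.Authorize(c))
	}
}
```

The recipient check is what keeps the feature honest: without it, a valid In-Reply-To would be enough to send arbitrary mail to arbitrary addresses, and the spam argument would collapse.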

We don't read your emails. We don't analyze them. We don't sell anything. Our only source of revenue is your subscription.

No Tracking, No Analytics

This sounds like marketing speak, but it's a technical reality:

  • No analytics tools: No Google Analytics, no Mixpanel
  • No advertising cookies — only essential session cookies
  • No behavior analysis and no sharing of your data

Authentication and Access Control

Passwords: We don't store plaintext passwords, only bcrypt hashes, which carry their own random salt and a tunable work factor that makes offline guessing slow. A database leak therefore does not hand out passwords, but a weak password can still be guessed from its hash given enough time, which is why a strong, unique password and 2FA still matter.

Two-factor authentication: Optionally available via TOTP (Time-based One-Time Password). Compatible with Google Authenticator, Authy, 1Password, and others.
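
What the server side of TOTP verification has to get right, as an added example that is not FAE's own code: RFC 6238 code generation over 30-second steps, a one-step skew window for clock drift, a constant-time comparison, and a per-user record of the last accepted step so a code that has already been used cannot be replayed within its window. The demo seed is the RFC 4226 reference secret; the user name and timestamps in main are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep   = 30 // seconds per code, as in RFC 6238 and the common apps
	totpDigits = 6
	totpSkew   = 1 // accept one step either side to absorb clock drift
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation, then the low 6 decimal digits, zero-padded.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totpAt is RFC 6238: HOTP with the counter set to the current 30-second step.
func totpAt(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpStep))
}

// Verifier remembers the last accepted step per user, so a code that was
// already consumed cannot be replayed while it is still inside the window.
type Verifier struct {
	lastStep map[string]uint64
}

func NewVerifier() *Verifier {
	return &Verifier{lastStep: make(map[string]uint64)}
}

// Verify checks code against the steps now-skew..now+skew using a
// constant-time comparison and refuses any step at or before the last
// one accepted for this user.
func (v *Verifier) Verify(user string, secret []byte, code string, now int64) bool {
	if len(code) != totpDigits {
		return false
	}
	step := now / totpStep
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		cand := uint64(step + d)
		if subtle.ConstantTimeCompare([]byte(hotp(secret, cand)), []byte(code)) != 1 {
			continue
		}
		if last, seen := v.lastStep[user]; seen && cand <= last {
			return false // replay of a code already consumed
		}
		v.lastStep[user] = cand
		return true
	}
	return false
}

func main() {
	// RFC 4226/6238 reference secret, used here as a constructed demo seed.
	secret := []byte("12345678901234567890")
	v := NewVerifier()
	now := time.Now().Unix()
	code := totpAt(secret, now)
	fmt.Println("current code:      ", code)
	fmt.Println("first use accepted:", v.Verify("alice", secret, code, now))
	fmt.Println("replay accepted:   ", v.Verify("alice", secret, code, now+5))
}
```

The replay record matters because a six-digit code stays valid for up to 90 seconds with a one-step skew; a code captured from a phishing page or a shoulder-surf is otherwise usable until the window closes. The TOTP seed is a shared secret, so it deserves the same at-rest protection as the mail itself.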

Incident Response: What Happens in Case of an Incident?

Security isn't just prevention — reaction counts too. Our incident response plan:

  1. Detection: Automated monitoring systems report anomalies
  2. Containment: Immediate isolation of affected systems
  3. Investigation: Forensic analysis of the incident
  4. Notification: the supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33), and affected users without undue delay where the breach is likely to put them at high risk (Art. 34)
  5. Follow-up: Measures to prevent similar incidents

Conclusion

Security isn't a product you buy. It's a process you live. At FAE, it permeates every aspect of our architecture:

  • Separation instead of centralization
  • Encryption as standard
  • Restriction as feature
  • Transparency as principle