Security is not a feature. It is our architecture.

Privacy was not bolted on as an afterthought. This is how FAE was built from the ground up.

AES-256-GCM · EU-only · Reply-Only · GDPR-compliant
01 / Architecture

How emails flow through FAE

FAE operates as a proxy between the internet and you. No email provider is replaced, none is bypassed. Your real email address exists exclusively in our auth system — it is never exposed to any sender or recipient.

The entire mail flow runs through AWS SES (Simple Email Service) with EU infrastructure. Every incoming message passes through the following stages:

Inbound Email Flow

What happens when someone emails your alias

Sender (e.g. Netflix)
  → [SMTP] → MX Record (fae-mail.com)
  → [TLS 1.2+] → AWS SES (Receiving)
  → [Encrypted] → S3 + DB (AES-256-GCM)
  → [Push] → FAE App (Your Device)

Reply Flow (reversed)

FAE App (Your Reply)
  → [Validated] → Validation (Inbound Check)
  → [TLS 1.2+] → AWS SES (Sending)
  → [SMTP] → Recipient (Sees Only Alias)

Your real email appears nowhere in the flow.

Neither the original sender nor the recipient of your reply ever sees your real address. It exists exclusively in our encrypted auth system.

02 / Reply-Only Constraint

Replies only. No spam. By design.

FAE users cannot compose new emails or send to arbitrary addresses. The only outbound path is replying to an already received message. This is not a limitation — it is a deliberate architectural decision.

Every outgoing message is programmatically validated against the corresponding incoming message. Without a valid inbound original, there is no outbound. This makes FAE systemically incapable of being abused as a spam tool.

The reply-only principle makes FAE a privacy tool — not a spam platform.

What the reply-only principle guarantees

  • Users cannot send to arbitrary addresses
  • Every outgoing message is bound to an inbound original
  • Validation is server-side — not bypassable in the client
  • Rate limiting on replies per alias per hour
  • Mass emails are architecturally impossible
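
A sketch of the server-side check these guarantees describe, added here as an example and not FAE's own code. The class and field names, the 20-per-hour limit, and the rule that a reply may go only to the original sender are assumptions; the sample message is constructed.

```python
import time
from dataclasses import dataclass

MAX_REPLIES_PER_HOUR = 20  # assumed value; the page states no number

@dataclass(frozen=True)
class Inbound:
    message_id: str  # Message-ID of a stored inbound mail
    alias: str       # alias that received it
    sender: str      # address the mail came from

# Constructed sample: one stored inbound message.
SAMPLE_INBOUND = [Inbound("<m1@example.test>", "shop42@fae-mail.com", "news@example.test")]

class ReplyGate:
    """Server-side check: outbound mail exists only as a reply to a stored inbound."""

    def __init__(self, inbound, now=time.time):
        self.inbound = {m.message_id: m for m in inbound}
        self.sent = {}  # alias -> timestamps of accepted replies
        self.now = now  # injectable clock, so the limit can be tested

    def check(self, user_aliases, alias, in_reply_to, recipients):
        original = self.inbound.get(in_reply_to)
        if original is None:
            return "reject: no inbound original"
        if alias not in user_aliases or original.alias != alias:
            return "reject: alias does not own the original"
        # Assumption: the only allowed recipient is the original sender,
        # so added To/Cc/Bcc addresses fail here.
        if [r.strip().lower() for r in recipients] != [original.sender.lower()]:
            return "reject: recipient is not the original sender"
        t = self.now()
        recent = [s for s in self.sent.get(alias, []) if t - s < 3600]
        self.sent[alias] = recent
        if len(recent) >= MAX_REPLIES_PER_HOUR:
            return "reject: rate limit"
        recent.append(t)
        return "accept"

if __name__ == "__main__":
    gate = ReplyGate(SAMPLE_INBOUND)
    mine = {"shop42@fae-mail.com"}
    print(gate.check(mine, "shop42@fae-mail.com", "<m1@example.test>", ["news@example.test"]))
    print(gate.check(mine, "shop42@fae-mail.com", "<m1@example.test>", ["x@example.test"]))
```

Because every decision is made from server-held state (the inbound store and the per-alias counters), a modified client cannot widen the recipient list or skip the limit.
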
03 / Encryption

AES-256-GCM at rest. TLS 1.2+ in transit.

Every email stored in FAE is encrypted with AES-256-GCM — the same standard used by financial institutions and governments worldwide. In transit, TLS 1.2+ secures every connection. There is no point in the entire data flow where content exists unencrypted.

Aspect | Standard | Details
Storage (at rest) | AES-256-GCM | All email content, metadata, and attachments in S3 and database
Transmission (in transit) | TLS 1.2+ | All connections: SES receiving, API communication, app sync
Auth data | bcrypt + salt | Passwords are never stored in plaintext
API communication | HTTPS only | No unencrypted HTTP traffic; strict HSTS
Push notifications | APNs (TLS) | Apple Push Notification Service with encrypted connection

We don't read your emails. We don't analyze them. We don't sell anything. Our only source of revenue is your subscription.

04 / GDPR Compliance

GDPR is not a feature. It is the foundation.

All data is stored in the European Union — AWS eu-west-1 (Ireland). No data transfers to the US, no Cloud Act, no compromises. GDPR rights under Articles 15-20 are built directly into the app — no support ticket needed.

Right of Access

See what data we store about you at any time — accessible directly in the app.

GDPR Art. 15

Rectification

Correct inaccurate data yourself at any time through your profile.

GDPR Art. 16

Right to Erasure

Delete your account and all data — immediately and irreversibly. One tap.

GDPR Art. 17

Data Portability

Export all your data in a machine-readable format.

GDPR Art. 20

Requirement | Status | Implementation
EU data storage | Active | Exclusively AWS eu-west-1 (Ireland)
Data Protection Officer | Contact | privacy@fae-mail.com
DPA (Data Processing Agreement) | Available | On request for B2B customers at /dpa
Privacy by Design | Implemented | Minimal data collection, purpose limitation, alias isolation
Consent management | Implemented | Opt-in for marketing, granular push settings

05 / Infrastructure

Who processes your data?

Transparency is non-negotiable. Every service involved in processing your data — visualized with data flow, purpose, and location.

EU Data Space

Email Pipeline

AWS SES (EU): Email receiving & sending
MX Receiving · SMTP Sending · TLS 1.2+
eu-west-1 (Ireland)

AWS S3 (EU): Email storage
AES-256-GCM · Encrypted at rest
eu-west-1 (Ireland)

AWS Lambda (EU): Serverless logic
Validation · Routing · Reply Check
eu-west-1 (Ireland)

Database & Auth

Neon (EU): Database & authentication
PostgreSQL · Auth (JWT) · Serverless
EU (Frankfurt)

Vercel (EU): Website hosting
Static/SSG · CDN
EU (fra1)

Outside EU

Payments & Distribution

RevenueCat (Limited): Subscription management
Subscription status · Transaction IDs
US
No email content, no PII. Only subscription metadata.

Apple (Global): Push & distribution
APNs · App Store
Global (Apple infrastructure)
Device token + app metadata. No email content.

Your Device

FAE App · iOS · Encrypted connection

All email data stays in the EU.

The entire email pipeline — receiving, storage, processing, sending — runs exclusively on EU infrastructure (AWS eu-west-1, Ireland). Services outside the EU receive no email content and no personal data.

06 / Report Abuse

Zero tolerance for abuse.

FAE is a privacy tool — not a vehicle for spam, harassment, or illegal activity. We take every abuse report seriously and act quickly.

Report abuse from a @fae-mail.com address

If you have received unwanted emails from a @fae-mail.com address, report it to us:

abuse@fae-mail.com

Please include the following information:

  1. The full email headers of the unwanted message
  2. The @fae-mail.com address the message came from
  3. A brief description of the issue
  4. Your contact details for follow-up (optional)

We respond to all abuse reports within 24 hours. Violations of our terms of service result in immediate account suspension.

More questions about security?

Our team is happy to help.

Security — Architecture & GDPR at FAE | FAE