How does MailUp infrastructure ensure GDPR compliance?
Information security and adequate data management policies are our priority, with continuous investments in technology.
In the event of any discrepancy or inconsistency between this version and the Italian original, the Italian version shall prevail: https://mailup.it/gdpr-infrastruttura/
- Contractual commitments: relationships with TeamSystem are supported by contractual commitments for our services, including security standards, support and timely notifications in compliance with the GDPR requirements.
- Sharing our experience: we will share the information we collect through various data protection authorities and other reputable organizations, so that we can tailor what we have learned to help you create the best path for your organization.
Data Protection Impact Analysis
As required by regulations, our infrastructure and security policies have undergone an assessment to evaluate adequacy and the preliminary impact on data protection. These assessments will continue to be conducted regularly to maintain the highest data protection compliance standards.
Data Center located in Europe
To safeguard the confidentiality, integrity and availability of data, the MailUp platform uses cloud solutions on Azure (Microsoft) and AWS (Amazon Web Services) located in the European Union.
Data Loss Prevention (DLP)
MailUp believes that data loss prevention functions are of critical importance as they prevent sensitive information from being shared without authorization. An organization’s data is fundamental to its success; it must be immediately available to enable decision-making, but at the same time it must be protected from being shared with recipients not authorized to access it. For this reason, we have implemented a series of organizational and technical measures that allow us to guarantee our customers not only protection against unauthorized access, but also adequate security, in relation to the classification of the data processed, for all authorized access.
Service Availability
TeamSystem commits to making the MailUp® Platform available with an uptime rate of 99% on an annual basis, meaning 24 hours a day and 365 days a year for each annual period of the Agreement.
The security infrastructure protecting the web application relies on an enterprise-level firewall system, which not only provides traditional network traffic filtering functionality but also integrates advanced Intrusion Prevention System (IPS) capabilities. This component represents a critical element of TeamSystem’s multi-layered architecture. The system analyzes inbound and outbound traffic in real time, examining data packets to identify known attack patterns and potentially dangerous anomalous behaviors. The firewall’s IPS component is designed to neutralize various categories of cyber threats, including injection attempts, cross-site scripting attacks and others. The system is also effective in countering volumetric attacks such as Distributed Denial of Service (DDoS), limiting excessive traffic and blocking requests from IP addresses identified as malicious. Through periodic intelligence feeds, the IPS system regularly receives new attack signatures and compromise indicators, ensuring proactive and continuous protection over time.
The firewall also operates as protection against data exfiltration, monitoring and blocking unauthorized attempts to extract sensitive information from the protected environment to potentially malicious external destinations.
Mitigation techniques
The infrastructure is designed to be resilient to DDoS (Distributed Denial of Service) attacks through DDoS mitigation systems that automatically detect and filter excess traffic, and through dedicated load balancers that provide the scalability needed to absorb unexpected traffic volumes.
Encryption
- At the physical level we protect our data through a methodology that, in case of theft of physical storage media, does not allow the extraction of sensitive data. The technology used for storing data on physical media is designed to increase performance, make the system resilient to the loss of one or more disks, and allow media replacement without interrupting the service.
- At the application level, we secure all the data stored in customer databases using encryption at rest.
- The MailUp infrastructure databases apply encryption at rest, enabled by default. Protocols for connecting to the web interface, FTP folders and APIs are always encrypted (https with TLS 1.2 or higher, sFTP). Connections to the inbound SMTP servers support encryption via STARTTLS; it is then up to the caller (client) to decide whether or not to use this feature.
- We use the TLS / SSL cryptographic protocols, which rely on symmetric encryption based on a shared key to secure communications and ensure data integrity over the network.
- For even greater security, within TLS / SSL we use the AES-256 (Advanced Encryption Standard) block cipher, which replaced DES (Data Encryption Standard), together with RSA 2048 public key encryption technology.
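Because the inbound SMTP servers offer STARTTLS only opportunistically (the server advertises it, the client chooses), a sending client that wants the TLS 1.2-or-higher guarantee stated above has to enforce it on its own side. The following client-side check is an added example, not MailUp's or TeamSystem's code; the host name and port are placeholders.

```python
"""Client-side enforcement of STARTTLS and TLS >= 1.2 when relaying through an
SMTP server that only offers STARTTLS opportunistically (added example, not
MailUp's own code)."""
import smtplib
import ssl
from email.message import EmailMessage

# Hypothetical relay endpoint; replace with the real inbound SMTP host/port.
SMTP_HOST = "smtp.example.invalid"
SMTP_PORT = 587


def build_tls_context() -> ssl.SSLContext:
    """Context that refuses anything below TLS 1.2 and verifies the server certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def starttls_advertised(esmtp_features: dict) -> bool:
    """smtplib stores EHLO keywords lower-cased in esmtp_features; STARTTLS must be present."""
    return "starttls" in esmtp_features


def negotiated_version_ok(version: str) -> bool:
    """Accept only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 are rejected."""
    return version in ("TLSv1.2", "TLSv1.3")


def send_enforcing_starttls(msg: EmailMessage, host: str = SMTP_HOST, port: int = SMTP_PORT) -> str:
    """Send msg, failing closed if the server does not offer STARTTLS or the
    handshake lands below TLS 1.2. Returns the negotiated protocol version."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not starttls_advertised(smtp.esmtp_features):
            # Never fall back to plaintext: abort instead of sending unencrypted.
            raise RuntimeError("server did not advertise STARTTLS; refusing plaintext")
        smtp.starttls(context=build_tls_context())
        smtp.ehlo()  # re-issue EHLO after the upgrade, as RFC 3207 requires
        version = smtp.sock.version()
        if not negotiated_version_ok(version):
            raise RuntimeError(f"negotiated {version}, below TLS 1.2")
        smtp.send_message(msg)
        return version
```

The context's minimum_version already makes the handshake fail below TLS 1.2; the explicit version check after the upgrade is a second, auditable gate.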
Threat Protection
- We employ advanced systems for detecting viruses in email (both inbound and outbound), spoofing (use of spoofed senders) and we have a clear anti-spam policy.
- We use anti-phishing analysis tools and advanced protection against targeted threats such as spear phishing.
- Identification and blocking of malicious files in our internal network through the use of antivirus systems and proxy systems.
- Threat defense relies on anti-malware and anti-phishing solutions that, through the use of machine learning-based technologies, are able to detect and neutralize threats in real time.
- To support this strategy, DDoS mitigation solutions have been implemented to ensure business continuity even during volumetric attacks.
- We regularly and automatically check that all our servers are updated and have the latest security patches installed.
- We have introduced a remote monitoring and management tool that allows a far more efficient supervision of all user workstations, as well as automated antimalware scans and specific reports.
- We have introduced a Security Operations Center (SOC) to improve the detection and management of cyber attacks.
Multi-Factor Authentication and firewall
The corporate infrastructure is protected by web application firewalls and IDS (Intrusion Detection System) devices used to monitor IT resources for suspicious traffic patterns. Thanks to timely data traffic analysis performed by our highly specialized personnel, it is possible to detect attacks on the network or on individual computers, where Intrusion Detection Systems act as “anti-theft” systems.
There are also multi-factor authentication measures, i.e. an authentication system that requires more than one verification method and which adds at least a second level of security for user access and transactions. This method is used by system administrators and on the Cloud.
The firewall infrastructure is implemented in a high-availability configuration and is continuously maintained and updated.
Access Monitoring and control
- Advanced visibility on API calls.
- Log aggregation options to optimize investigations and compliance reporting.
- Definition, implementation and management of user access policies across all services.
- Monitoring of suspicious access allows detection of possible intrusions through robust machine learning functions.
- Programmable alert notifications in case of threshold exceeding or event detection.
- The rights and access levels of employees are based on their job duties and roles, using the “least-privilege” and “need-to-know” principles, in accordance with the responsibilities defined for the employee.
- Requests for additional access follow a formal process that requires approval by the data or system owner or by managers or other executives, depending on the established security criteria.
- Implementation of Group Policies via Windows Active Directory, which allow for greater security controls by automating a standard configuration of the user and device working environment.
Vulnerability Assessment
- Vulnerability tests (WAPT – Web Application Penetration Testing) are performed by third-party providers on an annual basis across the entire TeamSystem perimeter of critical applications.
- Testing involves high-level server penetration testing, in-depth testing for vulnerabilities within the application, and social engineering exercises.
- Finally, upon request, it is possible to authorize a vulnerability assessment by third parties.
Incident Management
- We have a rigorous incident management process for security events that may affect the confidentiality, integrity or availability of systems or data.
- MailUp uses scanning and monitoring tools (EDR, SIEM, SOC) that enable the detection, reporting and response to threats.
- If an incident occurs, the security team records and prioritizes it based on severity. Events that have a direct impact on customers have the highest priority.
- Monitoring and control are implemented through centralized log management systems that record in detail every activity performed on the platforms and APIs, enabling forensic analysis and periodic audits. These systems are tightly integrated with automatic alert mechanisms that, in case of anomalies or suspicious behavior, immediately activate the incident response procedures coordinated by the Security Operations Center (SOC).
Physical Security of Data Centers
Our services are hosted on cloud infrastructure provided by Microsoft Azure and Amazon Web Services (AWS), which guarantee enterprise-level physical and environmental security. The facilities are designed to protect data and resources from unauthorized access and physical events.
- Physical Protection and Controlled Access: Azure and AWS data centers are monitored 24/7 with video surveillance systems, biometric controls and security badges. Only authorized personnel from the service provider can access the facilities, following rigorous verification procedures.
- Environmental and Fire Safety Systems: both providers use advanced cooling and redundancy systems to maintain optimal operating conditions. Fire detection and suppression devices are in place, with alarms and automatic response systems to prevent equipment damage.
- Certifications and Compliance: Microsoft Azure and AWS comply with international security and privacy standards, including ISO 27001, SOC 1/2/3 and other industry frameworks. Further details are available in the official Microsoft Azure and AWS documentation.
Availability and integrity of personal data
To ensure data availability in case of hardware malfunctions, for the most critical servers, backup copies are scheduled with a minimum daily frequency and with secure retention of copies for one week on backup vaults that provide protection guarantees even in case of ransomware (e.g. cryptolocker). Such backups are periodically verified, organized in a manner that ensures data separation for each customer and securely encrypted to ensure maximum data confidentiality.
Asset management
All physical and logical assets are continuously monitored. The organization applies stringent corporate policies and operating procedures in the field of asset management, in order to verify their correctness and efficiency in the use and functionality along the entire life cycle of the resource. This life cycle begins with its acquisition, followed by the installation and control of applications software (strictly updated and approved), until its decommissioning and eventual destruction.
It should also be noted that remote monitoring and management tools are used to more efficiently oversee all user workstations, while also implementing automated antimalware scans and generating specific reports.
Secure Development
All applications developed by MailUp follow OWASP guidelines for secure coding and Data Protection by Design. The software development process adopted by MailUp includes an extensive testing phase that must be successfully completed before the software can be released to the production environment. Our highly specialized professionals design tests taking into account not only identified use cases but also abuse cases, in order to verify proper functioning in both legitimate and malicious interactions. MailUp utilizes cutting-edge tools to ensure the integrity and security of its services; in fact, every change to the source code is analyzed using static code analysis tools. Changes to the source code also undergo a code review phase prior to approval. All our staff involved in every phase of development and deployment receive ongoing training and updates on best practices derived from the leading international standards in the field.
Training
At MailUp we believe that continuous training is the only way to keep pace with the state of the art, improve and innovate. MailUp provides all its employees with the tools necessary for their professional growth. Every year, specific training plans are also scheduled for each company department.
Background Check
All our professionals have been hired after rigorous screening in terms of competencies and abilities. A background check of candidates is performed before hiring to verify security requirements, career path and motivation. The organization has established corporate policies and procedures to ensure that the entire lifecycle of the employee is governed to guarantee labor rights and the security of assigned resources.
Data Classification
All data and information processed by the organization is classified in relation to its criticality in terms of confidentiality, availability, traceability and integrity.
Risk Assessment
Specific corporate policies and procedures are in place for risk assessment against the main cyber threats. The implementation of our technical and organizational security measures is the result of continuous and constant evaluation in terms of likelihood and impact on the confidentiality, availability and integrity of the data and information we process, our own and those of our customers. The organization pursues a risk-based approach in every area of its activities and for the implementation of its technical-organizational models, as provided by the regulations that are part of the data protection and cybersecurity frameworks.
Supplier Management
Our suppliers and third parties are continuously monitored. A risk assessment and verification of their technical and organizational measures is performed. This verification is carried out in compliance with Article 28 of the GDPR in case of processing of personal data by a supplier appointed as Data Processor. Agreements with all our suppliers are continuously monitored and controlled in order to verify service levels (SLA).
Hardware Tracking and Disposal
Control starts at acquisition, continues through installation, and lasts until decommissioning and possible destruction.
For hardware disposal, we carry out disk destruction and data elimination according to a well-defined internal procedure.
Suppliers
Where applicable, we use service suppliers only after verifying that they can provide an adequate level of security, privacy and precise guarantees on the ability to manage data processing entirely in Europe.
Among these:
- Amazon Inc. for the provision of support network services and storage of images uploaded by customers, including CDN (Content Delivery Network) and Web proxy services;
- Microsoft Ireland Operations, Ltd. with registered office at South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland for the storage and hosting of personal data on cloud servers within the European region.
For information on general policies regarding data processing and security of other TeamSystem products, you can refer to this page: https://www.teamsystem.com/dpa/
date of first issue: January 31, 2023
update date: May 28, 2026
For many sectors, the GDPR represents an important social innovation, as it clarifies and allows individuals to manage their own privacy. TeamSystem boasts considerable experience in threat protection, privacy safeguarding and compliance with various regulations. We operate a transparency policy and aim to provide you with the information you need to feel secure when using the platform. Every day we renew our commitment to respect our principles of trust in the cloud, in data protection and security.
As provided by the regulation, our infrastructure and security policies have been subject to an assessment of their adequacy and to a preliminary data protection impact assessment. These assessments will continue to be conducted regularly to maintain the highest standards of data protection compliance.