Security at ZeroDrop

Last updated: June 20, 2026

Our security posture

ZeroDrop is built on security-first infrastructure. We use industry-standard providers with their own security certifications and follow secure development practices throughout our stack. While we are not ISO 27001 or SOC 2 certified at this stage, we take security seriously and have implemented strong protections across all layers of the product.

Transport security

All data in transit is encrypted using TLS 1.3. This applies to every connection between your browser, the ZeroDrop dashboard, our API, and our backend infrastructure. We enforce HTTPS-only access — HTTP requests are automatically redirected.

DDoS and network protection

ZeroDrop runs behind Cloudflare, which provides enterprise-grade DDoS mitigation, WAF (Web Application Firewall), and bot protection on all endpoints. Our email-catching infrastructure runs on Cloudflare Workers at the edge — distributed across 300+ data centers globally.

Data storage and encryption

Emails are stored in Upstash Redis with encryption at rest. All inboxes are automatically deleted after 30 minutes via a TTL process — no manual intervention required. API keys for Workspaces subscribers are stored encrypted at rest. We do not store payment card data — all payments are handled by Dodo Payments, which is PCI DSS compliant.

Data isolation

Each disposable inbox is isolated by a unique random identifier generated client-side. There is no authentication on the free tier by design — inbox names are the access control. Workspaces subscribers get dedicated API keys and domain isolation. No data from one inbox is ever accessible via another.
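
Because the inbox name is the only access control on the free tier, it has to be generated like a bearer secret: from a CSPRNG, without sampling bias, and with enough entropy to resist guessing. The sketch below is an added example, not ZeroDrop's code; the alphabet, the 26-character length, the 128-bit floor and all function names are assumptions rather than values from this page.

```javascript
// Added illustration, not ZeroDrop's implementation.
// Works in browsers and in Node (falls back to node:crypto on older Node).
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"; // assumed: 36 symbols
const NAME_LENGTH = 26;       // assumed: 26 * log2(36) is about 134 bits
const MIN_ENTROPY_BITS = 128; // assumed floor for a name used as a secret

// Entropy of a uniformly random name: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// One byte from the platform CSPRNG (never Math.random for this purpose).
function csprngByte() {
  return webcrypto.getRandomValues(new Uint8Array(1))[0];
}

// Index in [0, n) without modulo bias: bytes at or above the largest
// multiple of n that fits in a byte are discarded and redrawn.
function unbiasedIndex(n, randomByte) {
  const limit = 256 - (256 % n);
  let b;
  do { b = randomByte(); } while (b >= limit);
  return b % n;
}

// Client side: generate the inbox name; refuse parameters that are too weak.
function generateInboxName(length = NAME_LENGTH, alphabet = ALPHABET, randomByte = csprngByte) {
  if (entropyBits(length, alphabet.length) < MIN_ENTROPY_BITS) {
    throw new RangeError("inbox name too short to act as an access token");
  }
  let name = "";
  for (let i = 0; i < length; i++) {
    name += alphabet[unbiasedIndex(alphabet.length, randomByte)];
  }
  return name;
}

// Server side: a client-chosen name cannot be proven random, but names that
// are too short or use characters outside the alphabet can still be refused.
function isAcceptableInboxName(name, alphabet = ALPHABET) {
  return typeof name === "string" &&
    [...name].every((c) => alphabet.includes(c)) &&
    entropyBits(name.length, alphabet.length) >= MIN_ENTROPY_BITS;
}
```

The server-side check matters because client-side generation leaves the choice of name with the caller: a hand-typed name such as "test" would be shared by anyone who guesses it.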

What we don't collect

Free tier users are fully anonymous. We generate inbox names in the browser using localStorage — we never see your IP address tied to an inbox, your real email address, or any personally identifying information. We do not use third-party analytics trackers, fingerprinting, or cookies on the free tier.

Spam filtering

All inbound emails pass through a Llama 3.1-powered spam filter running on Cloudflare Workers. This prevents ZeroDrop inboxes from being used for spam delivery while maintaining sub-second latency for legitimate test emails.

Infrastructure providers

Our infrastructure stack:

- Cloudflare (Email Routing, Workers, DDoS): ISO 27001, SOC 2 Type II certified
- Upstash Redis (email storage): SOC 2 Type II certified
- Vercel (dashboard hosting): SOC 2 Type II certified
- Dodo Payments (payment processing): PCI DSS compliant

We inherit the security posture of these providers for their respective components.

Responsible disclosure

If you discover a security vulnerability in ZeroDrop, please report it responsibly to [email protected]. Please include a description of the vulnerability, steps to reproduce it, and your assessment of the potential impact. We will respond within 48 hours and work to address confirmed vulnerabilities promptly. We ask that you do not publicly disclose the vulnerability until we have had the opportunity to investigate and remediate it.

Security updates

We monitor our dependencies for known vulnerabilities and apply security patches promptly. Our infrastructure providers handle operating system and runtime security updates on their respective platforms.

Contact

Security concerns: [email protected]
General support: [email protected]
Privacy questions: [email protected]
