Security

Your inbox does not become our infrastructure.

10Alert Mail reduces attack surface through direct provider connections and on-device secret storage.

Last updated: 18 July 2026

Security principles

Authorization protection

Desktop flows use Authorization Code with PKCE S256, random state and a dynamic 127.0.0.1 loopback callback. Additional Gmail tokens and IMAP credentials are encrypted using Windows DPAPI or AES-GCM with a user-only local key on macOS/Linux.

Content protection

The interface renders controlled text and does not directly inject raw email HTML. Remote images are disabled by default to reduce tracking pixels. Attachments are not downloaded automatically.

Public website

This landing page is a fully static Astro build on Cloudflare Pages. It has no authentication, database, form, analytics or endpoint receiving extension data.

Distribution

Public distribution is prepared for the Chrome Web Store and separate companion packages. Binary signing and artifact verification remain release gates; an unsigned build is not represented as the final public release.

Responsible disclosure

Use the contact address listed in Terms of Use with subject “10Alert Mail security report”. Include reproduction steps and impact, but never include real messages, passwords, tokens or personal data. Test only systems you are authorized to test.

Accurate limitations

No product can guarantee absolute security. Account security also depends on Chrome, the operating system, the email provider and user practices. Keep software updated and enable multi-factor authentication.