Threat Model

When it comes to security, there's no such thing as mission accomplished. Here's where we currently stand.

What we consider out of scope

Compromised End Points

Compromised End Points

If an intruder has physical or remote access to your computer, they will be able to execute the necessary attacks to access your data (which is decrypted client-side), and encryption keys.

You are in charge of end point security, and while we can recommend actions that you may take to improve it, we cannot perform them on your behalf.

Man-in-the-Middle Attacks

Man-in-the-Middle Attacks

We operate under the assumption that someone is always listening in, or modifying communications. However, there is a non-zero possibility of a targetted attack that can compromise your data.

Even though all communication is relayed using TLS, state-level actors and network providers have been known to overcome such measures.


Mailyard is designed to be resilient primarily against passive threats, and is continuously evolved to mitigate against active threats.

The IT Guy
The IT Guy

Awkwardly enough, that's us, but that's alright. We don't want to be saddled with all your private data anyway.

The encryption keys that protect your data are not accessible to Mailyard, whether they are encrypted with your password-derived key, or stored fully isolated with the Lanyard browser extension.
Malicious Code
Malicious Code

Some attacks go straight for the source code, and insert backdoors at various stages of the software delivery life cycle.

Our code is run through static code analyzers during build time, and monitored during run time. Where possible we will limit app distribution to channels that enforce code signing.

More on Security

Where we stand on security

Compliance & Certification Status

Work with us to fix security issues

Vulnerability Disclosure Policy
Sqreen | Runtime Application Protection
Mailyard, by Tinkerbox Studios Pte Ltd © 2019