This page provides an overview of the security practices put in place to run Missive. For any question, please contact us at

Our security.txt can be found here.


Our service is built on Amazon Web Services and Heroku. These providers offer strong security measures and are compliant with most certifications. Feel free to read more about the security practices of each:

Data encryption

Encryption in transit

All connections between Missive apps and our servers are encrypted using the Transport Layer Security standard (TLS). This also applies to connections between our servers and third-party providers such as Gmail, Office 365, Twilio, Facebook, Twitter, Asana, Pipedrive, Trello, and others.

Here are links to SSL quality reports for our main application domains:

Encryption at rest

All data stored in our database and cloud storage is encrypted at rest.

Responsible disclosure

We encourage people to report vulnerabilities found in our websites and apps directly to us. Do not disclose any information regarding vulnerabilities until we fix them. Rewards are offered at our discretion based on how critical each vulnerability is.

To report vulnerabilities, contact us at with a detailed description to help us understand and fix the vulnerability as quickly as possible.

Out-of-scope exclusions

The following vulnerability classes are excluded from the program. No reward will be offered for reports related to these.

  • Denial of Service attacks
  • DMARC, SPF and DKIM email policy on Missive domains
  • Email enumeration through signup form
  • EXIF metadata not stripped from uploaded images
  • Lack of DNSSEC
  • Stored XSS on non-authenticated hosts (eg. CDN)
  • Password complexity requirements


Missive is compliant with the General Data Protection Regulation (GDPR). See our dedicated GDPR page for more information.

External audit

To assess the quality of our security practices, we successfully went through the security audit required by Google as part of their OAuth API Verification.

This security assessment is mandatory for any service that connects to Gmail / G Suite accounts and stores data on their servers or cloud storage. It is an extensive process put in place by Google to ensure providers such as Missive can guarantee a high level of security and privacy when processing and storing user-provided data. You can read more about this security assessment on Google’s FAQ here.

The letter of assessment provided by the Google-mandated external auditor can be obtained by emailing us at

Payment information

All payments made through our services are processed by Stripe which is certified as a PCI Level 1 Service Provider. We do not collect or store payment information in our infrastructure.

Last updated on May 26, 2020.