Data and security compliance in EmailEngine
Understand exactly what EmailEngine stores, how it encrypts secrets, and how to wipe data when a customer asks for it.

TL;DR
EmailEngine only keeps the minimum metadata it needs to sync mail—nothing leaves your infrastructure, and you can wipe everything with a single Redis command.
Why it matters
Moving email through your SaaS means you’re touching PII and potentially regulated content (GDPR, HIPAA, etc.). Storing less data—and encrypting what you must keep—shrinks your compliance surface and calms security auditors.
🛠️ Self‑hosted reassurance – EmailEngine processes email entirely inside your infrastructure; no data leaves your network.
What EmailEngine stores (and when)
EmailEngine tracks state in Redis so it can answer questions like “Has message 123 changed since the last webhook?” The exact data set depends on the backend.
🗒️ Note – EmailEngine stores message metadata only for IMAP accounts. Gmail API and Microsoft Graph accounts rely on provider‑side change tracking, so EmailEngine keeps no local index for them. Likewise, if you enable the fast indexer for IMAP (see Supported account types), EmailEngine skips the per‑message index altogether.
1. Account data
- Name – free‑form label you provide.
- Username – often the mailbox address.
- Secrets – IMAP/SMTP password or OAuth2 tokens, encrypted at rest.
2. Folder‑level data
Field | Purpose |
---|---|
Path name | Primary identifier in IMAP |
UIDVALIDITY , HIGHESTMODSEQ , UIDNEXT |
Detect additions, deletions and flag changes |
3. Message‑level data (IMAP only)
Field | Example | Why it’s stored |
---|---|---|
UID |
4521 |
Stable per‑folder identifier |
MODSEQ |
1245567 |
Incremented on flag/body change |
Global ID | X‑GM‑MSGID / EMAILID |
Cross‑folder deduping |
Flags | \Seen , \Flagged |
Webhook diffing |
Labels (Gmail over IMAP) | Inbox , Important |
Multi‑folder storage |
Bounce info | 550 5.1.1 No such user |
Deliverability analytics |
If a field never changes—or reveals sensitive content (e.g. Subject)—EmailEngine fetches it live from the mail server instead of caching it.
Encryption
Field‑level (secrets)
EmailEngine encrypts every value marked as secret with AES‑256‑GCM. Provide the key via EENGINE_SECRET
.
Disk‑level
EmailEngine never touches disk directly; Redis does. Use encrypted volumes (LUKS, EBS‑encrypted, etc.) for your Redis data dir if regulatory rules require it.
In transit
- REST API – bind EmailEngine to
localhost
and terminate TLS at your reverse proxy. - Redis – use
rediss://
or an SSH tunnel for clusters. - IMAP/SMTP – EmailEngine always attempts
STARTTLS
or TLS. Most modern providers refuse plaintext logins anyway.
Deleting data
Removing an account via DELETE /v1/accounts/:id
wipes every related key in Redis. Legacy instances (< 2.0) may leave a pathname list behind—you can purge it manually:
$ redis-cli DEL iah:<accountId>
Backups
Because all state is Redis, your backups are Redis RDB/AOF snapshots. Decide—together with your Data Protection Officer—whether a GDPR “right to be forgotten” request affects historical RDB/AOF files.