System status.

Data protection

Outbound messages & templates

Subject, HTML body, and text body are wrapped at rest with a per-tenant AES-256-GCM data key. Each organization gets its own key, so revoking one org's key destroys their data cryptographically without touching anyone else.

Inbound mail

Inbound messages are wrapped with AES-256-GCM at the Go SMTP server's storage layer before hitting the SQLite BLOB. Every organization gets its own 32-byte data encryption key; the Go server fetches the right key at ingress time via a private internal API back to Laravel and caches it in-memory for a short TTL. Two orgs on the same host cannot read each other's mail, and a raw database snapshot is cryptographically useless on its own.

Transit

STARTTLS is negotiated on every outbound hop when the remote MX advertises it. Packet falls back to plaintext only when the remote refuses TLS, which is RFC-compliant opportunistic TLS.

Keys & secrets

SMTP credentials, mailbox passwords, and DNS provider tokens are encrypted at rest. Webhook signing secrets are stored in plaintext — rotate them from Settings → Webhooks if leaked.

Packet is not end-to-end encrypted. Packet operators with Laravel process access can decrypt org mail — the trust model is per-tenant key separation plus operational controls, not cryptographic opacity to the service.