Security
Last updated July 7, 2026
Architecture
Everway is designed so that the blast radius of any single trip is small. You never hand over mailbox credentials — there is no OAuth grant to your email provider and no inbox sync. Each trip gets its own receiving address, and mail sent to it is processed in isolation.
Data protection
- All traffic is encrypted in transit with TLS 1.2+.
- Emails, attachments, and trip records are encrypted at rest on AWS (S3 and DynamoDB).
- Attachment downloads are authorized per request and limited to trip owners.
- Stripe handles all payment data; card numbers never touch Everway servers.
Access control
Sign-in uses single-use email codes that expire after ten minutes — there are no passwords to leak. Trip access is enforced server-side on every request: owners can edit, invited guests can only view, and nobody else can see a trip at all. Emails arriving from unrecognized senders are held for your explicit approval before they are processed.
Operations
Infrastructure is defined as code and deployed to AWS with least-privilege IAM roles per component. Secrets are managed through the deployment platform, never committed to source control. Production access is limited to the small set of people who operate the service.
Reporting a vulnerability
If you believe you have found a security issue, email security@everway.ai. We read every report, respond within two business days, and will not take legal action against good-faith research.