Security & privacy

Your mail is personal. Your controls should be, too.

You're trusting us with tax documents, legal notices, medical statements, and personal letters. We designed the whole service around that responsibility — trustworthy before anything else.

You decide what is opened, scanned, forwarded, stored, shredded, or returned. Nothing sensitive happens without your authorization.

Physical mailroom Identity verification Role-based access Encryption Audit history Your authorization

Layered protection

Protection at every step, from the loading dock to your screen.

  1. 01

    Physical mailroom

    Mail is handled in a controlled facility with segregation between customers, defined procedures, and chain-of-custody tracking from arrival onward.

  2. 02

    Identity verification

    Every customer is verified before an address is active — protecting you from someone else claiming your mail, and keeping the service legitimate.

  3. 03

    Role-based access

    Staff can see and do only what their role requires. There is no blanket admin access, and internal actions are recorded.

  4. 04

    Encryption

    Your documents and images are encrypted in transit and at rest, stored in private storage behind access controls.

  5. 05

    Audit history

    Sensitive actions are written to an append-only history — who did what, and when — that you can review for your own account.

  6. 06

    Your authorization

    The final control is you. Opening, scanning, forwarding, and shredding all wait for your instruction.

What you control

The decisions stay with you.

  • Authorize each opening

    No piece is opened or scanned until you request it. There are no default openings.

  • See your activity

    A timestamped history of everything that happened to your mail is yours to review any time.

  • Ask before destruction

    Shredding requires your authorization, warns that it can't be undone, and can include a waiting period on eligible plans.

  • Control your data

    Request an export of your data or its deletion, and manage who in your household or business can see what.

Account security

Keeping your account yours.

  • Passwordless & MFA

    Sign in with a one-time email code, and add multi-factor authentication with recovery codes for stronger protection.

  • Session & device controls

    See active sessions and device history, and sign out sessions you don't recognize.

  • Login alerts

    Get notified of unusual logins and account changes, so you notice anything out of place.

  • Anomaly monitoring

    Unusual access patterns are monitored to help catch problems early.

How your data is handled

We keep less, guard more, and delete responsibly.

  • Data minimization

    We collect what the service needs and avoid what it doesn't. Sensitive fields are kept out of error logs.

  • Restricted mail intelligence

    Automated reading runs only on mail you've authorized, within a controlled pipeline, under a provider privacy configuration you can be told about.

  • No mail contents in analytics

    We don't put your document contents or personal mail into analytics. Usage measurement never captures sensitive content.

  • Secure deletion & retention

    Data is kept according to clear retention rules and deleted securely when its time is up or when you ask.

What we do — and don't — claim

Straight talk about certifications and approvals.

Plenty of services borrow trust with impressive-sounding badges. We'd rather tell you exactly where we stand.

  • Designed around security best practices

    Our controls follow recognized security practices, and we're transparent about what's implemented today versus planned.

  • Certifications are a roadmap, not a claim

    We do not claim SOC 2, HIPAA, or PCI compliance. Independent certifications are on our roadmap, and we'll say so plainly when any are achieved — not before.

  • No inflated labels

    We don't describe our security with phrases like bank-grade or military-grade. We describe what we actually do: encryption, access controls, audit trails, and customer authorization.

  • CMRA registration in progress

    MyEverAddress operates as a Commercial Mail Receiving Agency; USPS CMRA registration is in progress. We do not claim USPS approval or any government endorsement.

This section intentionally names common certifications only to be clear about what we have not obtained.

Found something?

Report a security concern.

If you believe you've found a security or privacy issue, we want to hear from you. Reach our security contact through the contact page and we'll respond as quickly as we're able.

Contact security

Trust is easier to feel than to read about.

See how much control you actually have — open the demo and watch it ask before it does anything sensitive.