Last updated: July 2025
This threat model outlines what [@fuck.it] protects you from - and what we don’t. We believe in honesty, not false promises.
1. What We Protect Against
- Email interception via insecure protocols (we use TLS)
- Unauthorized access to your inbox (we enforce strong login security)
- Spam, phishing and account abuse (through the advanced filtering of Open-Xchange (OX) and our internal abuse response systems)
- Server-side attacks (we harden our infrastructure)
- Metadata collection by advertisers (we don’t use ads or trackers)
- Unauthorized access to stored files in OX Drive
- Disruptions from regional outages (via geo-redundant hosting across data centers)
2. What We Don't Protect Against
- Stupid passwords (use a password manager, please)
- Local malware or keyloggers on your device
- Your friend peeking over your shoulder
- Governments with access to your unlocked device
- The consequences of emails you send
3. End-to-End Encryption
On supported plans, we offer optional end-to-end encryption via OX Guard, covering emails, attachments and cloud storage. Users can activate and manage their encryption settings as needed. Outside of that, data is still encrypted in transit (TLS) and at rest, and unauthorized personnel cannot access it.
That said, end-to-end encryption is not enabled by default and must be actively applied to each message. Without it, your data is encrypted in transit and at rest, but it remains accessible to authorized staff if legally required. If privacy is paramount, we strongly encourage the use of OX Guard or compatible third-party tools in your local environment.
Note: As the underlying platform, OX may temporarily retain recoverable message states for disaster recovery or undelete functionality. While deleted messages are generally removed, edge cases exist in which partial recovery is technically possible within short timeframes.
4. Legal Access
We comply with valid legal requests. If we’re allowed, we’ll notify you. We do not build backdoors or offer mass access to anyone.
5. Third-Party Services
We work with a hosting company and payment provider. These services only have the data needed to do their jobs. We vet their security but can’t guarantee perfection.
We use Open-Xchange (OX) as our core infrastructure provider. They are GDPR-compliant, ISO-certified and operate under strict access controls. For more, see our Privacy Policy.
6. What You Can Do
- Use a strong password (and don’t reuse it)
- Enable any optional security features
- Encrypt sensitive messages manually
- Log out on shared devices
- Enable two-factor authentication if we offer it
7. Security Philosophy
Security isn’t a product - it’s a posture. We do our part. You do yours. Together, it works.
No bullshit.
No guarantees.
Just good security sense.