Account Security
How Velum protects your account and what you can do to stay secure.
Password best practices
- •Use at least 12 characters with a mix of letters, numbers, and symbols.
- •Never reuse passwords from other services.
- •Consider using a password manager like 1Password, Bitwarden, or Apple Keychain.
- •Velum stores passwords using bcrypt with per-user salts — we never store plaintext passwords.
What data we encrypt
- •All data in transit is encrypted using TLS 1.3.
- •Email content and metadata are encrypted at rest using AES-256.
- •IMAP credentials are encrypted at rest and never stored in plaintext.
- •Database backups are encrypted before being written to storage.
Session management
- •Sessions expire automatically after a period of inactivity.
- •You can sign out from all devices in Settings → Account.
- •Each session is bound to a secure, HTTP-only cookie that cannot be accessed by JavaScript.
- •Suspicious login attempts trigger additional verification.
How to export your data
- •Go to Settings → Account after signing in.
- •Click "Export My Data" to request a full data export.
- •You'll receive a downloadable archive containing your emails, settings, and account information.
- •Exports are generated within 24 hours and available for 7 days.
How to delete your account
- •Navigate to Settings → Account after signing in.
- •Scroll to "Danger Zone" and click "Delete Account."
- •Confirm the deletion — this action is permanent and cannot be undone.
- •All your data, including emails and credentials, will be permanently erased within 30 days.
Want to learn more about our security practices?
Visit our Security page for a comprehensive overview, or read our Privacy Policy to understand how we handle your data.