GDPR: Acumbamail infrastructure

Learn how Acumbamail's infrastructure is GDPR compliant.

The EU has updated its data-protection regulations. This new law, the General Data Protection Regulation (GDPR), applies to entities of all kinds, from public authorities to small and medium-sized companies, regardless of whether the processing takes place within or outside of the EU, as long as it affects European citizens. For Acumbamail, the security of your data is of the utmost importance and, as such, we put all our experience in the protection against threats and in the protection of privacy at your service

Our infrastructure and security policies have passed ongoing assessments for compliance. Acumbamail's infrastructure and security policies are regularly audited and tested for compliance with data protection regulations.

Data center located in Europe

All our infrastructure is hosted in Spain, so it is guaranteed that there are no international data transfers. We also have the necessary security measures for the level of security that corresponds to the data we handle, in accordance with the guidelines of the Spanish Agency for Data Protection and the GDPR

Data Loss Prevention (DLP)

At Acumbamail, Data Loss Prevention (DLP) policies are essential and ensure that the most sensitive data and information cannot be shared without permission.

Data must be accessible to our clients in a fast and efficient way so that they can consult it, but at the same time this data must also be protected so that it cannot be shared with unauthorised persons.

For this, Acumbamail has implemented a series of technical and organisational measures to prevent unauthorised access to our customers' data and to provide adequate security.


Our data center has the following certifications: ISO 9001, ISO 27001 and ISO 22301.

Physical security in the data processing center (CPD)

Our data processing center has the following physical security measures:

Recording of access areas and server areas by CCTV circuit.

Register of all visitors with personal data.

Fingerprint access to facilities.

Network security

Our network has the following security measures:

Isolation of critical resources in private networks, without public access and access control through dedicated gateways in perimeter networks.

All infrastructure management services are located on private networks accessible by the support and administration team via a VPN.

Use of 2FA for system management and administration user authentication.

Session time control and activity time monitoring.

Intrusion Prevention System (IPS). Controls access to the system through a perimeter network including automatic exclusion rules.

Intrusion Detection System (IDS). Establishes integrity checks and monitoring of active processes.

Mitigating the impact of attacks through Zero-Day vulnerabilities by establishing minimum privilege policies for users, processes and running services.

Encryption of incoming and outgoing communications using TLS.

Ongoing monitoring

Our systems are continuously monitored:

Offsite, centralised and isolated logging and storage of machine resource usage, process status and active sessions.

System for automatic analysis and diagnostics of stored logs related to machine resource usage, process status and active sessions.

High availability

The average annual availability (SLA) of our systems is 99%.

Network redundancy. All machines are connected to two 10G links each (2x10G).

Fault-tolerant networked storage with non-disruptive maintenance and upgrades. Each disk group is configured in dual redundant RAID. Data loss could only occur in the event of a concurrent failure of 3 disks in less time than it takes to replace them (about 5 hours)..

Although the probability of data loss is absolutely rare given the storage redundancy, hourly synchronised mirror copies of each physical volume are established on storage external to the main storage, so that production operation can be restored in a very short time. In addition, snapshots of all virtual volumes are taken every 6 hours with a retention of 4 days.

Multimedia content is distributed via CDN (Content Delivery Network), which allows for maximum latency reduction.

Life cycle of storage media

Replacement of physical media by secure deletion of the media. In the event of replacement due to media failure, physical destruction of the media is carried out by an authorised supplier and a certificate of destruction is issued after the process.

Life cycle of storage media

Early warning of incidents through real-time monitoring and diagnosis tools.