Security and Role-Based Access Control
MailAdx uses a granular RBAC system to control what each user can see and do within your account.
Account roles
Every MailAdx account has five built-in roles. Roles are assigned per user and can be scoped to specific resources (newsletters, advertisers, or networks).
| Role | Capabilities |
|---|---|
| Account Owner | Full access. Billing, user management, and all configurations. |
| Admin | All configurations except billing and user role changes. |
| Publisher Manager | Create/edit placements, deals, and view publisher reports. |
| Advertiser Manager | Create/edit orders, creatives, and view advertiser reports. |
| Read Only | View all configured resources and reports. No create/edit access. |
API key scoping
API keys can be created with scoped permissions — a read-only key for reporting integrations, a write key for optional custom pipeline integrations, or a scoped key for specific newsletters only. Each key has a human-readable name and an audit log of all requests made with it. Rotate API keys from Dashboard → Settings → API Keys at any time; the previous key continues to work for 24 hours to allow zero-downtime rotation.
IP allowlisting
Enterprise accounts can configure IP allowlists for the optional Decision API. Requests from IPs not on the allowlist receive a 403 response. This is recommended for custom send pipelines where the calling IP is stable. Configure IP allowlists under Dashboard → Settings → Security.
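Before enabling an allowlist, it helps to confirm that every egress IP of the send pipeline is covered, since any address that is not will start receiving 403 responses. The following pre-flight check is an added example, not MailAdx code. It assumes allowlist entries may be single IPs or CIDR ranges (the page does not state the accepted formats), and all names and addresses in it are constructed.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not real MailAdx values.
SAMPLE_ALLOWLIST = ["198.51.100.7", "203.0.113.0/28", "2001:db8:10::/64", "203.0.113.40/24"]
SAMPLE_EGRESS = ["198.51.100.7", "203.0.113.14", "203.0.113.40", "2001:db8:10::25", "2001:db8:20::1"]


def parse_allowlist(entries):
    """Parse entries into networks; return (networks, invalid_entries).

    CIDR support is an assumption about the allowlist format.
    """
    networks, invalid = [], []
    for raw in entries:
        try:
            # strict=True rejects ranges with host bits set (e.g. 203.0.113.40/24),
            # a common typo that silently widens or misplaces a range.
            networks.append(ipaddress.ip_network(raw.strip(), strict=True))
        except ValueError:
            invalid.append(raw)
    return networks, invalid


def preflight(allowlist_entries, egress_ips):
    """Report which pipeline egress IPs the planned allowlist would admit or block."""
    networks, invalid = parse_allowlist(allowlist_entries)
    allowed, blocked = [], []
    for raw in egress_ips:
        addr = ipaddress.ip_address(raw.strip())
        # Compare only within the same IP version (IPv4 vs IPv6).
        covered = any(addr.version == net.version and addr in net for net in networks)
        (allowed if covered else blocked).append(raw)
    return {"allowed": allowed, "blocked": blocked, "invalid_entries": invalid}


if __name__ == "__main__":
    report = preflight(SAMPLE_ALLOWLIST, SAMPLE_EGRESS)
    for ip in report["blocked"]:
        print(f"would receive 403: {ip}")
    for entry in report["invalid_entries"]:
        print(f"fix allowlist entry before saving: {entry}")
```
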
Data encryption
All data in transit is encrypted via TLS 1.3. Data at rest in the MailAdx database is encrypted using AES-256. Email addresses retained for frequency capping and audience matching are stored exclusively as SHA-256 hashes; the plaintext email address is never persisted after the initial hash is computed.
Audit logs
All configuration changes are recorded in the audit log with user, timestamp, and before/after values. Audit logs are retained for 90 days on all plans and 365 days on Enterprise. Access them at Dashboard → Settings → Audit Log.