Security Features

Epistle has three main features designed to help missionaries maintain privacy in their communication:

• Private posts - this allows missionaries to post updates that are visible only to ministry partners.
• Invisible mode - this makes a missionary’s Epistle site visible only to ministry partners, otherwise it requires a login.
• Secure emails - this prevents Epistle from sending any update content to ministry partners and instead sends a notification email about updates.

Security Recommendations

Below are some recommendations for using Epistle (and the internet in general) safely:

• VPN - Epistle recommends that you use a VPN for all communication, especially if you are serving in a sensitive region. VPNs are used to encrypt all traffic between your computer and a server in another (ideally friendly) location.
• Pseudonyms - Whenever you're communicating something sensitive, we recommend that you use pseudonyms for people, places, etc.

Epistle in High-risk Contexts

Please consider the following to determine if Epistle is appropriate for your context:

1. Epistle provides many security enhancements over using email services like Mailchimp for ministry partner updates. We do not, however, recommend that you use Epistle to send updates which, if leaked, would put you, your team, or those you serve in harm's way.
2. There are some contexts where you can be negatively impacted if it is discovered that you use Epistle at all. Although it is very difficult (or even impossible) to know that you are an Epistle user if you use a VPN, we don't recommend that you use Epistle in these contexts because of the risk of a leak, for example, forgetting to turn on your VPN in a hostile region where your internet traffic is being monitored.

If points 1 or 2 above apply to you, we recommend that you do not use Epistle and that you consult a security professional for a comprehensive strategy that applies to all of your communication and online activities. Because of the risk and complexity of communicating from these contexts, we do not recommend that you develop a communication strategy on your own.

Technical Notes

• Epistle is hosted with a major cloud provider in the United States.
• Epistle servers and data stores are only accessible on our private network.
• 100% of emails sent from Epistle are encrypted in transport (TLS) and are properly authenticated (DKIM, SPF, DMARC).
• Epistle data is accessible only to specific Epistle employees and data access is logged for auditing, where possible.
• Epistle data is encrypted at rest.
• Epistle data is encrypted in transport between client and server (TLS).
• Service accounts use multi-factor authentication (MFA), where possible.
• Service accounts use IP whitelisting for access only from our private network, where possible.