How Exclaimer delivers reliability and security at scale

Published

Updated

Image Placeholder

TL;DR

  • No email content is stored. Emails pass through Exclaimer in transit to apply the correct email signature, then return to your mail flow. No message content, attachments, or subject lines are stored.

  • Azure-hosted with regional data residency. All processing runs in Microsoft Azure. Customer data stays within the customer's designated region to support GDPR, CCPA, HIPAA, and other data sovereignty requirements.

  • Encrypted in transit and at rest. Data between Exclaimer and Microsoft 365 or Google Workspace is protected using RSA-2048-bit asymmetric encryption combined with an AES symmetric session key.

  • Independently certified. Exclaimer holds SOC 2 Type II, ISO 27001, ISO 27018, and Microsoft 365 Certification, and is rated 100/100 on SecurityScorecard.

  • 99.99% uptime, active-active failover. Paired Azure datacenters in each region handle the full workload independently, with automatic failover and continuous tenant data synchronization. Real-time status at status.exclaimer.com.

  • Exclaimer Trust Center. The full certificate listing, audit reports, and answers to 350+ security and compliance questions are available at trust.exclaimer.com.

Before adding any tool to your email environment, IT teams need to know how it handles data, where it runs, and what happens when something goes wrong. This article covers all three.

Exclaimer applies email signatures automatically during mail flow, without storing message content or acting as a delivery dependency. That's the design choice that shapes both the reliability and security story, and it's what IT teams most often dig into during evaluation.

Trusted by 80,000+ organizations worldwide, the platform is built and operated to meet the demands of enterprise email at scale. The sections below walk through how it's architected, how data flows through it, what independent certifications verify, and how the service behaves during an outage.

For the full credentials listing, audit reports, and answers to over 350 security and compliance questions, visit the Exclaimer Trust Center.


Security/reliability area

Exclaimer claim

Evidence

Email content handling

Email content is processed transiently and not stored — no message bodies, attachments, or subject lines are retained

Trust Center

Hosting

Microsoft Azure — 14 datacenters in regional primary/secondary pairs

Azure architecture

Availability

Active-active high-availability design; 99.99% uptime target

Status page

Certifications

SOC 2 Type II, ISO 27001, ISO 27018, Microsoft 365 Certification; 100/100 SecurityScorecard

Security accreditations

Privacy/data residency

EU/EEA data processed in European datacenters; no UK–EU/EEA transfers

Data residency

Service monitoring

Real-time service health and incident updates published publicly

status.exclaimer.com

To see all of our security accreditations, visit the Exclaimer Trust Center. It includes summaries, certificates, reports, policy documents, and answers to over 350 security and compliance questions.

Does Exclaimer store email content?

No. Exclaimer doesn’t store or retain email content. Emails pass through Exclaimer briefly so the correct signature can be applied. Once stamped, the message returns to the mail flow. No content is stored, archived, or accessible to Exclaimer.

This design’s intentional. It limits risk, reduces exposure, and avoids creating a second system of record.

How email processing works

When an email is sent, Exclaimer:

  • Checks which signature applies

  • Adds the signature to the message

  • Immediately returns the email to the mail flow

At no point does Exclaimer store message content, attachments, or conversation history.

Transient processing: The email is handled only for the duration required to apply the email signature and is not stored as retained message content.

What data is retained, and why

To support performance and troubleshooting, Exclaimer logs limited metadata for a short time:

  • Sender and recipient addresses

  • Signature ID applied

This metadata is retained for up to seven days, then automatically purged. It doesn't include content, subject lines, or attachments.

Why this matters for IT and compliance teams

Processing emails in memory, with no content retention, means:

  • Lower risk in the event of a breach

  • Smaller compliance scope

  • No additional data repository

  • Alignment with GDPR and other data minimization requirements

For IT and compliance teams, this approach provides centralized email signature control without creating a new data repository or complicating your existing governance model.

How is Exclaimer built for reliability at scale?

Azure is a platform widely trusted by IT teams for running mission-critical services. Exclaimer is designed to operate fully within the Microsoft Cloud environment, allowing emails to be processed securely and consistently without leaving Azure's network.

exclaimer microsoft azure datacenter locations

Optimized for Microsoft Azure from the ground up

Exclaimer's service is architected specifically for Azure, rather than being retrofitted onto a generic cloud platform. That design enables:

  • Regional deployment aligned to customer location

  • Built-in scalability to handle growth in users and email volume

  • Consistent performance across global environments

Microsoft Azure’s own compliance framework underpins this infrastructure, supporting regulatory requirements across regions and industries. Exclaimer builds on those controls with additional service-level safeguards.

High availability and uninterrupted mail flow

Email flow reliability is a non-negotiable requirement for IT teams. Exclaimer addresses this with an active-active High Availability Cluster (HAC) model.

When the service is operating normally:

  • Emails are processed by paired Azure datacenters within the same region

  • Traffic is distributed using automated load balancing

  • Each datacenter can handle the full regional load if required

If an issue affects one Azure datacenter, Exclaimer automatically switches processing to the alternate datacenter. This happens without manual intervention and without interrupting email delivery.

Load balancing and fault handling

Exclaimer uses Azure-native load balancing to reduce risk and maintain service continuity. Key elements include:

  • Automated traffic distribution across regional datacenters

  • Continuous synchronization of tenant data within the region

  • The ability to remove a datacenter from rotation automatically or manually if needed

This approach minimizes single points of failure and supports Exclaimer's 99.99% service availability. Real-time and historical status available at status.exclaimer.com.

Data handling within regional clusters

All data required to operate an Exclaimer subscription is hosted securely in Microsoft Azure. Data is stored within a High Availability Cluster in the customer's designated region, which means:

  • Data residency is maintained by design

  • Customer data isn't stored outside the assigned geography

  • Requirements under GDPR, CCPA, and similar regulations are supported

This includes configuration data, email signature templates, and directory attributes. Email message content isn't stored as part of this process.

Secure connections and service hardening

All connections to and within the Exclaimer service are secured using SSL certificates and TLS encryption. These connections are continuously monitored to meet current cloud security standards.

Before any updates are deployed:

  • Changes are built and tested by Exclaimer's development and QA teams

  • Services are stress-tested beyond normal usage levels

  • Code is scanned for malware and verified using native Azure antimalware tools

Updates are rolled out out of hours for each region to minimize operational impact.

Global availability by design

Exclaimer operates across 14 Microsoft Azure datacenters worldwide, arranged in regional pairs. This global footprint allows Exclaimer to keep customer data within geographic boundaries, deliver consistent performance across regions, and protect against local Azure infrastructure issues. Each regional datacenter pair is designed so that either location can support the full workload if required.

Region

Primary Datacenter

Secondary Datacenter

USA

East US — Virginia

West US — California

Canada

Canada Central — Quebec

Canada East — Toronto

Europe

West Europe — Netherlands

North Europe — Ireland

UK

UK South — London

UK West — Cardiff

Germany

Germany W Central — Frankfurt

Germany North — Berlin

Australia

Australia East — NSW

Australia Southeast — Victoria

Middle East/East Asia

UAE North — Dubai

UAE North — Dubai

IT teams can check system status anytime via Exclaimer’s Service Health page, which offers real-time performance and incident updates.

What security certifications and compliance standards does Exclaimer meet?

Exclaimer is independently audited and certified against globally recognized security and privacy standards, including SOC 2 Type II, ISO 27001, ISO 27018, and Microsoft 365 Certification.

soc 2 and iso 27001 logos

These certifications validate how Exclaimer is built, operated, and governed. They provide external assurance that security, availability, confidentiality, and privacy controls are not only defined but consistently followed in practice.

SOC 2 Type II

Exclaimer holds a SOC 2 Type II attestation, confirming that its systems meet the Trust Services Criteria: security, availability, and confidentiality.

A SOC 2 Type II report evaluates how controls operate over an extended period rather than at a single point in time. This demonstrates that Exclaimer's safeguards are consistently applied during day-to-day service delivery, not just defined on paper.

Within the email signature management category, Exclaimer is currently the only provider publicly attested to SOC 2 Type II.

For customers operating under regulated environments — including HIPAA — this attestation provides independent assurance that controls supporting data protection, access management, and service availability are effective.

ISO/IEC 27001

Exclaimer has been certified to ISO/IEC 27001 by the British Standards Institution (BSI) since 2016. This international standard defines how to establish, operate, monitor, and continually improve an Information Security Management System (ISMS) covering people, processes, and technology. Certification means Exclaimer undergoes regular independent audits to confirm ongoing compliance with internationally accepted security controls.

ISO/IEC 27018

Exclaimer is also certified to ISO/IEC 27018, an extension of ISO 27001 focused on privacy protections for personally identifiable information (PII) in cloud services. This standard introduces additional controls for secure PII handling, transparency around data use, and rights related to the use of personal data.

Microsoft 365 Certification

Exclaimer is a Microsoft 365 Certified application, following a detailed security review and audit conducted by Microsoft. This certification verifies that the application integrates securely with Microsoft 365, data handling aligns with Microsoft's security requirements, and the service meets Microsoft's standards for cloud applications.

GDPR and global data privacy regulations

Exclaimer supports GDPR requirements through regional data processing, documented data processing terms, security certifications, and privacy controls. Exclaimer is regularly audited to confirm ongoing adherence. Full compliance documentation, including the DPA, is available at the Exclaimer Trust Center.

For customers in the EU and EEA, personal data is processed within European datacenters — specifically Germany, the Netherlands, and Ireland. No data transfers occur between the UK and EU/EEA environments.

Exclaimer also aligns with other global privacy frameworks, including:

Cyber Essentials

Exclaimer is certified under the UK government-backed Cyber Essentials scheme, managed by the National Cyber Security Centre (NCSC). Cyber Essentials demonstrates that essential cyber hygiene practices are in place to protect systems from common internet-based threats.

Cloud Security Alliance (CSA)

Exclaimer's cloud security controls are independently assessed under the Cloud Security Alliance (CSA) STAR program. This reinforces transparency around cloud security posture and aligns with industry expectations for secure SaaS offerings.

PCI DSS and payment security

Exclaimer is tested quarterly against PCI DSS requirements to validate secure handling of payment-related processes.

  • Exclaimer does not store credit or debit card details.

  • Payment transactions are handled separately via a PCI-compliant payment portal secured with high-grade SSL encryption.

Continuous protection and monitoring

Security and data protection are embedded into Exclaimer’s operations, including:

  • Regular third-party penetration testing and vulnerability scanning

  • Internal security training for teams

  • Independent audits and compliance assessments

  • A 100/100 rating on SecurityScorecard, reflecting a strong external security posture and low vulnerability risk.

Control

Details

Frequency

Evidence

Service monitoring

24/7/365 automated monitoring; real-time alerts and predefined escalation chains

Continuous

status.exclaimer.com

Penetration testing

Third-party security testing

Regular

Penetration test report

Vulnerability scanning

Continuous scanning

Continuous

Vulnerability and change management

Security training

Internal program for all teams

Continuous

Employee security and awareness

Code scanning

Native Azure antimalware scanning on every build; verified before deployment

Every build

Azure antimalware tooling

Change deployment

Built, QA-tested, stress-tested beyond peak load; staged regional rollout out of hours

Every release

Release notes

What happens if Exclaimer experiences an outage?

The short answer is that email continues to flow. Exclaimer's designed so that a service disruption does not stop or block email delivery.

Reliability is critical for any system involved in email infrastructure. Exclaimer avoids single points of failure and handles faults transparently, without requiring action from IT teams or end users.

Continuous monitoring and automated response

Exclaimer’s service is monitored 24/7/365. Automated monitoring detects service alerts in real time and triggers predefined escalation chains. The primary objective is to maintain uninterrupted mail flow for all customers.

If an issue is detected at one regional datacenter, processing automatically shifts to the alternate location. Tenant data is continuously synchronized, so continuity is maintained without manual intervention. Once the issue is resolved, the service continues operating as normal.

No impact on mail delivery

Exclaimer applies email signatures during message processing. However, it doesn't act as a mail transfer agent (MTA) and doesn't replace native Microsoft 365 or Google Workspace mail delivery. This means:

  • Emails aren't queued or blocked by Exclaimer

  • Mail continues to be delivered by the underlying email platform

  • Email signature application resumes automatically when the service is fully available

This prevents Exclaimer from becoming a single point of failure in email delivery.

Failure scenario

Mail delivery impact

Email signature impact

Recovery

Exclaimer processing unavailable

Delivery continues through Microsoft 365 or Google Workspace — Exclaimer is not the MTA

Email signature may not be applied until service resumes or fails over

Automatic failover to paired regional datacenter

Azure regional issue

Traffic fails over to paired datacenter automatically; no manual intervention required

Email signature processing continues or resumes after failover

Architecture/SLA

Planned maintenance

No impact on mail delivery

Defined per maintenance notice

status.exclaimer.com

Keeping pace with the Azure platform

Exclaimer’s development and QA teams continuously update the service to align with changes in Microsoft Azure. All updates are built, tested, and validated before deployment, including stress testing beyond normal usage to prevent upstream issues.

How does Exclaimer process emails?

Emails are processed in memory, encrypted in transit, and never stored permanently. When an email reaches the Exclaimer service, it's inspected only to determine whether a signature should be applied and where it should be placed.

Message inspection and signature application

During processing, Exclaimer:

  • Checks the sender, recipient, and subject line

  • Determines whether an email signature should be added or excluded

  • Decodes the message format (MIME or TNEF) to identify the correct placement

If an email is sent in Rich Text or Plain Text, it's converted to HTML so a complete HTML email signature can be applied consistently.

Sender information is retrieved from cached directory data (Microsoft Entra ID or Google Workspace Directory) and any approved custom attributes. These details are inserted into the assigned email signature design, and the email is returned to the Microsoft 365 or Google Workspace tenant.

Encryption and data protection

All data in transit between Exclaimer and Microsoft 365 or Google Workspace is encrypted using RSA-2048-bit asymmetric encryption combined with a one-time AES (Rijndael) symmetric session key. AES is the Advanced Encryption Standard selected by the U.S. National Institute of Standards and Technology (NIST) and is widely used to protect sensitive data in transit. Encryption keys are issued and managed through certificates, with separate keys used specifically for encryption and decryption.

No permanent storage of email content

Exclaimer doesn't permanently store emails. Messages are processed in memory and encrypted at rest only for the time required to apply the email signature. For support and troubleshooting purposes, Exclaimer temporarily logs a minimal set of metadata for up to seven days:

  • Sender address

  • Recipient address

  • Applied email signature ID

Message content, subject lines, and attachments aren't stored.

Encrypted messages and bypass behavior

If an email is already encrypted before reaching Exclaimer — such as with S/MIME, Microsoft OME, or IRM — the imprinting service can't modify it. In these cases, the message bypasses email signature processing and is delivered unchanged. Encryption and privacy are fully preserved.

How does Exclaimer handle client confidentiality and PHI?

Exclaimer processes signature metadata — sender name, role, and contact details — and the email envelope required to apply an email signature. It doesn't store the email body or attachments. Protected Health Information (PHI) in the email body is never persisted by Exclaimer.

For organizations in regulated industries, that distinction matters. Healthcare teams operating under HIPAA and financial organizations subject to client confidentiality requirements need a clear account of what Exclaimer touches, what it does not, and how data in transit is protected.

What Exclaimer processes and doesn't store:

  • Processes: Sender address, recipient address, and the email header required to match and apply a Signature Rule

  • Processes: Directory attributes used to personalize the email signature — name, job title, phone number, department

  • Does not store: Email body text

  • Does not store: Email attachments

  • Does not store: Subject lines

  • Temporarily retains (up to seven days, for support purposes only): Sender address, recipient address, and the applied Signature Rule ID. This does not include message content.

Data in transit between Exclaimer and Microsoft 365 or Google Workspace is encrypted using Transport Layer Security (TLS) 1.2 or higher, combined with RSA-2048-bit asymmetric encryption and an AES symmetric session key. Data at rest is encrypted using AES during the brief window required to apply the email signature.

For PHI specifically: the email body — where Protected Health Information (PHI) would typically appear under 45 CFR § 164.312 — is never read beyond what is necessary to determine email signature placement, and is never written to disk. Exclaimer is HIPAA-compliant, and a Business Associate Agreement (BAA) is available upon request.

Exclaimer's data processing activities are governed by its Data Processing Agreement (DPA).



Why reliability and security matter for IT teams evaluating Exclaimer

For IT teams, email signatures are part of how an organization controls outbound communications at scale.

Exclaimer is built to support that responsibility without adding risk. Reliability keeps mail flowing under all conditions. Governance applies branding, disclaimers, and identity under policy. Security keeps the service operating safely within Microsoft 365 or Google Workspace.

Exclaimer has clear boundaries. It doesn't detect or block threats and doesn't replace your existing governance stack. Instead, it acts as a governed layer for standardizing email signatures — without storing message content or creating a delivery dependency.

For teams assessing vendor risk, this reduces the evaluation scope:

  • Email remains under your mail platform's control

  • Email signatures are managed centrally under defined policy

  • Security practices are independently audited and verifiable

For the full credentials listing, certification reports, and the complete security and compliance FAQ, visit the Exclaimer Trust Center.

Centralize email signature governance

Try Exclaimer free and see how centralized signature management works at scale—without storing email content or disrupting delivery.

Hero Image

Frequently asked questions

Does Exclaimer store email content?

No. Exclaimer processes emails transiently to apply the correct email signature, then returns them to the Microsoft 365 or Google Workspace mail flow. Message bodies, attachments, subject lines, and conversation history are not stored. Exclaimer temporarily retains limited metadata — sender address, recipient address, and applied signature ID — for up to seven days for support purposes only.