Vectis Mail for enterprises.
Email infrastructure on your terms — your servers, your data, your audit trail.
Vectis Mail is self-hosted email infrastructure for enterprises that need data sovereignty, audit trails, multi-tenancy, and source-available code. Pro tier today covers the Vectis Mail platform. The dedicated Enterprise tier lands later in 2026, adding clustering, hardened multi-tenancy, audit-report packs, and SLA-backed support. We're transparent about what's in the box today and what's coming.
What enterprise IT teams get today
Six things in-box on Pro that matter to security, IT, and procurement teams.
1. Full data sovereignty
Vectis Mail runs on your VPS, your sovereign cloud, your on-prem cluster. Email content, metadata, and analytics live in your Postgres. You choose where the data resides (EU, UK, US, ANZ, GovCloud) and who has access. No vendor-side copy of customer email.
2. Source-available, auditable code
BSL 1.1 core. Your security team can read the source, run their own code review, instrument the build, verify what's running matches what's in GitHub. Closed-source vendors can't make that promise.
3. Multi-tenant from the database up
Tenants, domains, mailboxes, and API keys are isolated at the database row level. Pro adds per-domain analytics, advanced spam controls, and per-domain rate limiting. Suitable today for trusted-tenant scenarios: internal business units, managed customer brands.
4. Atomic updates with rollback
6-phase orchestrator: snapshot, migrate, pull, deploy, health-check, complete. Automatic rollback on any failure. Compose-backup + Postgres dump retained for the rollback window. Change-management trails the audit team can verify.
5. RBAC + MFA + OIDC SSO
Three-tier roles (super_admin, admin, domain_admin), TOTP multi-factor auth required, OIDC SSO with Google, Azure AD, and Keycloak. API keys with domain scoping + per-key rate limits. The access-control posture procurement asks about.
6. Observability built in
Prometheus-format metrics and health alerts built in; optional Grafana dashboards and Loki log aggregation (off by default), alertmanager rule templates. Your SRE / SOC team gets the visibility they expect, not "check the vendor dashboard" hand-waving.
What the Enterprise tier will add
Phase 4 roadmap, landing later in 2026. We're publishing the scope so you can plan against it.
Clustering + high availability
Multi-node Vectis Mail clusters with active/active or active/passive failover. Shared Postgres backend with replication, shared maildir on durable storage, distributed sender pool. Targets: 99.95%+ availability SLA, sub-minute failover, graceful node-drain for maintenance windows.
Hardened multi-tenancy isolation
Strict cross-tenant security guarantees suitable for mutually-distrustful tenants on shared infrastructure: namespace-level isolation for storage, per-tenant encryption-at-rest keys, audit-grade tenant-access logging. The level required for "run competing brands on one cluster" or "host customer email infrastructure as a service" use cases.
Audit-evidence packs
Pre-built evidence packs that slot into your SOC 2, HIPAA, or ISO 27001 audit work: configuration attestations, change-management logs, access logs, retention policies, encryption verification. Built for procurement teams that need to answer "prove your email infrastructure is compliant" without burning weeks of evidence gathering.
SLA-backed support
Guaranteed response times (P1 in 1 hour, P2 in 4 hours, etc.), named technical contacts, escalation paths, scheduled architecture reviews. The shape Enterprise procurement expects from infrastructure vendors.
Custom contract terms
Bespoke licensing, indemnification clauses, custom DPA, MSA negotiation. Pro is a click-through; Enterprise is a negotiated contract designed to slot into your procurement framework.
Compliance questions, answered
What procurement and security teams typically ask. Frank answers.
SOC 2 / HIPAA / ISO 27001 reports?
Not as a Vectis Mail vendor today. Self-hosted means you operate the controls and produce the evidence. The Enterprise tier will add evidence packs that slot into your audit work. If you need a vendor-side report on a procurement timeline, contact us and we can scope the path.
Data residency guarantees?
Absolute. Vectis Mail runs on your infrastructure; you choose the region, and that's where the data is. The only outbound dependency is the Pro licence verification call to api.validonx.com, which carries no customer data. For air-gapped requirements, talk to us about offline-licence operation modes.
DPA / GDPR alignment?
Standard DPA available for Pro customers. Because the data stays on your infrastructure, the GDPR controller / processor relationship is yours end-to-end. Vectis Mail is the software, not a data processor. Enterprise contracts add custom DPA negotiation.
Penetration test reports?
The BSL 1.1 source is on GitHub, so your security team can run their own static analysis, fuzzing, or manual review. Third-party pen-test reports as a vendor deliverable land with the Enterprise tier. Until then, we're transparent about the surface area: the architecture overview at /architecture/overview is the starting point.
Disaster recovery posture?
Scheduled backups with AES-256-GCM encryption, off-site replication via standard tooling (rclone, rsync, S3), atomic rollback during updates. Your DR plan slots in cleanly: Vectis Mail is one Compose stack, one Postgres, and one maildir tree, all standard formats.
Pricing for enterprise volume?
Pro at $29 USD/tenant/month covers the platform today. Enterprise tier pricing is custom, sized by deployment (number of clusters, SLA tier, support depth, custom terms). Talk to us with your environment details; we'll scope a quote.
Gaps we'll close
What we don't yet do, but you might need.
Vendor-side SOC 2 report
Not available today. The Enterprise tier adds compliance evidence packs that slot into your own audit work. If a vendor-side SOC 2 is a hard procurement gate today, factor in the Phase 4 timeline.
Cluster mode + HA failover
Today's deployment is single-node. For 99.95%+ uptime targets you'd architect with a hot-standby pattern (replicated Postgres + duplicate Vectis Mail install on a secondary host) until the Phase 4 native clustering ships.
Strict cross-tenant isolation
Today's tenancy isolation is suitable for trusted-tenant scenarios. For mutually-distrustful tenant pairs on shared infrastructure, the safe answer today is one Vectis install per tenant boundary. Enterprise tier ships hardened isolation for shared-tenancy use cases.
Calendar / contacts (CalDAV / CardDAV)
Not yet; Phase 4 roadmap. If you need Exchange-replacement scope (mail + calendar + contacts in one stack), Vectis Mail covers mail today and the rest later. Pairing with a separate CalDAV/CardDAV server in the interim is workable.
Frequently asked questions
What's available today vs the planned Enterprise tier?
Today, Vectis Mail ships Starter (free) and Pro ($29 USD/tenant/month). Both are fully self-hosted on your infrastructure with BSL 1.1 source available. Pro adds unlimited domains, per-domain analytics, advanced spam controls, OIDC SSO, and priority support. The dedicated Enterprise tier (gated on Phase 4 work) will add clustering for HA, stronger multi-tenancy isolation guarantees, audit-report packs (SOC 2 evidence, compliance evidence), and dedicated support SLAs. Enterprise tier launches later in 2026; the timeline depends on multi-tenancy hardening shipping properly first.
Can I run Vectis Mail on-premise or in an air-gapped environment?
Yes. Vectis Mail is a Docker Compose stack that runs on any Linux host you control: your own data centre, sovereign cloud, air-gapped network. The Pro licence verification call (the only outbound dependency) contacts api.validonx.com once per licence refresh; that's the only network requirement. For fully air-gapped deployments, contact us about offline licence operation modes.
Do you offer SOC 2 / HIPAA / ISO 27001 reports?
Not as a Vectis Mail vendor today. Because Vectis Mail is self-hosted, the compliance posture is yours: you operate the controls, you produce the evidence. The Enterprise tier will add audit-evidence packs (logs, configuration attestations, change-management trails) designed to slot into your own SOC 2 / HIPAA / ISO 27001 audit work. If you have a procurement timeline requiring a vendor-side SOC 2 report, talk to us. We can scope the right path for you.
Do you offer enterprise support / SLAs?
Pro includes priority email support today. Dedicated SLA-backed support (guaranteed response times, named contacts, escalation paths) lands with the Enterprise tier. If you need that earlier, get in touch. We can put together a custom support agreement until the Enterprise tier lands.
How does Vectis Mail handle multi-tenancy at enterprise scale?
Vectis Mail is multi-tenant from the database up: tenants, domains, mailboxes, and API keys are isolated at the database row level. Today's isolation is suitable for trusted-tenant scenarios (multiple internal business units, multiple managed customer brands under one operator). Strict cross-tenant security isolation guarantees (the level you'd want before running mutually-distrustful tenants on shared infrastructure) land with the Enterprise tier. Until then, the safe answer for security-sensitive tenant pairs is one install per tenant boundary.
How do I get started with a pilot or proof of concept?
Two paths. (1) Self-serve: install Vectis Mail on a sandbox VPS, evaluate Pro features for free (the Pro upgrade unlocks a 30-day grace period before billing kicks in). (2) Guided: contact us with your environment details, compliance requirements, and timelines; we'll scope a pilot that addresses your specific procurement gates. Some enterprise teams prefer to validate the architecture first, then layer compliance work on top.
Let's talk about your environment
Enterprise procurement isn't self-serve. Tell us what you need; we'll scope the right path: pilot, Pro evaluation, or Enterprise tier scoping for Phase 4.