Security you can verify
grommunio is secure by default, European by origin, and 100% open source — so you never have to take our word for it. Inspect the code, run it in your own jurisdiction, and keep full control of your data.
- 100%: Open Source & auditable
- EU: European jurisdiction
- S/MIME: End-to-end encryption
- SSO + MFA: Strong authentication
Hardened at every layer
Security is foundational to grommunio, not a bolt-on. Independent, layered controls span transport, application, storage and identity — with fully transparent, open-source code anyone can inspect.
Secure by default
TLS everywhere, modern ciphers and hardened defaults out of the box — no insecure legacy modes to switch off.
Defense in depth
Independent, layered controls across transport, application, storage and identity, so no single failure is ever fatal.
Least privilege
Granular role-based access control and delegated administration — every user and admin gets only what they need.
End-to-end encryption
S/MIME signing and encryption for message authenticity, integrity and confidentiality.
Spam & malware defense
grommunio-antispam (powered by Rspamd) and ClamAV screen every message with rule-based, statistical and signature analysis.
Strong authentication
Multi-factor authentication with OIDC and SAML enforces modern, federated, policy-driven access.
Transparent & auditable
100% open source on GitHub and Codeberg — the code is there for anyone to inspect, audit and verify. No black boxes.
Continuous hardening
Rapid security updates, coordinated CVE response and a responsible-disclosure process.
Sovereign & compliant
Run on infrastructure you control, in your own jurisdiction — GDPR-aligned by design.
Trust, because you can verify it
Open source isn't a marketing word here — it's the security model. You can read every line, run it anywhere, and never depend on a vendor's promise.
- Fully transparent: The entire platform — from the gromox core to the web applications — is open source and auditable on GitHub and Codeberg.
- European by origin: grommunio is engineered in Europe by grommunio GmbH (Vienna, Austria), squarely within EU data-protection law.
- Your data, your jurisdiction: Self-host on-premises, in your private cloud, or with a certified European partner. grommunio itself stores none of your data.
- No vendor lock-in: Open standards and native Exchange protocols mean you can integrate, migrate and leave entirely on your own terms.
- GDPR-oriented architecture: Designed to enable GDPR-compliant deployments — actual compliance depends on your hosting model and organizational measures.
- You control the updates: Patch and upgrade on your own schedule, with predictable, professionally supported release cycles.
Report a vulnerability
Found a security issue? We want to hear from you. grommunio follows a coordinated vulnerability-disclosure process: report it privately, give us a reasonable window to investigate and ship a fix, and we'll keep you informed and credit your work.
How to report: email [email protected] with the details — affected component and version, reproduction steps, and impact. Please don't disclose the issue publicly until a fix is available.
What happens next: we acknowledge your report, investigate and reproduce the issue, develop and release a fix, request a CVE where appropriate, and coordinate public disclosure with you. Security fixes are delivered through the regular update channels for supported releases.
Security — frequently asked questions
Is grommunio really open source and auditable?
Yes. grommunio is 100% open source — the gromox core and the surrounding components are published under open-source licenses on GitHub (github.com/grommunio) and Codeberg (codeberg.org/grommunio). Anyone can read, audit and verify the code; there are no proprietary black boxes.
Where is my data stored?
Wherever you choose to run grommunio — on-premises, in your private cloud, or with a European hosting partner. Your data stays in your own infrastructure and jurisdiction; grommunio itself does not store customer data.
Is grommunio GDPR compliant?
grommunio is designed as European open-source software that enables GDPR-compliant deployments. Actual compliance depends on the specific implementation, hosting model and organizational measures you put in place.
How are vulnerabilities and CVEs handled?
Through a coordinated responsible-disclosure process: report privately to [email protected], we investigate and develop a fix, request a CVE where appropriate, and ship the fix through the regular update channels for supported releases while coordinating public disclosure with the reporter.
What authentication and encryption does grommunio support?
TLS everywhere by default, S/MIME for end-to-end message signing and encryption, and strong authentication via multi-factor authentication, OpenID Connect (OIDC), SAML 2.0, and LDAP / Active Directory.
How is spam and malware handled?
Every message is screened by grommunio-antispam (powered by Rspamd) and ClamAV, combining rule-based, statistical and signature-based analysis at the mail edge.