Security
Last updated: 2026-05-10
Security is foundational to email verification — we handle email lists at scale and probe production mail servers. This page summarises how we protect data and infrastructure.
Encryption
- In transit: TLS 1.2+ on every public endpoint. HSTS enforced. Certificates auto-renewed via Let's Encrypt.
- At rest: production databases encrypted at the disk level. Sensitive columns (API keys, OAuth tokens) hashed or encrypted application-side.
- SMTP probes: outgoing SMTP uses STARTTLS where the recipient server supports it.
Access control
- Production access is limited to named operators via SSH key-based auth. Passwords are not used.
- The dashboard supports role-based access (admin / support / regular user). Admin actions are logged to the activity ledger.
- API keys are hashed in the database. The raw key is shown only once at creation.
- Internal services (Redis, Postgres, the verification engine) bind to loopback or private network only — no public exposure.
Network & perimeter
- Cloudflare in front of the marketing site for DDoS mitigation, bot detection, and WAF.
- fail2ban on the SSH layer with progressive bans on brute-force attempts.
- Rate limiting at the application layer per API key, per user, and per IP.
- Cloudflare Turnstile on the public demo widget and signup form.
Application security
- Webhook payloads from the verification engine are HMAC-SHA256 signed and verified before processing.
- Idempotency on credit and webhook events via unique idempotency_key constraints — replays do not double-charge.
- Anti-abuse signal stack on signup: IP duplicate check, IPQS proxy/datacenter detection, disposable-domain check, Turnstile, signup-speed honeypot.
- Free-tier rate limiting (1 verify per 60 seconds) bypassed only for paying customers.
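The webhook signing and idempotency items above combine into one receive path: authenticate the raw body, then parse, then deduplicate. The following is an added sketch, not this service's code. The hex signature encoding, the `credits` field, the secret value and the in-memory set (standing in for a unique idempotency_key constraint in the database) are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Producer side: hex HMAC-SHA256 over the exact raw body bytes.
function sign(rawBody, secret) {
  return nodeCrypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Consumer side. seenKeys stands in for a UNIQUE(idempotency_key) constraint.
function createReceiver(secret) {
  const seenKeys = new Set();
  let creditsApplied = 0;

  function handle(rawBody, signatureHex) {
    const expected = Buffer.from(sign(rawBody, secret), 'hex');
    const given = Buffer.from(String(signatureHex), 'hex');
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (given.length !== expected.length ||
        !nodeCrypto.timingSafeEqual(given, expected)) {
      return 'rejected';
    }
    const event = JSON.parse(rawBody); // parsed only after the MAC checks out
    const key = event.idempotency_key;
    if (typeof key !== 'string' || key === '') return 'rejected';
    // A replay of a valid signed event is acknowledged but never re-applied.
    if (seenKeys.has(key)) return 'duplicate';
    seenKeys.add(key);
    creditsApplied += event.credits;
    return 'processed';
  }

  return { handle, total: () => creditsApplied };
}

// Constructed sample event and secret; not real service data.
function demo() {
  const secret = 'example-shared-secret';
  const rx = createReceiver(secret);
  const body = JSON.stringify({ idempotency_key: 'evt-0001', credits: 100 });
  const sig = sign(body, secret);
  return {
    first: rx.handle(body, sig),
    replay: rx.handle(body, sig),
    tampered: rx.handle(body.replace('100', '900'), sig),
    badSig: rx.handle(body, 'zz'),
    total: rx.total(),
  };
}

console.log(demo());
```

In a real deployment the duplicate check and the credit update belong in one database transaction, so that the unique constraint, not application memory, decides whether an event was already applied.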
Backups
- Postgres point-in-time recovery via WAL archiving, retained 7 days.
- Daily off-site database snapshots, retained 30 days.
- Restore drills run quarterly.
Vulnerability management
- Dependabot enabled on our public repository.
- Composer and npm advisories monitored; patches applied within 72 hours for high/critical severity.
- Engine and worker images rebuilt on every deploy with the latest base OS packages.
Incident response
If we detect a security incident affecting customer data, we will notify affected customers by email within 72 hours of confirmation, in line with GDPR Article 33. Subscribe to our status updates for non-incident operational notices.
Reporting a vulnerability
We welcome responsible disclosure. Email [email protected] with reproduction steps. Please give us 90 days to remediate before public disclosure. We do not currently offer a paid bug bounty but will publicly credit researchers who request it.
Compliance
- GDPR — see our GDPR page
- SCCs in place for international data transfers
- SOC 2 — not yet certified; targeted for 2027
Questions? Contact [email protected].