Security

All data is encrypted at every stage of its lifecycle, using industry-standard cryptographic algorithms that meet or exceed regulatory requirements.

• TLS 1.3 encryption for all data in transit between your browser and our servers
• AES-256 encryption at rest for all stored data
• API keys are cryptographically hashed before storage and cannot be retrieved after creation
• Passwords are salted and hashed using industry-standard algorithms, making brute-force attacks computationally infeasible
• DMARC report payloads are integrity-verified on ingestion
• All database connections are encrypted end-to-end

Workspace isolation is enforced at the database level using PostgreSQL Row Level Security (RLS), ensuring that no application-layer bug can ever expose another tenant's data.

• Row Level Security policies are applied to every tenant-scoped table in the database
• Workspace scoping is enforced at the database level on every query
• No cross-tenant data access is possible, regardless of application logic
• Separate policies are defined for each database operation type
• Workspace membership is verified on every request before data is returned

Multiple authentication methods and a granular role-based access control system ensure that only authorized users can access your workspace and its data.

• Email/password and magic link authentication
• 4-tier role-based access control: owner, admin, member, and viewer
• Session tokens with automatic refresh and encrypted cookie storage
• Rate limiting on authentication endpoints to prevent brute-force attacks
• Strong password requirements with complexity rules
• Common password blocklist to prevent use of known compromised passwords

Every significant action is captured in an immutable audit trail, providing full visibility into who did what and when across your workspace.

• Immutable audit trail for all significant operations (domain changes, team modifications, billing events, exports)
• Tamper-proof: no UPDATE or DELETE operations are permitted on audit tables
• Each record captures: action type, actor, target resource, IP address, user agent, and timestamp
• Retention by plan tier: 60 days (Starter), 180 days (Growth), 365 days (Agency)
• Audit logs are available for export in standard formats for compliance reviews

Inbox Insignia runs on enterprise-grade, certified cloud infrastructure from industry-leading providers with proven security track records.

• Vercel hosting — SOC 2 Type 2 and ISO 27001 certified
• Supabase database — SOC 2 Type 2 certified PostgreSQL
• Stripe payment processing — PCI DSS Level 1 compliant
• Automated daily backups with point-in-time recovery
• Global edge network with built-in DDoS protection
• Zero-downtime deployments via rolling updates

Defense-in-depth principles are applied throughout the application layer, with multiple overlapping controls to prevent common web vulnerabilities.

• Strict input validation on all API endpoints and server actions
• SSRF prevention to block internal network access from user input
• Cryptographic webhook verification to prevent replay and tampering attacks
• Comprehensive security headers including HSTS, Content-Security-Policy, and frame protection
• XXE prevention in XML parsing
• CSRF protection via secure cookie policies and origin validation

Your data is managed with strict lifecycle controls, ensuring it is retained only as long as needed and deleted securely when no longer required.

• Configurable data retention policies per workspace and plan tier
• Automated data cleanup via scheduled background jobs
• Cascading deletion on workspace removal — all associated data is permanently erased
• Payment card data never touches our servers (handled entirely by Stripe within their PCI scope)
• Data export available in CSV, PDF, and JSON formats for portability
• Right to erasure supported — request complete account and data deletion at any time

We maintain a formal incident response plan with defined severity levels, response timelines, and communication procedures to handle security events swiftly.

• 72-hour breach notification commitment, aligned with GDPR Article 33
• Post-incident reports provided within 5 business days of resolution
• Internal severity classification with defined response timelines for each priority level
• Affected customers are notified directly with details of the incident, impact assessment, and remediation steps
• Dedicated security contact: security@inboxinsignia.com

We welcome responsible security research and provide safe harbor for good-faith vulnerability reports that help us improve our security posture.

• Responsible disclosure policy with safe harbor for good-faith security researchers
• 48-hour acknowledgment of all vulnerability reports
• 5 business day triage and severity assessment
• Defined scope covering our domains, API endpoints, and authentication flows
• Social engineering, DoS/DDoS attacks, and third-party services are out of scope
• Report vulnerabilities to: security@inboxinsignia.com

Inbox Insignia is designed to meet the requirements of major international data protection regulations and maintains compliance through our certified infrastructure partners.

• GDPR (EU/EEA), CCPA/CPRA (California), PIPEDA (Canada), UK GDPR, and Australian Privacy Act compliance
• Infrastructure partners maintain SOC 2 Type 2 and ISO 27001 certifications
• PCI DSS compliance through Stripe — card data is never processed or stored by us
• Data Processing Agreement available at /dpa
• Subprocessor list available at /subprocessors