Security
We hold real customer mail. Here's how we keep it safe — at the network, application, data, and operational layers.
Encryption
- TLS 1.2+ on every public endpoint (Let's Encrypt, auto-rotated).
- AES-256 at rest for Postgres + object storage (AWS-managed keys).
- Internal traffic stays on the private VLAN; no public DB exposure.
Authentication
- Bcrypt password hashing (cost 12), Auth.js sessions on httpOnly cookies.
- TOTP 2FA available to every user, mandatory for super-admins.
- API keys: inb_live_…, hashed with SHA-256 server-side; plaintext shown once.
- SAML/OIDC SSO for enterprise plans.
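A sketch of the API key handling listed above, added here as an example and not the production implementation. The key length, encoding, record fields and in-memory store are assumptions; only the inb_live_ prefix and the use of SHA-256 come from this page. A fast hash is adequate here because the key is a long random value, unlike a user-chosen password, which gets bcrypt.

```javascript
// Added example, not the service's own code. Key size, encoding and
// record fields are assumptions; the Map stands in for a database table.
const nodeCrypto = require('node:crypto');

const PREFIX = 'inb_live_';   // prefix shown on the page
const store = new Map();      // constructed store: SHA-256 digest -> record

function sha256Hex(value) {
  return nodeCrypto.createHash('sha256').update(value, 'utf8').digest('hex');
}

// Create a key. The plaintext is returned to the caller exactly once;
// only its digest and a short display hint are stored.
function issueApiKey(tenantId) {
  const secret = nodeCrypto.randomBytes(32).toString('base64url'); // 256 random bits (assumed size)
  const plaintext = PREFIX + secret;
  store.set(sha256Hex(plaintext), {
    tenantId,
    hint: plaintext.slice(0, PREFIX.length + 4) + '…', // lets a user recognise the key in the UI
    revoked: false,
  });
  return plaintext;
}

// Resolve a presented key to its tenant, or null if unknown or revoked.
// The lookup is by digest, so a leaked table never yields usable keys.
function verifyApiKey(presented) {
  if (typeof presented !== 'string' || !presented.startsWith(PREFIX)) return null;
  const record = store.get(sha256Hex(presented));
  if (!record || record.revoked) return null;
  return record.tenantId;
}

// Revoke by presenting the key; returns false if it was never issued.
function revokeApiKey(presented) {
  const record = store.get(sha256Hex(presented));
  if (record) record.revoked = true;
  return Boolean(record);
}
```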
Tenant isolation
- Every query is tenant-scoped at the application layer.
- Postgres row-level security policies enforce isolation independently.
- Webhook payloads include only the tenant's own data; HMAC-signed.
Auditability
- Every privileged action goes to the audit log (kept 13 months).
- Visible in-product at /audit.
- JSON export of your data on demand from Settings → Danger zone.
Infrastructure
- Hosted in AWS Sydney + us-east-2; no third-region replication required.
- Daily Postgres backups, encrypted, 30-day retention, restore-tested quarterly.
- SES for outbound mail (verified domain identity, DKIM/SPF/DMARC aligned).
Operational practice
- Production access limited to the on-call engineer; every shell session logged.
- Dependencies pinned and audited; npm audit gates release.
- Incidents posted to /status within minutes.
- Annual external penetration test (results available under NDA).
Reporting a vulnerability
Security researchers can email security@getinboxr.app. Please review our acceptable-use policy first and give us a reasonable window before public disclosure.
Need a SOC 2 report or signed DPA? Email security@getinboxr.app.