Security at SendStack
Sending is trust infrastructure. Here is how we protect your account, your data and your recipients.
Encryption in transit
All API and dashboard traffic is served over HTTPS/TLS. Message payloads and credentials never travel unencrypted.
Scoped API keys
Keys are workspace-scoped, shown once at creation, stored hashed, and can be rotated or revoked at any time. Use separate keys per environment.
Tenant isolation
Every workspace is isolated at the database layer with row-level security, so one tenant can never read another tenant’s data.
Proven infrastructure
We build on established cloud providers (including AWS for email) and delegate delivery to vetted subprocessors under their own security controls.
Data minimisation
We store only the metadata needed to deliver and report on your sends. Deletes are honoured, and personal data is anonymised on account erasure.
Signed webhooks
Delivery events are signed with a per-endpoint secret so you can verify every payload came from us and was not tampered with.
Responsible disclosure
If you believe you have found a security vulnerability in SendStack, we want to hear from you. Email a detailed report to [email protected] and give us a reasonable window to investigate and fix the issue before any public disclosure. Please do not access or modify data that is not yours, and avoid actions that could degrade the service for other customers. We appreciate good-faith research and will acknowledge valid reports.