Security

Security at SendStack

Sending is trust infrastructure. Here is how we protect your account, your data and your recipients.

Encryption in transit

All API and dashboard traffic is served over HTTPS/TLS. Message payloads and credentials never travel unencrypted.

Scoped API keys

Keys are workspace-scoped, shown once at creation, stored hashed, and can be rotated or revoked at any time. Use separate keys per environment.

Tenant isolation

Every workspace is isolated at the database layer with row-level security, so one tenant can never read another tenant’s data.

Proven infrastructure

We build on established cloud providers (including AWS for email) and delegate delivery to vetted subprocessors under their own security controls.

Data minimisation

We store only the metadata needed to deliver and report on your sends. Deletes are honoured, and personal data is anonymised on account erasure.

Signed webhooks

Delivery events are signed with a per-endpoint secret so you can verify every payload came from us and was not tampered with.

Responsible disclosure

If you believe you have found a security vulnerability in SendStack, we want to hear from you. Email a detailed report to [email protected] and give us a reasonable window to investigate and fix the issue before any public disclosure. Please do not access or modify data that is not yours, and avoid actions that could degrade the service for other customers. We appreciate good-faith research and will acknowledge valid reports.