Security
We treat security as a baseline. Here is how we protect the product and your data.
Authentication and access
Sign-in uses industry-standard practices: hashed passwords, secure sessions, and optional OAuth (Google, Apple). API access uses scoped API keys; we store only a hashed representation of each key and its prefix. We do not log or expose raw keys.
Data in transit and at rest
All traffic is served over HTTPS. Sensitive data (credentials, API keys, tokens) is hashed or encrypted as appropriate. Email content and recipient data are processed to deliver the service and to give you visibility into events; we do not use them for other purposes.
Infrastructure and operations
We run on established infrastructure providers. Access to production systems is restricted and audited. We follow standard practices for backups, dependency updates, and incident response.
Compliance and transparency
We align with applicable data protection and privacy laws (including GDPR and CCPA) as set out in our Privacy Policy. We are transparent about what we build and what we use for delivery—see Transparency.
Reporting a vulnerability
If you believe you have found a security issue, please report it to [email protected]. We will respond promptly and will not take legal action against good-faith researchers who follow responsible disclosure.