Boring infrastructure, on purpose
Nothing exotic here. The goal is a shared-IP sending reputation that every customer can rely on, protected by unglamorous, well-tested practices.
Encryption in transit
TLS everywhere, terminated at Caddy, no plaintext HTTP path to the API or dashboard.
API keys, hashed
Keys are SHA-256 hashed at rest and prefix-searchable for support — we can't read your live key back to you, ever.
Signed webhooks
Every webhook is HMAC-SHA256 signed. Verify the signature before trusting a payload; retries use exponential backoff with a per-endpoint circuit breaker.
Rate limits, per key
Per-API-key rate limits enforced in Redis, independent of account-level sending quota.
Tested backups
pgBackRest point-in-time recovery, restore-tested monthly, not just configured and forgotten.
Least-privilege infrastructure
Separate production and staging AWS accounts, least-privilege IAM roles, secrets held in SOPS/age — never in plaintext env files in a repo.
Dependency scanning
Automated dependency and vulnerability scanning in CI on every merge.
Audit-logged admin actions
Every administrative action against a customer account is logged and attributable.
Uptime and incident history
A public status page tracks API uptime, SES send latency, and any active incidents. Every incident gets a written post-mortem within 5 business days.
View status pageFound a vulnerability?
We take reports seriously and respond fast — email directly, no bug bounty bureaucracy required for a good-faith report.
Read security.txt