trustyourinbox
← All legal

Security

Last updated: 2026-04-29

This page describes the security posture of trustyourinbox today. We're a small operation — so we lean on hardened vendors, encrypt sensitive data at rest and in transit, and keep the attack surface small. We'll update this page as the posture matures (formal SOC 2 / ISO 27001 work is targeted for V3).

Encryption

  • At rest — customer data is stored in Neon Postgres (AES-256 at rest by Neon's default) and Cloudflare R2 (AES-256 by Cloudflare's default). Application secrets (API keys, signing tokens) are stored as Cloudflare Worker secrets, encrypted and only injected into the Worker runtime at request time.
  • In transit — TLS 1.2+ everywhere. Cloudflare's edge handles TLS termination for the public site and dashboard. All vendor APIs we call (Anthropic, Resend, Clerk, Neon, Stripe) require TLS.

Authentication and access control

  • End-user authentication — handled by Clerk (industry-standard provider, SOC 2 Type II compliant). Passwords are bcrypt-hashed; sessions are JWT short-lived. MFA is available; we recommend enabling it.
  • Multi-tenant isolation — every query in the dashboard is scoped to the requesting user's workspace_id. There is no cross-tenant data access path. This is enforced at the query layer, not just the route layer.
  • Founder access — today, only the founder has direct access to production infrastructure. No third-party support engineers, no shared accounts. When we add staff, we'll publish a vendor list update and rotate any compromised credentials.

Vendor list

We use these vendors. Each has its own published security posture:

  • Cloudflare — hosting, Workers, R2, DNS, Email Routing. Cloudflare's compliance documentation (SOC 2 Type II, ISO 27001, ISO 27701, PCI DSS, FedRAMP, GDPR).
  • Neon — Postgres database hosting. SOC 2 Type II.
  • Clerk — authentication. SOC 2 Type II, GDPR + CCPA compliant.
  • Anthropic — Claude API for plain-English summaries. SOC 2 Type II. We do not enable training-data retention; what we send to the API is processed and discarded per Anthropic's standard retention.
  • Resend — outbound transactional email.
  • Stripe — payment processing (when paid tiers launch). PCI DSS Level 1. We do not handle card details ourselves; Stripe Checkout handles them.

Data isolation and retention

See our Privacy Policy for what we collect and how long we keep it. The headline numbers: account data while active + 30 days; raw .eml files in R2 for 7 days then auto-deleted; parsed DMARC reports kept while your workspace is active.

Backups

Our Postgres database is backed up by Neon's standard snapshot policy. We have not formalized a Recovery Time Objective (RTO) or Recovery Point Objective (RPO) — that formalization is on the V3 hardening roadmap.

Incident response

If we discover a security incident affecting customer data, we will:

  1. Contain the incident immediately and revoke compromised credentials.
  2. Notify affected customers via email within 72 hours of discovery, or sooner if required by applicable law.
  3. Publish a post-incident summary on this page describing what happened, what was affected, and what we changed to prevent recurrence.
  4. Cooperate with any required regulatory or law enforcement reporting.

Reporting a vulnerability

Email dmistry@yourhostdirect.com with subject line [security]. Include:

  • A description of the issue and steps to reproduce it.
  • Any relevant URLs / API calls / screenshots.
  • Your name (so we can credit you, if you'd like).

We don't run a paid bug bounty yet. We respond within 2 business days, usually same-day. We won't pursue legal action against good-faith researchers who follow standard responsible-disclosure norms (don't exfiltrate data beyond what's needed to prove the issue, don't disrupt service, give us reasonable time to fix before public disclosure — typically 90 days).

Compliance and audit posture (current)

  • SOC 2 / ISO 27001 — not yet certified. We are following SOC-2-aligned practices (least-privilege access, vendor compliance review, encryption at rest and in transit, audit log of all data-modifying actions). Formal SOC 2 Type 1 readiness assessment is on the V3 roadmap.
  • GDPR / UK GDPR — we comply with the rights described in our Privacy Policy. A standard DPA is available on request — email dmistry@yourhostdirect.com.
  • HIPAA — not in scope. Don't use trustyourinbox to monitor domains that send PHI in DMARC report metadata (DMARC aggregate reports don't contain message content, but if your sending domain is itself subject to HIPAA, you should run your own diligence on whether the metadata flow meets your obligations).
  • PCI DSS — out of scope (we never handle card data).

See also: Privacy Policy · Terms of Service · Acceptable Use Policy.