Security

Security is in Our DNA

Your email credentials and business data deserve enterprise-grade protection. We engineer security into every layer, from encryption primitives to infrastructure monitoring.

AES-256-GCM, Argon2id, TLS 1.3, RS256 JWT, TOTP/2FA, RBAC, CSP, HSTS, CORS, HMAC

Encryption at Rest

All email credentials are encrypted with AES-256-GCM, the same standard used by banks and governments. Passwords are hashed with Argon2id (memory_cost=32MB, time_cost=2), the winner of the Password Hashing Competition. No plaintext secrets ever touch disk.

Encryption in Transit

TLS 1.3 is required for all production connections. Every API call, webhook, and OAuth handshake is encrypted end-to-end. HSTS headers enforce HTTPS across every subdomain. Downgrade attacks are not possible.

Authentication & Sessions

JWTs are signed with RS256 asymmetric keys. Optional 2FA/TOTP for all accounts, with QR-code provisioning and backup recovery codes. Session management with automatic expiration and device tracking. Rate limiting on all auth endpoints.

Infrastructure Security

PostgreSQL 17 with encrypted connections and parameterized queries preventing SQL injection. Redis protected with password authentication and a singleton connection pool. Firewall rules restrict access to application ports only. No public database exposure.

Access Control & RBAC

Role-based access control with 50+ granular permissions spanning platform, organization, workspace, and sub-account levels. Custom roles allow fine-grained policy definition. Audit logging captures every critical action with actor, target, timestamp, and IP address.

Data Protection & GDPR

Fully GDPR compliant with configurable data retention policies, right to access, and right to deletion. Organization soft-delete prevents accidental cascade deletion of hundreds of thousands of rows. Personal data is exportable on request.

API Security

Per-plan rate limiting via Redis sliding window with JWT-decoded tier enforcement. Request body size capped at 10MB. CORS configured per environment with strict origin allowlists. Content Security Policy headers with configurable sources. HMAC-signed email verification tokens.
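As an added illustration of the HMAC-signed verification tokens mentioned above (example code written for this page, not WarmupSleuth's own implementation), the following Python uses only the standard library to issue and check a token that binds its purpose, the user, the email address and an expiry under an HMAC-SHA256 tag. The key, claim names, TTL and `now` parameter are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret for this example only; a deployment would load
# the key from a secrets manager and rotate it.
SECRET_KEY = b"example-only-secret-not-for-production"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed 24-hour validity window


def _b64encode(data: bytes) -> str:
    # URL-safe base64 without padding, so the token is safe inside a link.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    # Restore padding; malformed input raises binascii.Error or ValueError.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(user_id: str, email: str, now: int,
                key: bytes = SECRET_KEY, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Return '<payload>.<mac>' for an email-verification link.

    The payload carries a purpose string (so the token cannot be reused for
    password reset or similar flows), the subject, the address being verified,
    an absolute expiry and a random nonce. The MAC covers the whole payload.
    """
    claims = {
        "purpose": "email-verify",
        "sub": user_id,
        "email": email,
        "exp": now + ttl,
        "nonce": secrets.token_hex(8),
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64encode(payload)}.{_b64encode(_mac(payload, key))}"


def verify_token(token: str, user_id: str, email: str, now: int,
                 key: bytes = SECRET_KEY) -> bool:
    """Check the MAC first, then the claims; any failure is a plain False."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _b64decode(payload_b64)
        presented = _b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return False
    # Constant-time comparison before any field of the payload is trusted.
    if not hmac.compare_digest(presented, _mac(payload, key)):
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(claims, dict) or claims.get("purpose") != "email-verify":
        return False
    # Bind the token to the account and address the caller is acting on.
    if claims.get("sub") != user_id or claims.get("email") != email:
        return False
    exp = claims.get("exp")
    return isinstance(exp, int) and now < exp


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("u42", "alice@example.com", now=t0)
    print(tok)
    print("fresh:", verify_token(tok, "u42", "alice@example.com", now=t0 + 60))
    print("expired:", verify_token(tok, "u42", "alice@example.com",
                                   now=t0 + TOKEN_TTL_SECONDS))
```

Two design points carry over to any implementation of this pattern: the MAC is compared in constant time and before the payload is parsed, so nothing in an unauthenticated payload influences control flow, and the token states what it is for and whom it belongs to, so a tag issued for one account or one flow is rejected when presented for another. A real service would additionally persist the nonce or a used flag so a verification link cannot be replayed within its validity window.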

Monitoring & Observability

Full observability stack with Prometheus metrics collection, 4 pre-configured Grafana dashboards, Jaeger distributed tracing, and Loki log aggregation via Promtail. Real-time alerting on error spikes, latency degradation, and security anomalies.

SOC 2 Roadmap

We are actively pursuing SOC 2 Type II certification. Our engineering practices already align with Trust Service Criteria: security controls, availability monitoring, processing integrity checks, confidentiality measures, and privacy safeguards are baked into every layer.

Responsible Disclosure

We welcome security researchers. Report vulnerabilities to security@warmupsleuth.com. We acknowledge reports within 24 hours, triage within 72 hours, and aim to resolve critical issues within 7 days. We will never take legal action against good-faith researchers.

Our Security Commitment

Security is not a feature we bolt on -- it is foundational to how we architect, code, and operate WarmupSleuth. Every pull request goes through automated security scanning. Every deployment is gated by infrastructure-as-code checks.

We run regular penetration tests, maintain a private bug bounty program, and follow the principle of least privilege across all systems. Our team undergoes ongoing security training, and we stay current with OWASP Top 10, NIST guidelines, and emerging threat vectors.

If you have specific compliance requirements (HIPAA, ISO 27001, or custom security questionnaires), contact our security team and we will work with you directly.

Report a Vulnerability

Found a security issue? We take every report seriously. Reach out to our security team and we will respond within 24 hours. Good-faith researchers are always protected.

PGP key available on request. We support coordinated disclosure with a 90-day timeline.