Security is embedded in our development lifecycle, not treated as an afterthought. We maintain organizational practices that ensure security is a continuous priority across every level of our platform.
Internal security reviews: Regular reviews of access controls, configurations, and deployment practices to identify and address gaps proactively.
Least privilege access: The principle of least privilege is enforced for all internal systems access and database permissions. Team members receive only the access necessary for their role.
Secure development practices: Mandatory code review before deployment, dependency auditing, and strict environment separation between development, staging, and production.
Secrets management: Encryption keys, API keys, and credentials are stored in environment variables and secrets management systems, never committed to source control.
Team security awareness: Credential hygiene, phishing recognition, and secure communication practices are part of our team culture.
2. Risk Management
We take a structured approach to identifying, assessing, and mitigating risk across our infrastructure, application layer, and third-party dependencies.
Third-party vendor security: We evaluate the security posture of every critical vendor. Stripe (PCI DSS Level 1 certified) handles payment processing. Neon (SOC 2 Type II) provides database hosting with encryption at rest and automated backups. Upstash (SOC 2 Type II) powers our Redis and queue infrastructure.
Business continuity: Automated database backups with point-in-time recovery ensure data durability. Self-healing background workers recover from transient failures without manual intervention, minimizing service disruption.
Separation of concerns: Encryption keys are stored separately from encrypted data. Production credentials are isolated from development environments with no shared access.
Change management: All code changes are reviewed before deployment to production, ensuring changes are intentional, tested, and do not introduce regressions.
3. Vulnerability Management
We proactively identify, track, and remediate security vulnerabilities across our codebase and dependencies.
Dependency scanning: Automated vulnerability scanning of all third-party packages is integrated into our development workflow, with timely patching of known vulnerabilities.
Secure coding practices: Input validation and sanitization on all user-facing endpoints. HTML sanitization via DOMPurify to prevent cross-site scripting (XSS). Parameterized database queries via Drizzle ORM to prevent SQL injection. CSRF protection through SameSite cookie policies.
Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks, with IP-based throttling on login and verification endpoints.
Security hardening: HTTP security headers are enforced via Helmet.js (detailed in Section 12), including frame protection, MIME sniffing prevention, and strict referrer policy.
Continuous improvement: Security findings from code reviews and monitoring are tracked and remediated, with root cause analysis to prevent recurrence.
4. Compliance Alignment
Our security practices are informed by industry-standard frameworks including SOC 2 Trust Service Criteria and HIPAA Security Rule requirements.
Administrative controls: Security governance, risk assessments, access management policies, and workforce security practices aligned with SOC 2 CC1 and HIPAA Administrative Safeguards.
Technical controls: Encryption (AES-256-GCM at rest, TLS 1.2+ in transit), access controls (OAuth 2.0, RBAC), audit logging, and integrity verification.
Operational controls: Incident response procedures, change management, vendor assessment, and business continuity planning.
We are committed to expanding our formal compliance program as we grow. For specific compliance questions or to request our security documentation, contact hello@warmysender.com.
5. Infrastructure Security
WarmySender is hosted on enterprise-grade infrastructure with HTTPS enforced on all connections. Our PostgreSQL database is managed by Neon, which provides automated daily backups, point-in-time recovery, and encryption at rest. All data in transit between services is encrypted using TLS 1.2 or higher.
6. Data Encryption
We employ strong encryption standards to protect your data at every layer:
At rest: Sensitive credentials (IMAP/SMTP passwords, app-specific passwords) are encrypted using AES-256-GCM with unique initialization vectors per record.
In transit: All network traffic is encrypted with TLS 1.2+ (HTTPS). Internal service-to-service communication uses encrypted connections.
Key management: Encryption keys are stored separately from encrypted data and are never committed to source control.
7. Authentication & Access Control
WarmySender implements multiple layers of authentication and authorization:
OAuth 2.0 / OpenID Connect: Primary authentication via trusted identity providers. We never store user passwords.
Secure sessions: Session cookies carry the HttpOnly, Secure, and SameSite attributes and have configurable expiration. Sessions are stored server-side and can be revoked at any time.
Workspace RBAC: Role-based access control with owner, admin, and member roles. Each workspace is fully isolated with tenant-level data separation.
Email account OAuth: Gmail and Microsoft Outlook connections use OAuth 2.0 with automatic token refresh, so we never handle email passwords for these providers.
8. Payment Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. WarmySender never stores, processes, or has access to your full credit card numbers. Payment forms are rendered directly by Stripe's secure elements, and all billing operations go through Stripe's API with webhook signature verification (HMAC-SHA256) to prevent tampering.
9. API Security
The WarmySender Public API (v1) is protected with industry-standard security measures:
API key authentication: Keys are hashed using SHA-256 before storage. Raw keys are shown only once at creation time and cannot be retrieved afterward.
Rate limiting: Enforced at 60 requests per minute per API key, with standard rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) in every response.
Webhook signing: Outbound webhooks are signed with HMAC-SHA256 so you can verify they originated from WarmySender.
Idempotency: Supported via the Idempotency-Key header to prevent duplicate operations on retries.
10. Email Account Security
Your connected email accounts are handled with care:
Gmail & Outlook: Connected via OAuth 2.0 with minimal required scopes. We request only the permissions needed for sending and reading warmup emails. Tokens are refreshed automatically and can be revoked from your Google/Microsoft account at any time.
Custom IMAP/SMTP: Credentials are encrypted with AES-256-GCM before storage. Connection testing validates credentials without persisting them in logs.
Automatic protection: Mailboxes with repeated authentication failures are automatically excluded from warmup peer pools to prevent cascading errors.
11. Data Retention & Deletion
We follow data minimization principles and provide clear retention policies:
Automated cleanup: Warmup emails and job records are automatically cleaned up on a recurring schedule to minimize stored data.
Account deletion: When you delete your account, all associated data (mailboxes, campaigns, prospects, warmup history, and credentials) is permanently removed via cascading deletes.
Workspace isolation: Each workspace's data is logically isolated. Removing a member immediately revokes all access.
12. Security Headers
WarmySender enforces security headers on all HTTP responses via Helmet.js:
Strict-Transport-Security (HSTS): Instructs browsers to use HTTPS only, with a one-year max-age in production.
X-Frame-Options: DENY: Prevents the application from being embedded in iframes, protecting against clickjacking attacks.
X-Content-Type-Options: nosniff: Prevents browsers from MIME-sniffing responses away from the declared content type.
Referrer-Policy: Set to strict-origin-when-cross-origin, limiting referrer information shared with third parties.
Cross-Origin-Resource-Policy: Restricts resource loading to same-site requests.
13. Monitoring & Incident Response
We actively monitor our systems to detect and respond to issues quickly:
Health checks: Automated health endpoints monitor database connectivity and service availability.
Admin dashboard: Real-time monitoring of warmup network health, mailbox status, campaign performance, and system errors.
Structured logging: All API requests, authentication events, and system operations are logged with timestamps and correlation IDs for audit trails.
Self-healing architecture: Background schedulers and workers are designed to recover automatically from transient failures without manual intervention.
Defined incident response process: We follow an identify, contain, remediate, and communicate framework with clear escalation paths to ensure rapid response to security events.
Post-incident review: Root cause analysis is conducted after every significant incident to prevent recurrence and continuously improve our security posture.
Audit trail: Authentication events, API access, and administrative actions are logged with timestamps for forensic review and compliance purposes.
14. Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly: