Trust

Security at WillItInbox

WillItInbox is built around account isolation, hashed API keys, conservative retention, and transparent operational controls.

Account-scoped access

Reports, validation jobs, API keys, and usage records are tied to authenticated accounts. Public API keys are stored hashed at rest.

API key handling

New API keys are shown once, at creation. Afterwards only the key prefix and last few characters are displayed, and revoked keys are rejected immediately on the next request.
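As an added example (this is not WillItInbox's code; the key format, the SHA-256 choice and the in-memory store are assumptions), the following Python sketch shows the full lifecycle behind the two sections above: a key is generated, only its hash is stored, the raw value is returned exactly once, later displays are masked to prefix and suffix, revocation is honoured on the next request, and every report lookup is scoped to the account the key belongs to.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed key format: a fixed prefix plus 32 random bytes (url-safe base64).
KEY_PREFIX = "wib_"  # hypothetical, not WillItInbox's real prefix


@dataclass
class ApiKeyRecord:
    key_id: str
    account_id: str
    key_hash: str        # hex SHA-256 of the full key; the key itself is never stored
    display_prefix: str  # first characters, shown in the UI after creation
    display_suffix: str  # last characters, shown in the UI after creation
    revoked: bool = False


def hash_key(raw_key: str) -> str:
    # Keys carry ~256 bits of random entropy, so a fast unsalted hash already
    # makes a leaked table useless; a slow KDF is only needed for low-entropy secrets.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for the database table holding hashed keys."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, ApiKeyRecord] = {}
        self._by_id: Dict[str, ApiKeyRecord] = {}

    def create_key(self, account_id: str) -> Tuple[str, ApiKeyRecord]:
        raw_key = KEY_PREFIX + secrets.token_urlsafe(32)
        record = ApiKeyRecord(
            key_id=secrets.token_hex(8),
            account_id=account_id,
            key_hash=hash_key(raw_key),
            display_prefix=raw_key[:8],
            display_suffix=raw_key[-4:],
        )
        self._by_hash[record.key_hash] = record
        self._by_id[record.key_id] = record
        # The raw key is returned exactly once; the caller must show it now.
        return raw_key, record

    def masked(self, record: ApiKeyRecord) -> str:
        # What the UI shows after creation: enough to recognise the key, not to use it.
        return f"{record.display_prefix}...{record.display_suffix}"

    def authenticate(self, presented_key: str) -> Optional[ApiKeyRecord]:
        # Lookup is by the hash of the presented secret, so the stored table never
        # needs the plaintext and no key material is compared character by character.
        candidate = self._by_hash.get(hash_key(presented_key))
        if candidate is None or candidate.revoked:
            return None  # unknown key, or revoked: rejected on the very next request
        return candidate

    def revoke(self, key_id: str) -> None:
        self._by_id[key_id].revoked = True


# Constructed sample data: each report belongs to exactly one account.
REPORTS = {
    "rpt_1": {"account_id": "acct_a", "score": 87},
    "rpt_2": {"account_id": "acct_b", "score": 42},
}


def get_report(store: ApiKeyStore, presented_key: str, report_id: str) -> Optional[dict]:
    """Account-scoped read: a key only ever sees reports of its own account."""
    record = store.authenticate(presented_key)
    if record is None:
        return None  # unknown, malformed, or revoked key
    report = REPORTS.get(report_id)
    if report is None or report["account_id"] != record.account_id:
        return None  # same answer for "missing" and "not yours": no cross-account oracle
    return report


if __name__ == "__main__":
    store = ApiKeyStore()
    raw, rec = store.create_key("acct_a")
    print("shown once:", raw)
    print("shown later:", store.masked(rec))
    print("own report:", get_report(store, raw, "rpt_1"))
    print("other account's report:", get_report(store, raw, "rpt_2"))
    store.revoke(rec.key_id)
    print("after revoke:", get_report(store, raw, "rpt_1"))
```

The point of returning the same `None` for a missing report and for another account's report is that an authenticated caller cannot probe which report ids exist outside its own account.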

Short-lived sensitive data

Raw email bodies and CSV artifacts are designed for short retention windows. Reports and derived results follow plan-level retention.

Responsible disclosure

Security reports can be sent privately to [email protected]. Please include impact, reproduction steps, and affected endpoints.

Current security roadmap

The next production hardening steps are webhook signatures for all outbound events, strict production CORS, backups, monitoring, public status checks, and separate staging and production environments.

See also Data Retention and Privacy Policy.