Account-scoped access
Reports, validation jobs, API keys, and usage records are tied to authenticated accounts. Public API keys are stored hashed at rest.
Trust
WillItInbox is built around account isolation, hashed API keys, conservative retention, and transparent operational controls.
New API keys are shown once, only prefixes and last characters are displayed later, and revoked keys are rejected immediately.
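The key lifecycle described above (shown once, hashed at rest, displayed later only as prefix and last characters, rejected once revoked) can be sketched as follows. This is an added example, not WillItInbox's own code; the `wk_` key format, the choice of SHA-256, and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store standing in for a database table: key_id -> record.
KEYS = {}

def _digest(raw_key: str) -> str:
    # Keys are long random strings, so a fast hash is enough (assumed: SHA-256).
    return hashlib.sha256(raw_key.encode()).hexdigest()

def create_key(account_id: str) -> str:
    """Store only the hash and display fragments; return the raw key exactly once."""
    key_id = secrets.token_hex(4)
    raw_key = f"wk_{key_id}_{secrets.token_urlsafe(32)}"  # "wk_" format is hypothetical
    KEYS[key_id] = {
        "account_id": account_id,
        "hash": _digest(raw_key),
        "prefix": raw_key[:11],  # "wk_" plus the 8-character key_id
        "last4": raw_key[-4:],
        "revoked": False,
    }
    return raw_key

def display(key_id: str) -> str:
    """What a dashboard can show after creation: prefix and last characters only."""
    rec = KEYS[key_id]
    return f"{rec['prefix']}...{rec['last4']}"

def revoke(key_id: str) -> None:
    KEYS[key_id]["revoked"] = True

def authenticate(raw_key: str):
    """Return the owning account_id, or None for malformed, unknown or revoked keys."""
    parts = raw_key.split("_", 2)
    if len(parts) != 3 or parts[0] != "wk":
        return None
    rec = KEYS.get(parts[1])
    # Revocation is checked on every request, so it takes effect immediately.
    if rec is None or rec["revoked"]:
        return None
    # Constant-time comparison of the stored hash with the presented key's hash.
    if not hmac.compare_digest(rec["hash"], _digest(raw_key)):
        return None
    return rec["account_id"]
```

Because the account is resolved from the key record itself, every later lookup can be filtered by that `account_id`, which is what keeps reports and jobs scoped to their owner.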
Raw email bodies, CSV artifacts, reports, and derived results are designed for short retention windows until tiered retention is implemented.
Security reports can be sent through the contact page using the security channel. Please include impact, reproduction steps, and affected endpoints, and avoid testing other customer accounts.
The next production hardening steps are webhook signatures for all outbound events, strict production CORS, backups, monitoring, public status checks, and separate staging and production environments.
See also Data Retention and Privacy Policy.
API keys, reports, validation jobs, domains, and workspace records are scoped to the owning account or workspace. Admin and support access should be used only for operational debugging and customer-requested help.
Logs, webhook delivery records, and usage counters help diagnose failed jobs, abuse, billing disputes, and API reliability without exposing raw secrets in the browser.
Read the Privacy Policy, Data Retention, and API docs for how these controls map to product workflows.