Security at Outboxly

Your subscriber data is your most valuable asset. We protect it with encryption, database-level isolation, strict access controls, and industry-standard security practices.

How we protect your data

Security is built into every layer of Outboxly — from the network edge to the database row level.

Encryption Everywhere

All data is encrypted in transit using TLS 1.3 (HTTPS). We enforce HTTP Strict Transport Security (HSTS) to ensure every connection to Outboxly is encrypted. Database connections use SSL.

Row-Level Security

Every database table is protected by Row-Level Security (RLS) policies enforced at the PostgreSQL level. Your data is isolated from every other tenant — queries physically cannot return another customer's data.

Role-Based Access Control

Invite team members with granular permissions. Four roles — Owner, Admin, Editor, and Viewer — control who can send campaigns, manage subscribers, change settings, or just view data.

Secure Authentication

Passwords are hashed with bcrypt and salted automatically. Sessions use secure, httpOnly cookies — never stored in localStorage. We support email confirmation for new accounts.

Security Headers

Every response includes Content-Security-Policy, X-Frame-Options (SAMEORIGIN), X-Content-Type-Options (nosniff), X-XSS-Protection, Referrer-Policy, and Permissions-Policy headers.

Rate Limiting

All API endpoints are rate-limited with tiered thresholds — stricter limits on sensitive endpoints like authentication and form submissions, preventing brute-force and abuse attacks.

Webhook Verification

Incoming webhooks from Stripe and Resend are verified using cryptographic signatures (HMAC). Invalid or tampered payloads are rejected immediately.

Input Validation

Every API endpoint validates input using strict schema validation (Zod). Malformed, oversized, or unexpected data is rejected before it reaches your database.

HTML Sanitization

Email previews are rendered in sandboxed iframes. Inline HTML rendering strips script tags, event handlers, javascript: URLs, and dangerous elements to prevent XSS attacks.

Domain Authentication

Set up SPF, DKIM, and DMARC records for your sending domain. Outboxly monitors your domain health and alerts you to deliverability issues.

Unsubscribe Token Security

Unsubscribe and preference links use HMAC-SHA256 tokens with timing-safe comparison, preventing enumeration attacks and unauthorized modifications.
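Added example, not Outboxly's own code: one way to issue and check an HMAC-SHA256 link token in Node.js with a timing-safe comparison. The function names, the length-prefixed message layout, the hex encoding and the demo secret are assumptions made for illustration.

```javascript
// Added example: HMAC-SHA256 unsubscribe/preference tokens (hypothetical helpers).
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed demo value; a real secret would come from an environment variable.
const DEMO_SECRET = 'constructed-demo-secret-not-a-real-key';

// Bind the token to both the subscriber and the action, so a token issued for
// "unsubscribe" cannot be reused on a "preferences" link or for another
// subscriber. Length prefixes keep ("ab","c") and ("a","bc") distinct.
function canonicalMessage(subscriberId, action) {
  return `${subscriberId.length}:${subscriberId}|${action.length}:${action}`;
}

function macBytes(subscriberId, action, secret) {
  return createHmac('sha256', secret)
    .update(canonicalMessage(subscriberId, action))
    .digest();
}

// Token placed in the link, e.g. ?s=<subscriberId>&t=<token>
function signLinkToken(subscriberId, action, secret) {
  return macBytes(subscriberId, action, secret).toString('hex');
}

function verifyLinkToken(subscriberId, action, token, secret) {
  // Reject anything that is not exactly 64 lowercase hex characters. The tag
  // length is public, so this check leaks nothing, and it guarantees equal
  // buffer lengths: timingSafeEqual throws if the lengths differ.
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return false;
  const expected = macBytes(subscriberId, action, secret);
  const given = Buffer.from(token, 'hex');
  // Constant-time compare: run time does not depend on where the first
  // mismatching byte is, unlike === on strings.
  return timingSafeEqual(given, expected);
}
```

Without the secret a caller cannot compute a valid token for any subscriber ID, which is what makes the IDs in these links non-enumerable.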

Infrastructure Security

Hosted on Railway with automatic SSL provisioning. Database powered by Supabase with enterprise-grade PostgreSQL, daily backups, and network isolation.

Security practices

Beyond technical controls, we follow operational practices that keep your data safe.

Data Isolation

Multi-tenant architecture with database-level isolation. No customer can access another customer's data under any circumstances.

Minimal Data Collection

We only collect what's needed to run the service. No tracking pixels on our marketing site, no third-party analytics on your dashboard.

Secrets Management

API keys, webhook secrets, and service credentials are stored as environment variables — never in source code or client-side bundles.

Cron Job Protection

Background jobs (campaign processing, sequence execution, RSS feeds) require a secret bearer token, preventing unauthorized triggers.

Admin Access Control

Platform administration is restricted to a whitelist of verified email addresses. No public admin registration exists.

Secure Defaults

Double opt-in available for subscriber signups. CORS restricted to same-origin by default, with controlled exceptions only for public embed forms.

Security summary

Authentication: Bcrypt + secure cookies
Data Isolation: Row-level security (RLS)
Encryption: TLS 1.3 + HSTS
Access Control: 4-role RBAC
Rate Limiting: All endpoints protected
Input Validation: Schema validation (Zod)
Webhook Security: HMAC signature verification
Security Headers: CSP, X-Frame-Options, etc.

Questions about security?

We take security seriously. If you have questions or concerns, reach out to our team.