Security

• App tier on Vercel (Next.js 16, Node 24); database on Neon Postgres (US-East).
• All inbound traffic over TLS 1.3. Internal service-to-service connections use mTLS via the platform.
• Secrets are stored in the hosting platform's encrypted env-var vault, never in source control. .env is gitignored and never committed.
• Subprocessors: Vercel, Neon, Resend, Stripe, Upstash. Each is contractually bound by a DPA.

• API keys: stored as SHA-256 hashes; the raw key is shown to you once at creation and never again. We cannot recover lost keys — generate a new one.
• Passwords: hashed with scrypt by Better Auth. We never see plaintext.
• Verification logs: stored per-user with the verdict, timestamp, and which API key made the call. Used for quota and dedup; never shared.
• Card data: handled exclusively by Stripe (PCI DSS Level 1). We store only the Stripe customer ID.

• Sign-up requires email verification via 6-digit OTP (5-minute expiry).
• Password reset uses the same OTP flow; reset tokens are single-use.
• Sessions are HTTP-only, secure, same-site cookies with a 30-day rolling window.
• API keys can be individually revoked at any time from Settings → API keys.
• Rate limits: 60 req/min and 10,000 req/day per API key.

• Only the team owner can promote other members to admin.
• Team subscription required to accept new invitations.
• One team per user (enforced at the database level).
• Invitations expire 7 days after creation and are single-use.

• All quota writes run in serializable Postgres transactions with retry on conflict — no double-charges under contention.
• Database backups: continuous WAL streaming via Neon, 7-day point-in-time recovery.
• Dependency monitoring via Dependabot; critical patches within 48 hours.
• Production deploys gated on green CI: yarn lint, yarn build, full integration test suite (Postgres testcontainer).

Found something? Email security@mailtrue.io. We acknowledge reports within 1 business day. We don't have a formal bug-bounty yet but recognise reporters publicly (with consent) and offer credit toward the Service.

Please don't test against production tenants other than your own, don't publicly disclose before we've responded, and don't exfiltrate data.

• Use a unique password and a password manager.
• Treat API keys like passwords. Rotate immediately on suspected compromise.
• Don't share accounts — invite teammates to your team instead.