Skip to content

Version 1.0 · Last updated 22 May 2026

This document is provided as a plain-language draft and is pending legal review. If you spot an issue, email legal@inboxdesk.ai.

Security

How InboxDesk protects your data and how to report a problem.

Reporting a vulnerability

Email security@inboxdesk.ai with:

  • A description of the issue
  • Steps to reproduce
  • Your contact info if you'd like updates

We acknowledge within 2 business days. No bug-bounty programme at this stage; we will credit responsible reporters in the changelog if you'd like attribution.

Our security.txt follows RFC 9116.

Technical and organisational measures

These mirror the contractual commitments in DPA Schedule 2 and reflect what's actually deployed today.

Encryption

  • TLS 1.2+ on every connection
  • AES-256 encryption at rest for the database, file storage, and OAuth refresh tokens (provider-managed)

Access control

  • Multi-factor authentication on every administrator account that can reach production
  • Row-Level Security policies scope every database query to the requesting tenant
  • The number of human accounts with production database access is minimised and reviewed periodically

Network

  • Managed edge network with TLS termination and DDoS protection (Vercel + Cloudflare)
  • Database not exposed to the public internet; only the application service role accesses it

Application

  • Inbound webhook endpoints verify cryptographic signatures from upstream services before accepting payloads
  • Standard protections against CSRF, XSS, and SQL injection
  • Anti-bot signup defences: Cloudflare Turnstile challenge, hashed-IP sliding-window rate limit (Upstash), input validation, deferred tenant creation, daily cleanup of unconfirmed signups
  • Dependencies monitored continuously; security-relevant updates prioritised

Operational

  • Source code in private version control with automated CI: lint, type-check, tests, secrets scan, dependency audit
  • Production secrets in a secrets manager, never committed
  • Application audit log retained for the life of the account
  • Daily backups with 7-day retention

People

  • InboxDesk operates as a sole trader; only the owner has production access today
  • Any future personnel will be bound by confidentiality and trained on data-protection responsibilities

Incident response

  • Documented procedure for triaging and responding to personal-data breaches
  • 72-hour breach-notification commitment to customers (per DPA §10)
  • Sentry and PostHog feed the incident-detection workflow

What we don't have yet

To be transparent: InboxDesk does not currently hold SOC 2 or ISO 27001 certification (per Terms §13 and decisions log D-022). The cost of those audits is not justified at our pre-revenue stage. We will revisit once enterprise demand justifies the spend.

Related

Effective date

This page was last updated 2026-05-22.