Security overview

Security

SignalPost uses layered controls to protect accounts, customer data, sending infrastructure, and operational access.

Account protection

Passwordless one-time codes expire quickly and may be used once. Sessions use HTTP-only cookies, workspace-scoped authorization, and role-based access controls.

Infrastructure

Production traffic is encrypted with HTTPS. Administrative server access is restricted, inbound network exposure is limited, application data is backed up, and secrets are kept outside public source files.

Data and integrations

Workspace data is isolated by authorization boundaries. Integration credentials are encrypted when configured for production. Provider API keys are used only to perform requested operations.

Responsible disclosure

Report suspected vulnerabilities to support@signalpost.email. Include a clear reproduction and potential impact. Do not access other users’ data, disrupt service, use automated destructive testing, or disclose a vulnerability publicly before we have had a reasonable opportunity to investigate.