Security
Last updated: April 15, 2026
How Inbox Insignia approaches tenant isolation, authentication, data handling, and operational safeguards.
Inbox Insignia is designed to protect data in transit and at rest using mainstream platform and application controls.
- TLS is used for browser-to-application and application-to-provider traffic.
- Stored application data relies on the managed database platform's encryption-at-rest controls.
- Passwords are validated in the live sign-up and reset flows before they are handed to the auth provider.
- DMARC ingestion payloads are integrity-verified during webhook processing.
- Database and provider connections are configured to use encrypted transport.
Workspace isolation is enforced primarily at the database layer with PostgreSQL Row Level Security, with application controls layered on top for workspace-scoped access.
- Tenant-scoped tables rely on database policies to constrain reads and writes by workspace.
- Application flows still check workspace membership and context before returning or mutating data.
- Cross-workspace access is prevented through tenant-scoped database policies and application controls.
- Separate policies and checks exist for different operations rather than relying on one global guard.
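The per-operation policy layout described above, as an added illustration that is not Inbox Insignia's own schema: it assumes Supabase's `auth.uid()` function, a hypothetical `workspace_members` table, a hypothetical tenant-scoped `dmarc_reports` table, and a hypothetical `member_role` helper.

```sql
-- Membership table (hypothetical): who belongs to which workspace, and in what role.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'admin', 'member', 'viewer')),
  primary key (workspace_id, user_id)
);

-- A tenant-scoped table (hypothetical): every row carries the workspace it belongs to.
create table dmarc_reports (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  report_json  jsonb not null,
  received_at  timestamptz not null default now()
);

-- Deny by default: with RLS enabled and no matching policy, ordinary roles
-- read no rows and cannot write. FORCE also binds the table owner.
alter table dmarc_reports enable row level security;
alter table dmarc_reports force row level security;

-- Helper: the caller's role in the given workspace, or NULL when not a member.
-- SECURITY DEFINER lets it consult workspace_members even if that table is itself
-- under RLS; the pinned search_path prevents function/table shadowing.
create or replace function member_role(ws uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from workspace_members
  where workspace_id = ws and user_id = auth.uid();
$$;

-- One policy per operation instead of a single global guard.
-- Any member (including viewers) may read rows in their own workspaces.
create policy reports_select on dmarc_reports for select
  using (member_role(workspace_id) is not null);

-- Viewers cannot write; NULL from a non-member also fails the check.
create policy reports_insert on dmarc_reports for insert
  with check (member_role(workspace_id) in ('owner', 'admin', 'member'));

-- USING gates which rows may be updated; WITH CHECK stops a row being moved
-- into a workspace the caller does not have write access to.
create policy reports_update on dmarc_reports for update
  using      (member_role(workspace_id) in ('owner', 'admin', 'member'))
  with check (member_role(workspace_id) in ('owner', 'admin', 'member'));

-- Deletion is limited to owners and admins.
create policy reports_delete on dmarc_reports for delete
  using (member_role(workspace_id) in ('owner', 'admin'));
```

When verifying isolation, run `select workspace_id, count(*) from dmarc_reports group by workspace_id;` as a test user and confirm only that user's workspaces appear. Policies bind only connections subject to RLS; a connection whose role has `BYPASSRLS` (for example a service-role key) sees every workspace, so application paths that use it must apply the workspace checks themselves.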
Authentication and access control rely on Supabase Auth for user identity and role-based workspace access in the application.
- Email/password and magic-link authentication are supported in the live product.
- Password validation in the shipped sign-up and reset flows enforces length, complexity, and a common-password blocklist.
- Workspace access is role-based, with owner, admin, member, and viewer roles in the product model.
- Session handling is managed through the current Supabase Auth integration and application session checks.
- Invite and collaborator features remain gated by the canonical pricing and permissions contract.
The product is designed to give teams reviewable evidence around important workspace actions, posture changes, and exports.
- Significant operations can be recorded in audit and evidence surfaces where the current plan contract allows them.
- Retention varies by plan: 60 days on Starter, 180 days on Growth, and 365 days on Agency.
- Growth and Agency plans add deeper evidence and export workflows through the current entitlement model.
- Customers should validate the exact evidence surfaces they need against the active plan and workflow.
Inbox Insignia runs on managed cloud infrastructure providers that publish their own security and compliance information.
- Vercel hosts the Next.js application and edge/runtime infrastructure.
- Supabase provides the managed PostgreSQL database and authentication platform.
- Stripe handles payment processing; payment card data does not pass through the application.
- Backup, recovery, and platform hardening inherit from the managed providers and the application's own deployment controls.
The application uses defense-in-depth controls to reduce common web and integration risks rather than relying on a single protection layer.
- Input validation is applied in server actions, API routes, and supporting utility layers.
- Webhook endpoints use signature or HMAC verification where the current integrations require it.
- Security headers and origin-aware controls help reduce browser-side attack surface.
- XML and URL handling paths include targeted protections for the workflows the product supports today.
- No copy on this page should be interpreted as a guarantee that all failure modes are impossible.
Data handling is tied to the current product workflow, retention model, and the legal documents published on this site.
- Retention and export behavior follow the active plan entitlements and workflow-specific controls.
- Workspace and subscription data can be deleted through the product and support workflows that exist today.
- Payment card data is handled within Stripe's systems rather than stored by Inbox Insignia.
- Customers can review the DPA and subprocessor disclosures published on this site for current legal and operational details.
If you believe you have found a security issue or have a question about security posture, contact the team directly so the report can be reviewed through the current operating process.
- Security contact: security@inboxinsignia.com
- Reports should include enough detail to reproduce or understand the issue safely.
- This page does not publish guaranteed response-time or remediation-time commitments beyond applicable law or contract.
Inbox Insignia publishes the legal and operational documents customers commonly review during trust and procurement conversations.
- Infrastructure providers publish their own certifications and compliance materials.
- The Data Processing Agreement is available at /dpa.
- The current subprocessor list is available at /subprocessors.
- Customers with specific regulatory or audit requirements should confirm the active product and provider controls against their own obligations.
For security questions or disclosure reports, contact security@inboxinsignia.com.