# Security & Compliance ## Credential handling | Data | Storage | Access | |------|---------|--------| | Mailbox passwords | AES-256-GCM encrypted | Decrypt only in send/IMAP workers | | AI API keys | Env or encrypted settings | Never returned in GET settings | | API keys | Env | Header auth self-hosted | ### SaaS evolution - Per-tenant encryption keys (KMS) - Secrets rotation without re-entering passwords where OAuth applies - Audit log for credential access ## Authentication roadmap | Phase | Model | |-------|-------| | 1 | Optional single API key | | 2 | Session auth for web UI | | 3 | Multi-tenant JWT + RBAC | ### Roles (SaaS) | Role | Permissions | |------|-------------| | Owner | All + billing | | Admin | Campaigns, mailboxes | | Viewer | Read-only stats | ## Data privacy - Warmup email bodies may contain AI-generated business text — not PII by default - Store minimum content needed for thread continuity - Retention policy: 90 days for logs (configurable) - GDPR: export + delete workspace data ## Transport security - TLS required for SMTP (587/465) and IMAP (993) - HTTPS for API and UI - No credential logging in Pino output ## Abuse prevention (SaaS) - Rate limit API - Verify email domain ownership before warming (DNS TXT challenge) - Block disposable email domains for signup - Monitor outbound volume per tenant ## Legal Before public SaaS: - Terms of Service (user owns mailboxes, compliant use) - Privacy Policy - Acceptable Use Policy (no spamming prospects via warmup) - ESP ToS disclaimer ## Incident response | Event | Response | |-------|----------| | Credential leak | Rotate ENCRYPTION_KEY, force password re-entry | | ESP suspension | Pause all campaigns for affected mailbox | | AI generating harmful content | Block send, alert operator | ## Compliance frameworks (future) - SOC 2 Type II (SaaS scale) - Not required for self-hosted FillCare deployment