1.9 KiB
1.9 KiB
Security & Compliance
Credential handling
| Data | Storage | Access |
|---|---|---|
| Mailbox passwords | AES-256-GCM encrypted | Decrypt only in send/IMAP workers |
| AI API keys | Env or encrypted settings | Never returned in GET settings |
| API keys | Env | Header auth self-hosted |
SaaS evolution
- Per-tenant encryption keys (KMS)
- Secrets rotation without re-entering passwords where OAuth applies
- Audit log for credential access
Authentication roadmap
| Phase | Model |
|---|---|
| 1 | Optional single API key |
| 2 | Session auth for web UI |
| 3 | Multi-tenant JWT + RBAC |
Roles (SaaS)
| Role | Permissions |
|---|---|
| Owner | All + billing |
| Admin | Campaigns, mailboxes |
| Viewer | Read-only stats |
Data privacy
- Warmup email bodies may contain AI-generated business text — not PII by default
- Store minimum content needed for thread continuity
- Retention policy: 90 days for logs (configurable)
- GDPR: export + delete workspace data
Transport security
- TLS required for SMTP (587/465) and IMAP (993)
- HTTPS for API and UI
- No credential logging in Pino output
Abuse prevention (SaaS)
- Rate limit API
- Verify email domain ownership before warming (DNS TXT challenge)
- Block disposable email domains for signup
- Monitor outbound volume per tenant
Legal
Before public SaaS:
- Terms of Service (user owns mailboxes, compliant use)
- Privacy Policy
- Acceptable Use Policy (no spamming prospects via warmup)
- ESP ToS disclaimer
Incident response
| Event | Response |
|---|---|
| Credential leak | Rotate ENCRYPTION_KEY, force password re-entry |
| ESP suspension | Pause all campaigns for affected mailbox |
| AI generating harmful content | Block send, alert operator |
Compliance frameworks (future)
- SOC 2 Type II (SaaS scale)
- Not required for self-hosted FillCare deployment