73 lines
1.9 KiB
Markdown
73 lines
1.9 KiB
Markdown
# Security & Compliance
|
|
|
|
## Credential handling
|
|
|
|
| Data | Storage | Access |
|
|
|------|---------|--------|
|
|
| Mailbox passwords | AES-256-GCM encrypted | Decrypt only in send/IMAP workers |
|
|
| AI API keys | Env or encrypted settings | Never returned in GET settings |
|
|
| API keys | Env | Header auth self-hosted |
|
|
|
|
### SaaS evolution
|
|
|
|
- Per-tenant encryption keys (KMS)
|
|
- Secrets rotation without re-entering passwords where OAuth applies
|
|
- Audit log for credential access
|
|
|
|
## Authentication roadmap
|
|
|
|
| Phase | Model |
|
|
|-------|-------|
|
|
| 1 | Optional single API key |
|
|
| 2 | Session auth for web UI |
|
|
| 3 | Multi-tenant JWT + RBAC |
|
|
|
|
### Roles (SaaS)
|
|
|
|
| Role | Permissions |
|
|
|------|-------------|
|
|
| Owner | All + billing |
|
|
| Admin | Campaigns, mailboxes |
|
|
| Viewer | Read-only stats |
|
|
|
|
## Data privacy
|
|
|
|
- Warmup email bodies may contain AI-generated business text — not PII by default
|
|
- Store minimum content needed for thread continuity
|
|
- Retention policy: 90 days for logs (configurable)
|
|
- GDPR: export + delete workspace data
|
|
|
|
## Transport security
|
|
|
|
- TLS required for SMTP (587/465) and IMAP (993)
|
|
- HTTPS for API and UI
|
|
- No credential logging in Pino output
|
|
|
|
## Abuse prevention (SaaS)
|
|
|
|
- Rate limit API
|
|
- Verify email domain ownership before warming (DNS TXT challenge)
|
|
- Block disposable email domains for signup
|
|
- Monitor outbound volume per tenant
|
|
|
|
## Legal
|
|
|
|
Before public SaaS:
|
|
|
|
- Terms of Service (user owns mailboxes, compliant use)
|
|
- Privacy Policy
|
|
- Acceptable Use Policy (no spamming prospects via warmup)
|
|
- ESP ToS disclaimer
|
|
|
|
## Incident response
|
|
|
|
| Event | Response |
|
|
|-------|----------|
|
|
| Credential leak | Rotate ENCRYPTION_KEY, force password re-entry |
|
|
| ESP suspension | Pause all campaigns for affected mailbox |
|
|
| AI generating harmful content | Block send, alert operator |
|
|
|
|
## Compliance frameworks (future)
|
|
|
|
- SOC 2 Type II (SaaS scale)
|
|
- Not required for self-hosted FillCare deployment
|