Security at Postbox

You trust us with your data and your users' data. We take that seriously. This page describes how we protect it - and how we verify that protection.

Internal Security Audit - February 2026

We run continuous static analysis on every code change using industry-standard tools. Our latest full audit completed with:

0 dependency vulnerabilities
0 critical findings
0 high-severity findings

Tools: Sobelow (Phoenix security scanner), mix deps.audit (CVE database), Credo (static analysis)

Infrastructure

Postbox is deployed on secure infrastructure with isolated application instances and encrypted storage volumes. All connections are served over TLS 1.2+ - there is no unencrypted path to the application. Database connections use SSL. HSTS headers enforce HTTPS for all clients. Request body size is limited to prevent abuse.

Authentication

We support email/password, magic links, and social login via Google and GitHub. Multiple layers protect your account:

Passwords hashed with bcrypt - timing-safe comparison prevents enumeration
Two-factor authentication (TOTP) available for all accounts, with encrypted backup codes
Session tokens are encrypted, signed, and rotated on sensitive actions - password changes invalidate all sessions
OAuth 2.1 with PKCE for MCP connections - no implicit grants, no secrets in browsers
API keys are hashed before storage - the plaintext is shown once at creation and never again

Data Protection

Every database query is scoped to the authenticated user at the query level - not just the application level. Account data is tenant-isolated by design:

Forms, submissions, knowledge bases, and API keys are isolated per user in every query
No shared data surface between accounts - cross-tenant access is architecturally impossible
Cookies are encrypted, HTTP-only, and Secure-flagged in production
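What "scoped to the authenticated user at the query level" looks like in practice, as an added example that is not Postbox's code (the product is a Phoenix application; this uses Python's bundled SQLite driver). The table layout and sample rows are constructed for the illustration. Every repository function takes the authenticated user's id and puts it into the WHERE clause, so a form that belongs to another tenant simply does not exist from the caller's point of view, whatever id they ask for; the queries are also parameterised, which is the SQL injection point from the Application Security section.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: user 1 owns form 10, user 2 owns form 20."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE forms (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE submissions (id INTEGER PRIMARY KEY, form_id INTEGER NOT NULL,"
        " user_id INTEGER NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO forms VALUES (?, ?, ?)", [(10, 1, "contact"), (20, 2, "newsletter")])
    conn.executemany(
        "INSERT INTO submissions VALUES (?, ?, ?, ?)",
        [(100, 10, 1, "hello"), (200, 20, 2, "subscribe me")],
    )
    return conn


# --- scoped repository: user_id is part of every predicate --------------------

def get_form(conn: sqlite3.Connection, user_id: int, form_id: int):
    return conn.execute(
        "SELECT id, name FROM forms WHERE id = ? AND user_id = ?", (form_id, user_id)
    ).fetchone()


def list_submission_ids(conn: sqlite3.Connection, user_id: int, form_id: int) -> list[int]:
    # The submissions table carries user_id too, so the scope does not depend on
    # a join being remembered; it is applied at the row level here as well.
    rows = conn.execute(
        "SELECT id FROM submissions WHERE form_id = ? AND user_id = ? ORDER BY id",
        (form_id, user_id),
    )
    return [r[0] for r in rows]


def delete_form(conn: sqlite3.Connection, user_id: int, form_id: int) -> int:
    """Returns the number of rows deleted: 0 means 'not yours or not there'."""
    cur = conn.execute("DELETE FROM forms WHERE id = ? AND user_id = ?", (form_id, user_id))
    return cur.rowcount


# --- the anti-pattern, kept only to show the difference ------------------------

def get_form_unscoped(conn: sqlite3.Connection, form_id: int):
    """Application-level checks alone would have to remember to compare the
    owner on every call site; one forgotten check exposes other tenants' rows."""
    return conn.execute("SELECT id, name FROM forms WHERE id = ?", (form_id,)).fetchone()
```

A useful review rule for a codebase built this way: any query function that does not take the tenant id as a parameter is a finding, regardless of what the caller does with the result.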

Application Security

Content Security Policy restricts script, style, and connection sources across all pages
CSRF protection on all state-changing requests - API endpoints use Bearer token auth instead
Parameterized queries prevent SQL injection - no raw SQL anywhere in the codebase
All user input is validated and constrained through typed schemas before storage
Security headers include X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and HSTS

Rate Limiting

Every public and authenticated endpoint is rate-limited to prevent abuse:

Public submission endpoints, authenticated API, login, and OAuth endpoints all enforce per-IP limits
Multi-layer spam protection on all forms including AI-powered classification
Webhook signature verification with idempotency checks prevents replay attacks

AI Data Handling

AI features (spam detection, translation, smart replies) are opt-in per form and disabled by default. When enabled, only the minimum submission data needed is sent to the AI provider over encrypted connections. You can disable AI processing on any form at any time.

Responsible Disclosure

If you discover a security vulnerability, we want to hear about it. Please report it to support@usepostbox.com with a description of the issue. We commit to:

Acknowledging your report within 48 hours
Providing a timeline for resolution
Notifying you when the issue is fixed

Please do not publicly disclose vulnerabilities before we've had a chance to address them.

What's Next

Security is ongoing. Here's what we're working toward:

SOC 2 Type II certification
Third-party penetration testing
GDPR Data Processing Agreement for Pro customers