Security
Last updated: June 6, 2026
Outreach data is sensitive — your pipeline, your conversations, your team's LinkedIn accounts. Here's how Outvelo protects it.
Data protection
All traffic is encrypted in transit with TLS. Data is stored in access-controlled databases with encryption at rest at the infrastructure layer, and every workspace's data is isolated — one workspace can never read another's campaigns, prospects, or messages.
We never store your LinkedIn password. Account connections run through a dedicated messaging provider using scoped session credentials.
API and webhook security
API keys are scoped (read / write / admin), rate-limited, shown once at creation, and stored hashed. Revoke any key instantly from Settings.
Every webhook delivery is signed with a per-endpoint HMAC-SHA256 secret (the X-Signature header), so your receiver can verify each payload really came from us.
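A receiver-side check for the signed deliveries described above, as an added example rather than Outvelo's own code. It assumes X-Signature carries the hex-encoded HMAC-SHA256 of the raw request body; this page does not state the encoding or the exact signed input, so confirm both before relying on it. The function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json

HEX_DIGITS = set("0123456789abcdef")


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (assumed X-Signature format)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Accept a delivery only if X-Signature matches the exact bytes received."""
    if not isinstance(header_value, str) or not header_value:
        return False  # missing header: reject, never treat unsigned as valid
    candidate = header_value.strip().lower()
    # Reject anything that is not a 64-character hex digest before comparing.
    if len(candidate) != 64 or not set(candidate) <= HEX_DIGITS:
        return False
    expected = sign(secret, raw_body)
    # Constant-time comparison, so timing does not reveal how much matched.
    return hmac.compare_digest(expected, candidate)


# Constructed sample data: secret, payload and event name are placeholders.
ENDPOINT_SECRET = b"constructed-endpoint-secret"
SAMPLE_BODY = b'{"event":"message.replied","workspace_id":"ws_123"}'
SAMPLE_SIG = sign(ENDPOINT_SECRET, SAMPLE_BODY)


def demo() -> dict:
    """Run the verifier over one valid delivery and four that must be rejected."""
    tampered = SAMPLE_BODY.replace(b"ws_123", b"ws_999")
    # Parsing and re-serializing changes whitespace, so the bytes no longer match.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode()
    return {
        "valid": verify_webhook(ENDPOINT_SECRET, SAMPLE_BODY, SAMPLE_SIG),
        "tampered_body": verify_webhook(ENDPOINT_SECRET, tampered, SAMPLE_SIG),
        "wrong_secret": verify_webhook(b"other-secret", SAMPLE_BODY, SAMPLE_SIG),
        "missing_header": verify_webhook(ENDPOINT_SECRET, SAMPLE_BODY, None),
        "reserialized_body": verify_webhook(ENDPOINT_SECRET, reserialized, SAMPLE_SIG),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Verify against the request body exactly as it arrived on the wire, before any JSON parsing; the re-serialized case fails for that reason even though the content is unchanged.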
LinkedIn account safety
Protecting your senders is a security feature too: per-account daily limits, randomized human-like pacing, scheduling windows, and warm-up ramps keep sending behavior within safe bounds. Health monitoring surfaces disconnected or restricted accounts immediately.
Operational practices
Least-privilege access for our team, audit logging on production systems, peer-reviewed code changes, and rolling encrypted backups with tested restores. Payments are processed by Stripe, a PCI-DSS Level 1 provider — card numbers never touch our servers.
Responsible disclosure
Found a vulnerability? Email [email protected] with the details and steps to reproduce. We respond within 72 hours, keep you updated while we fix it, and credit researchers who report in good faith. Please don't access other customers' data or disrupt the service while testing.