Security
How we protect your data and your sending reputation.
Last updated June 17, 2026
Authentication
API keys and dashboard sessions are stored only as hashes — the raw value is shown once. Passwords use scrypt. Optional two-factor (TOTP) with single-use recovery codes, plus login lockout and sign-up rate limits to blunt abuse.
Authorization & isolation
Role-based permissions gate every action, and every resource is scoped to its workspace and organization — one tenant can never read or change another's data. Plan features are enforced server-side.
Data protection
Encryption in transit, validated request input, and append-only audit logs. Exportable Layer-3 proof bundles are Ed25519-signed and pin a hash of exactly what was sent.
Sending safety
Test-mode sends never reach real inboxes; DKIM/SPF/DMARC authenticate the sending domain; and bounces and complaints feed an automatic suppression list to protect deliverability.
Webhooks
Inbound webhooks (billing, email events) are signature-verified and idempotent; outbound webhook targets are checked to prevent requests to internal networks.
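As an added illustration of the inbound side of this (example code, not rootmail's own implementation), the receiver below checks an HMAC-SHA256 signature over the raw body, rejects stale timestamps to narrow the replay window, and then processes each event id at most once. The header format (`t=<unix-ts>,v1=<hex mac>`) and the 300-second tolerance are assumptions for the example, not rootmail's documented scheme.

```python
import hashlib
import hmac
import json

# Assumed scheme (not rootmail's documented format): the sender puts
# "t=<unix-ts>,v1=<hex hmac-sha256>" in a header, where the MAC is computed
# over "<ts>.<raw body>" with the shared webhook secret.
TOLERANCE_SECONDS = 300


def sign(secret: bytes, body: bytes, ts: int) -> str:
    """Producer side: build the signature header for a raw body."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify(secret: bytes, body: bytes, header: str, now: int) -> bool:
    """Consumer side: constant-time MAC check plus timestamp tolerance."""
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        given = parts["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:  # too old or too far ahead: treat as replay
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)


class WebhookReceiver:
    """Verifies the signature first, then processes each event id only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()  # constructed in-memory dedup store; use durable storage in practice
        self.processed = []  # event types accepted, in order

    def handle(self, body: bytes, header: str, now: int) -> str:
        if not verify(self.secret, body, header, now):
            return "rejected"  # never parse or act on an unverified body
        event = json.loads(body)
        event_id = event["id"]
        if event_id in self.seen:
            return "duplicate"  # same delivery retried: acknowledge, do not re-apply
        self.seen.add(event_id)
        self.processed.append(event["type"])
        return "processed"
```

Signature verification happens before any parsing so that malformed or forged bodies never reach application logic, and the dedup check makes provider retries safe.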
Reporting
Found an issue? Email security@rootmail.io.