Last update: April 4, 2026
This Security Policy describes the emailfinder.dev security program and the technical and organizational security controls that protect customer data from unauthorized use, access, disclosure, or theft and safeguard the emailfinder.dev services. As security threats change, emailfinder.dev continues to update its security program and strategy to help protect customer data and emailfinder.dev services. As such, emailfinder.dev reserves the right to update this Security Policy from time to time, provided that any update will not materially reduce the overall protections stated in this Security Policy.
emailfinder.dev maintains a risk-based security assessment program. The framework for emailfinder.dev's security program includes administrative, organizational, and technical safeguards designed to protect emailfinder.dev services and the confidentiality, integrity, and availability of customer data. emailfinder.dev's security program is intended to be appropriate to the nature of the emailfinder.dev services and the size and complexity of emailfinder.dev's business operations.
All emailfinder.dev employees and contract personnel are bound by contractual agreements and emailfinder.dev internal policies regarding maintaining the confidentiality of customer data and are contractually obligated to comply with these obligations.
All emailfinder.dev employees must complete security and privacy training that covers emailfinder.dev security policies, security best practices, and privacy principles. All application passwords must be saved in a password manager. Each service must have its own unique password. When available, two-factor authentication (2FA) must be enabled: with a physical key where one is supported, otherwise with a 2FA application. SMS 2FA is not allowed.
Vendor Assessment — emailfinder.dev may use third party vendors to provide certain services. emailfinder.dev carries out a security risk-based assessment of prospective vendors before working with them to validate they meet emailfinder.dev security requirements.
Vendor Agreements — emailfinder.dev enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for customer data that these vendors may process.
Vercel Edge Network — The emailfinder.dev services are hosted on Vercel Edge Network with global CDN distribution. Customer data transmitted through Vercel is encrypted in transit using TLS 1.3. Vercel provides automatic DDoS protection and enterprise-grade security.
Supabase (PostgreSQL) — The emailfinder.dev database is hosted on Supabase, a SOC 2 Type II certified platform. Customer data stored within Supabase is encrypted at rest using AES-256 encryption. Supabase does not have access to unencrypted customer data.
Databases are not open to the world: any connection from a disallowed IP address is rejected. Only connections from authorized emailfinder.dev services are allowed. When possible, data is pseudonymized. Passwords are stored hashed, using the bcrypt function with cost factor 10. API keys are hashed using bcrypt before storage.
For the emailfinder.dev services, all network access between production hosts is restricted, using access control lists to allow only authorized roles to interact in the production network. Access control lists are in use to manage network segregation between different security zones in the production and corporate environments. Access control lists are reviewed regularly.
emailfinder.dev follows security-by-design principles when it designs the services. This includes performing internal security reviews before deploying new services or code, and running regular scans to detect potential security threats and vulnerabilities.
Provisioning Access — To minimize the risk of data exposure, emailfinder.dev follows the principle of least privilege through a role-based access control model when provisioning system access. An employee's access to customer data is promptly removed upon termination of their employment. To access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. emailfinder.dev logs high-risk actions and changes in the production environment.
Password Controls — Users cannot create an account on emailfinder.dev using a compromised password. All passwords are hashed using bcrypt with cost factor 10 before storage.
Row Level Security (RLS) — All database tables implement Row Level Security (RLS) policies to ensure users can only access their own data. Database-level access control provides an additional layer of security beyond application-level checks.
Rate Limiting — API endpoints are protected with rate limiting of 1,000 requests per minute to prevent abuse and ensure fair usage. Rate limits are enforced at the user level, not per API key.
The following logs of actions are stored: on Vercel, every HTTP request is logged; every API call is stored in the database with a full audit trail; every sensitive user action is stored in the database; every admin action is stored in the database.
emailfinder.dev maintains controls to mitigate the risk of security vulnerabilities by using third-party tools to conduct vulnerability scans regularly to assess vulnerabilities in emailfinder.dev infrastructure and systems. Critical software patches are evaluated, tested, and applied proactively. Dependencies are updated regularly for security patches, and automated vulnerability scanning is performed on every deployment.
emailfinder.dev performs the following backups of its data: on-site backups (managed by Supabase, performed daily), encrypted at rest with the Advanced Encryption Standard (AES-256) algorithm; point-in-time recovery (PITR) is enabled for database restoration.
Data in Transit — All data transmitted between clients and emailfinder.dev services is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol. This ensures that all API requests, responses, and authentication tokens are protected from interception.
Data at Rest — All customer data stored in our database is encrypted at rest using AES-256 encryption, a military-grade encryption standard. API keys are hashed using bcrypt with cost factor 10 before storage. Sensitive data is never stored in plain text.
emailfinder.dev uses Stripe, a PCI Level 1 certified payment processor, for all payment processing. We never store or have access to your payment card details. All payment information is handled directly by Stripe with 3D Secure authentication and automatic fraud detection via Stripe Radar.
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly: Email: support@emailfinder.dev. Please include detailed steps to reproduce the issue.
We commit to: Respond within 24 hours; Keep you informed of our progress; Credit you in our security acknowledgments (if desired).
emailfinder.dev complies with industry standards and regulations: GDPR Compliant — EU data protection regulation; SOC 2 Type II — Via Supabase infrastructure; PCI-DSS Level 1 — Via Stripe payment processing.
This Security Policy is provided for informational purposes. While emailfinder.dev implements industry-standard security measures, no system is completely secure. emailfinder.dev makes no warranties or guarantees regarding the absolute security of customer data.
Any claims arising from or related to this Security Policy, security incidents, data breaches, or security vulnerabilities shall be subject to the liability limitations set forth in our Terms of Service, including but not limited to the liability cap and exclusion of indirect, consequential, and punitive damages.
In particular, emailfinder.dev's liability for any claims related to security incidents, data breaches, or security vulnerabilities shall not exceed the greater of (i) €10,000 or (ii) the total amount paid by Customer to emailfinder.dev in the twelve (12) months preceding the event giving rise to the liability claim, as set forth in Section 13.5 of the Terms of Service.
emailfinder.dev shall not be liable for any indirect, incidental, consequential, or punitive damages, including but not limited to loss of profits, loss of revenue, loss of data, loss of business opportunity, or business interruption arising from security incidents or data breaches.
For the avoidance of doubt, the liability limitations in the Terms of Service apply to all claims, whether arising under contract, tort, or otherwise, including claims related to security, data protection, or privacy.
Questions? Contact us at support@emailfinder.dev