Security

How SendPromptly protects accounts, API keys, webhook data, and infrastructure.

SendPromptly handles data that sits between payment events and customer account state. This page explains how we protect it.

We are a small SaaS product, not an enterprise security platform. We aim to be honest about what we do and do not do.


Authentication

  • Passwords are hashed using a secure one-way algorithm. We do not store or have access to your plaintext password.
  • Accounts support multi-factor authentication (MFA) via authenticator app (TOTP). Recovery codes are provided at setup.
  • MFA is prompted for sensitive actions in addition to login.
  • Sessions are protected against common web attack patterns.

API keys

  • API keys are hashed on creation. The dashboard shows the plaintext value once; after that only the hash is stored.
  • Keys are scoped to a single project — a compromised key affects only that project.
  • You can generate new keys and revoke old ones at any time. We recommend rotating keys on a regular schedule and immediately after any suspected exposure.
  • Keep API keys in server-side secret managers. Do not commit them to source control or expose them in browser or mobile clients.

Signed repair callbacks

When you trigger a reprocess, SendPromptly sends a signed HTTP POST to your configured repair endpoint.

  • Every callback is signed with HMAC-SHA256 using a project-scoped signing secret.
  • Your endpoint receives three headers: X-SendPromptly-Timestamp, X-SendPromptly-Nonce, and X-SendPromptly-Signature.
  • Your endpoint should verify the signature against the raw request body, reject timestamps older than 5 minutes, and make repair logic idempotent by replay_id.
  • Replay callbacks include the same replay_id, so a handler that checks for it will not apply an effect more than once.
  • Reprocess callbacks are retried only on network errors or 5xx responses. 4xx responses halt retries.

The signing secret for callbacks is stored and managed separately from your ingest API keys.
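
A receiving endpoint that performs the checks listed above (signature over the raw body, 5-minute timestamp limit, idempotency by replay_id), as an added example and not SendPromptly's own code. The MAC input layout (timestamp.nonce.body), the hex digest encoding, the Unix-seconds timestamp and the top-level replay_id JSON field are assumptions, and the function and parameter names are hypothetical; take the exact signing format from the callback documentation.

```python
import hashlib
import hmac
import json
import time

MAX_AGE_SECONDS = 5 * 60  # the page: reject timestamps older than 5 minutes


def sign(secret: bytes, timestamp: str, nonce: str, raw_body: bytes) -> str:
    # ASSUMPTION: MAC input is "<timestamp>.<nonce>.<raw body>", digest is hex.
    msg = timestamp.encode() + b"." + nonce.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_repair_callback(headers, raw_body, secret, applied, apply_repair, now=None):
    """Return (status, reason). `applied` stands in for a durable set of replay_ids."""
    now = time.time() if now is None else now
    ts = headers.get("X-SendPromptly-Timestamp", "")
    nonce = headers.get("X-SendPromptly-Nonce", "")
    sig = headers.get("X-SendPromptly-Signature", "")
    if not (ts and nonce and sig):
        return 400, "missing signature headers"
    # Check the MAC over the raw bytes, in constant time, before parsing anything.
    if not hmac.compare_digest(sign(secret, ts, nonce, raw_body).encode(), sig.encode()):
        return 401, "bad signature"
    # ASSUMPTION: the timestamp is Unix seconds. It is only trusted once the MAC holds.
    if not (ts.isascii() and ts.isdigit()) or now - int(ts) > MAX_AGE_SECONDS:
        return 400, "stale or malformed timestamp"
    try:
        # ASSUMPTION: replay_id is a top-level field of a JSON body.
        replay_id = str(json.loads(raw_body)["replay_id"])
    except (ValueError, KeyError, TypeError):
        return 400, "no replay_id"
    if replay_id in applied:
        return 200, "already applied"  # acknowledge the duplicate without redoing it
    try:
        apply_repair(replay_id)
    except Exception:
        return 500, "repair failed"  # 5xx lets the sender retry; nothing was recorded
    applied.add(replay_id)
    return 200, "applied"
```

In production, record the replay_id in the same database transaction as the repair itself so that a crash between the two cannot cause a double apply.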


Payment security

  • Billing is processed through Stripe.
  • SendPromptly does not store card numbers, CVV, or raw payment credentials.
  • We store only Stripe references: customer ID, subscription ID, and billing status.
  • Stripe webhook events for billing are verified using Stripe’s signature mechanism before any billing state is updated.

Webhook and event data

  • By default, we store only metadata: event type, effect type, your internal reference, and status.
  • Full payload snapshots are opt-in per project, encrypted at rest, and purged automatically after 30 days.
  • All inbound API requests require an Idempotency-Key. Duplicate submissions are deduplicated, not double-processed.
  • Event records are deduped on (project, provider, provider_event_id) — duplicate payment webhooks from the provider never create duplicate incidents.

Audit logging

We log the following activity with actor and timestamp:

  • login events
  • MFA changes
  • API key creation and revocation
  • project creation and deletion
  • billing actions
  • incident state changes
  • operator reprocess actions

The audit log is read-only in the console and is retained for 12 months.


Application security

  • All traffic is served over HTTPS. HTTP requests are redirected.
  • API endpoints enforce authentication, rate limiting, and content type requirements.
  • Inbound webhook payloads are validated before processing.
  • Access is scoped by organization — users can only access their own organization’s data.

Infrastructure

SendPromptly is hosted on OVHcloud VPS infrastructure. We implement backups, uptime monitoring, and operational alerting.

We do not publish infrastructure IP ranges, firewall configuration, internal architecture details, or deployment pipeline specifics.


Privacy and compliance positioning

SendPromptly is designed with practical security and privacy safeguards informed by GDPR, CCPA/CPRA, and PIPEDA principles. We are not certified against any formal compliance framework. If you have specific compliance requirements, review our practices here and in the Privacy Policy to assess fit.


Reporting a vulnerability

If you discover a potential security issue, please contact us at [email protected] before public disclosure. We will acknowledge receipt and work with you on a resolution timeline.


Contact

Security questions or concerns: