Security

How we protect your data

Security is built into every layer of SendCraft — from how we store credentials to how we handle payments.

API key storage

API keys are hashed using SHA-256 before being stored in the database. The plaintext key is shown to you exactly once — at creation time — and is never stored or retrievable afterward. This means even in the event of a database breach, your raw API keys remain protected.
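
The storage scheme described above, shown in Node.js as an added example (not SendCraft's own code). The `sk_` key prefix, the in-memory `keyStore` standing in for the database table, and all function names are assumptions.

```javascript
// Added example: hash-only API key storage. All names are hypothetical.
const crypto = require('node:crypto');

// Stand-in for the database table: SHA-256 hex digest -> key record.
const keyStore = new Map();

function sha256Hex(value) {
  return crypto.createHash('sha256').update(value, 'utf8').digest('hex');
}

// Create a key: hand the plaintext back once, persist only its digest.
function createApiKey(userId) {
  // 32 random bytes give 256 bits of entropy, which is why a fast unsalted
  // hash is acceptable here (unlike for low-entropy user passwords).
  // The "sk_" prefix is a constructed convention, not taken from the page.
  const plaintext = 'sk_' + crypto.randomBytes(32).toString('hex');
  keyStore.set(sha256Hex(plaintext), { userId, createdAt: Date.now() });
  return plaintext;
}

// Verify a presented key: hash it and look the digest up.
// Returns the stored record, or null when the key is unknown or malformed.
function verifyApiKey(presented) {
  if (typeof presented !== 'string' || presented.length === 0) return null;
  return keyStore.get(sha256Hex(presented)) ?? null;
}

// Revoke a key the caller still holds; returns true if a record was removed.
function revokeApiKey(presented) {
  return keyStore.delete(sha256Hex(presented));
}

// What a database dump would expose: digests and metadata, no usable keys.
function dumpStore() {
  return [...keyStore.entries()].map(([digest, rec]) => ({ digest, ...rec }));
}
```

Because only the digest is persisted, a lost key cannot be recovered, only revoked and reissued.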

Password hashing

User passwords are hashed with bcrypt using a high cost factor before storage. Plaintext passwords are never written to disk or logged at any point in the authentication flow.

Transport security (TLS)

All traffic between clients and our servers is encrypted over HTTPS/TLS. HTTP requests are redirected to HTTPS. Connections to our API at api.sendcraft.online enforce TLS at the load-balancer level.

Authentication

The platform supports two authentication methods: JWT tokens (for dashboard and session-based access) and API key authentication (for programmatic API access). Tokens carry a short expiry and are validated on every request.

Rate limiting

Every API endpoint is rate-limited based on your subscription tier. Requests are keyed by authenticated user ID, with IP address as a fallback for unauthenticated routes. Exceeding limits returns a 429 response.

HTTP security headers

We use Helmet.js to set security-relevant HTTP response headers on every response, including: X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), and X-XSS-Protection. CORS is configured per environment to restrict origins.

Payment security

Payments are processed via Cashfree, a PCI-DSS compliant payment gateway. SendCraft never receives, transmits, or stores cardholder data. All billing interactions happen directly with Cashfree's secure hosted payment pages.

Bounce and complaint handling

Permanent email bounces and spam complaints are processed automatically via verified webhooks and added to a per-account suppression list. This prevents repeated sending to bad addresses, protecting your sender reputation.

Responsible disclosure

If you discover a security vulnerability in SendCraft, please report it to sendcraft.team@gmail.com with “Security Disclosure” in the subject line. Please do not open a public GitHub issue for security vulnerabilities. We aim to acknowledge reports within 48 hours.