
Security

Security is foundational to a service that handles your contact details and removals. This overview describes our current approach in plain language. It reflects how the service is built today and the direction we are investing in. We will keep it current as our program matures.

Last updated

In plain language

This overview describes how Spamroot approaches security. We rely on established providers for authentication and infrastructure, encrypt data in transit, limit access on a need-to-know basis, and vet the vendors we depend on. We are building toward formal certifications and do not claim any we have not yet earned.

Built on

We prefer trusted, well-maintained infrastructure over reinventing security-critical systems. Here is what runs underneath Spamroot, and what is planned.

  • Clerk (in use) - authentication. Sign-in, sessions, and account security are handled by a dedicated identity provider rather than rolled by hand.
  • Convex (in use) - data model. Our application data lives on a managed backend, so access rules stay consistent and the data layer stays auditable.
  • UniPile (planned) - inbox connections. Planned inbox connectivity will use permissioned access through this provider, never your raw email credentials.

We are building toward formal, independently audited certifications and do not claim any we have not yet earned.

Our approach

We design Spamroot to collect only the information we need, protect it with established tools and providers, and limit who can access it. We prefer building on trusted, well-maintained infrastructure over reinventing security-critical components ourselves.

We are early, and we are honest about that. We are building toward formal certifications rather than claiming them prematurely.

Authentication

Authentication is powered by Clerk, a dedicated identity provider. Using a specialist for sign-in lets us offer secure account management, session handling, and modern authentication practices without building those security-sensitive systems from scratch.

Data model and storage

Our application data is built on Convex, which provides our database and backend platform. Structuring our data on a managed, well-maintained backend helps us apply consistent access rules and keep our data layer reliable and auditable.

Planned inbox connections

Inbox connections are planned and will be powered by UniPile. When available, these connections will use the provider's supported, permissioned access rather than asking for your raw credentials, and we will request only the access needed for the feature.

Encryption in transit

Traffic between your browser and Spamroot, and between Spamroot and the providers we rely on, is encrypted in transit using industry-standard transport encryption (TLS). This protects your information as it travels across networks.
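The check a practitioner would run against the transport claim above, as an added example that is not Spamroot's code: it builds a TLS client context that refuses anything below TLS 1.2 and requires certificate chain and hostname verification, then probes a host and reports what was negotiated. The host name passed on the command line is a placeholder; the probe needs network access, while the policy helpers run offline.

```python
"""Probe a host's TLS posture with a client that enforces a minimum version.

Added example for the 'encryption in transit' section; not Spamroot's own code.
"""
import socket
import ssl
import sys

# Versions we treat as acceptable for traffic carrying personal data.
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and are rejected by policy.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def version_is_acceptable(version):
    """Return True if the negotiated protocol name meets the policy."""
    return version in ACCEPTED_VERSIONS


def hardened_client_context():
    """Build a client context that verifies certificates and hostnames
    against the system trust store and refuses versions below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """Summarise the security-relevant settings of a context as plain values,
    so the policy can be asserted on without a network connection."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def probe(host, port=443, timeout=5.0):
    """Connect to host:port with the hardened context and report the result.

    A failed handshake (untrusted chain, hostname mismatch, or a server that
    only offers TLS 1.0/1.1) raises ssl.SSLError, which is the desired
    outcome: the client must not fall back silently.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # getpeercert() returns subject as a tuple of RDNs, each a tuple
            # of (name, value) pairs; flatten the first pair of each RDN.
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "acceptable": version_is_acceptable(tls.version()),
                "subject": subject,
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Placeholder host; replace with the service endpoint you are checking.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(probe(target))
```

The probe deliberately uses the same context a production client should use, so a server that would force a downgrade fails the handshake instead of being reported as "reachable". Run it against both the browser-facing host and any provider endpoint the service talks to, since the claim covers both hops.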

Access controls

We limit access to personal data to the people who need it to operate the service, and we apply the principle of least privilege.

  • Internal access is granted on a need-to-know basis and reviewed periodically.
  • Administrative access to systems is restricted and protected with strong authentication.
  • We log access to sensitive systems so it can be reviewed.

Vendor management

Because we rely on third-party providers for parts of the service, we are deliberate about whom we choose. We favor established providers with strong security practices, and we review the access and data each one requires before relying on them.

Our current core providers and what they do are listed in our Data Processing overview.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please report it to us privately so we can investigate and address it before it is disclosed publicly.

Email security@spamroot.com with the details. We ask that you give us a reasonable opportunity to respond before any public disclosure, and that you avoid accessing or modifying data that is not yours while testing.

Working toward certifications

We are building our security program toward formal, independently audited certifications. We have not completed those audits yet, and we will not claim certifications we do not hold. When we achieve them, we will say so clearly and provide evidence.

Still have questions?

We'd rather explain it than make you guess. Reach out and a real person will get back to you.

Contact us