Defrost is built for teams who treat their customer data and their sending reputation like the assets they are. This page summarises our security posture, compliance footing, and sub-processor list. If you're evaluating us for procurement, the documents linked at the bottom should answer most security questionnaire items.
Security posture
- Encryption at rest. All customer secrets (API keys, OAuth refresh tokens, SCIM tokens) are encrypted with AES-256-GCM before being written to the database. Encryption keys are stored as Vercel environment variables and never logged.
- Encryption in transit. TLS 1.2+ on every public surface. HSTS enforced. HTTPS-only cookies for session state.
- Row-Level Security on every table. Supabase RLS policies are enforced at the database layer so a logic bug in our app code cannot accidentally expose another tenant's data.
- Audit log on every customer action. The audit_events table records every state-changing API call with the actor, the org, the action type, and the metadata. Retention is 7 years for Enterprise customers.
- Secrets isolation. Production and preview deployments use separate Supabase projects and separate Stripe keys. Staff access to production secrets is logged.
- Vulnerability disclosure. We publish an RFC 9116 security.txt and accept reports at security@defrostmail.com with a 24-hour acknowledgement SLA.
Compliance
- GDPR (EU) + UK GDPR. We honour Data Subject Access Requests (DSARs) including right-to-access, right-to-rectification, and right-to-erasure within 30 days. Standard DPA template available at /dpa.
- CCPA / CPRA (California). California residents have the right to know, delete, and opt out of sale. We do not sell personal information.
- California ARL §17602. SaaS subscription auto-renewal notifications, cancellation paths, and price-change disclosures are implemented per California Automatic Renewal Law.
- CAN-SPAM + CASL + UK PECR + EU ePrivacy. Our cold-email features include opt-out enforcement, identification requirements, and rate-limited send pacing to keep customers compliant. See the Acceptable Use Policy for the legal footing.
Sub-processors
We use the following sub-processors to deliver the service. Customers will receive 30 days' notice via email before any new sub-processor is added.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States (us-east-1) |
| Vercel | Hosting, edge runtime, CDN | Global edge network |
| Resend | Transactional system mail (account auth, billing notifications) | United States |
| AWS SES | Primary system-mail transport from mail.defrostmail.com (backup transactional) | United States |
| Stripe | Subscription billing, payment processing | United States |
| Anthropic | LLM inference for AI features (research, copy, classification) | United States |
| MillionVerifier | Email verification (optional, customer-enabled) | European Union |
| ZeroBounce | Email verification (optional, customer-enabled) | United States |
| NeverBounce | Email verification (optional, customer-enabled) | United States |
| Google (Gmail / Workspace) | OAuth pass-through for customer mailbox send transport | Per Google Workspace contract |
| Microsoft (Outlook / 365) | OAuth pass-through for customer mailbox send transport | Per Microsoft 365 contract |
See /sub-processors for the canonical sub-processor disclosure including OAuth pass-through providers and upcoming additions.
Vulnerability disclosure
If you discover a security vulnerability, please email security@defrostmail.com. We acknowledge within 24 hours and triage within 5 business days. Full policy: /.well-known/security.txt.
Data Processing Agreement
Our standard DPA is available at /dpa. For Enterprise customers requiring a counter-signed DPA on company letterhead, contact hi@defrostmail.com.
Acceptable Use Policy
Customer obligations for cold-email compliance, prohibited content, and suspension policies are documented at /aup.
Status & uptime
Real-time service status: status.defrostmail.com. Incident history is published with 30-day root-cause analysis for any Sev-1 or Sev-2 event.
Contact
- Security disclosures: security@defrostmail.com
- Procurement / DPA / SIG / CAIQ questionnaire: hi@defrostmail.com
- Abuse reports: abuse@defrostmail.com (24h SLA per ICANN)