
Defrost Security

Last updated · 2026-06-15

Defrost is built for teams who treat their customer data and their sending reputation like the assets they are. This page summarises our security posture, compliance footing, and sub-processor list. If you're evaluating us for procurement, the documents linked at the bottom should answer most security questionnaire items.

Security posture

  • Encryption at rest. All customer secrets (API keys, OAuth refresh tokens, SCIM tokens) are encrypted with AES-256-GCM before being written to the database. Encryption keys are stored as Vercel environment variables and never logged.
  • Encryption in transit. TLS 1.2+ on every public surface. HSTS enforced. HTTPS-only cookies for session state.
  • Row-Level Security on every table. Supabase RLS policies are enforced at the database layer so a logic bug in our app code cannot accidentally expose another tenant's data.
  • Audit log on every customer action. The audit_events table records every state-changing API call with the actor, the org, the action type, and the metadata. Retention is 7 years for Enterprise customers.
  • Secrets isolation. Production and preview deployments use separate Supabase projects and separate Stripe keys. Staff access to production secrets is logged.
  • Vulnerability disclosure. We publish an RFC 9116 security.txt and accept reports at security@defrostmail.com with a 24-hour acknowledgement SLA.

Compliance

  • GDPR (EU) + UK GDPR. We honour Data Subject Access Requests (DSARs) including right-to-access, right-to-rectification, and right-to-erasure within 30 days. Standard DPA template available at /dpa.
  • CCPA / CPRA (California). California residents have the right to know, delete, and opt out of sale. We do not sell personal information.
  • California ARL §17602. SaaS subscription auto-renewal notifications, cancellation paths, and price-change disclosures are implemented per California Automatic Renewal Law.
  • CAN-SPAM + CASL + UK PECR + EU ePrivacy. Our cold-email features include opt-out enforcement, identification requirements, and rate-limited send pacing to keep customers compliant. See the Acceptable Use Policy for the legal footing.

Sub-processors

We use the following sub-processors to deliver the service. Customers will receive 30 days' notice via email before any new sub-processor is added.

Sub-processor | Purpose | Data location
--- | --- | ---
Supabase | Database, authentication, file storage | United States (us-east-1)
Vercel | Hosting, edge runtime, CDN | Global edge network
Resend | Transactional system mail (account auth, billing notifications) | United States
AWS SES | Primary system-mail transport from mail.defrostmail.com (backup transactional) | United States
Stripe | Subscription billing, payment processing | United States
Anthropic | LLM inference for AI features (research, copy, classification) | United States
MillionVerifier | Email verification (optional, customer-enabled) | European Union
ZeroBounce | Email verification (optional, customer-enabled) | United States
NeverBounce | Email verification (optional, customer-enabled) | United States
Google (Gmail / Workspace) | OAuth pass-through for customer mailbox send transport | Per Google Workspace contract
Microsoft (Outlook / 365) | OAuth pass-through for customer mailbox send transport | Per Microsoft 365 contract

See /sub-processors for the canonical sub-processor disclosure including OAuth pass-through providers and upcoming additions.

Vulnerability disclosure

If you discover a security vulnerability, please email security@defrostmail.com. We acknowledge within 24 hours and triage within 5 business days. Full policy: /.well-known/security.txt.

Data Processing Agreement

Our standard DPA is available at /dpa. For Enterprise customers requiring a counter-signed DPA on company letterhead, contact hi@defrostmail.com.

Acceptable Use Policy

Customer obligations for cold-email compliance, prohibited content, and suspension policies are documented at /aup.

Status & uptime

Real-time service status: status.defrostmail.com. Incident history is published with 30-day root-cause analysis for any Sev-1 or Sev-2 event.

Contact

  • Security disclosures: security@defrostmail.com
  • Procurement / DPA / SIG / CAIQ questionnaire: hi@defrostmail.com
  • Abuse reports: abuse@defrostmail.com (24h SLA per ICANN)
© 2026 DEFROST LLC · All rights reserved