Security

We take the security of your data seriously. This page outlines how HeroBounce protects your email validation data across infrastructure, application, and operations.

Data Protection

  • Encryption in transit:

    TLS 1.3 for all client connections, API traffic, and webhook deliveries. Plain HTTP requests are redirected to HTTPS.

  • Encryption at rest:

    PostgreSQL storage is encrypted at rest with AES-256, covering validation results and user data. Secrets and API keys are stored encrypted using industry-standard cryptographic algorithms.

  • Access controls:

    Role-based access control (RBAC) for user accounts and scoped API keys with granular permissions. Multi-factor authentication available for enhanced account security.

  • Auditability:

    Server-side audit logs for authentication events, API access, validation requests, and administrative actions. Logs are retained for 90 days for security monitoring.

  • Least privilege:

    Segregated development, staging, and production environments. Service credentials are restricted to minimum necessary permissions.

  • Data isolation:

    Email addresses and validation results are partitioned by user account, and access checks are enforced per account, so one account cannot read another account's addresses or results.

Application Security

Security Headers & CSRF Protection

  • Hardened HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options)
  • CSRF protection tokens for all state-changing operations
  • Secure, HttpOnly cookies with SameSite attributes
  • CORS allow-list restricting cross-origin requests to approved origins
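The items above describe response-side defences that are easy to get subtly wrong. The following is an added example, written for this page in Python and not taken from HeroBounce's code base (the service's implementation language is not stated here), showing a hardened header set, a session cookie with Secure/HttpOnly/SameSite, an origin allow-list for CORS, and an HMAC-based CSRF token bound to the session that every state-changing request must carry. The header values, cookie name, allowed origin and secret handling are assumptions for illustration.

```python
"""Hardened headers, cookie attributes and CSRF checking (added example, not HeroBounce code)."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumption: a per-deployment secret loaded from a secrets manager, never from source.
CSRF_SECRET = secrets.token_bytes(32)

# Assumed baseline header set; CSP here allows only same-origin resources and no framing.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Assumed CORS allow-list: exact origins, no wildcard, so credentials can be sent safely.
ALLOWED_ORIGINS = {"https://app.example.com"}


def session_cookie(session_id):
    """Return a Set-Cookie value that JavaScript cannot read and that is sent only over TLS."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["secure"] = True      # never sent over plain HTTP
    c["session"]["httponly"] = True    # not exposed to document.cookie
    c["session"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    c["session"]["path"] = "/"
    return c["session"].OutputString()


def cors_headers(origin):
    """Echo the Origin only if it is on the allow-list; unknown origins get no CORS headers."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def issue_csrf_token(session_id):
    """Token = nonce.HMAC(secret, session:nonce); it is useless outside this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Constant-time check that the token was minted for this session."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_request(method, session_id, csrf_token, origin):
    """Return (status, headers). State-changing methods without a valid CSRF token are refused."""
    headers = dict(SECURITY_HEADERS)
    headers.update(cors_headers(origin))
    if method in {"POST", "PUT", "PATCH", "DELETE"} and not verify_csrf_token(session_id, csrf_token or ""):
        return 403, headers
    return 200, headers
```

The token is checked with `hmac.compare_digest` rather than `==` so that a forged value cannot be refined byte by byte from response timing, and the CORS helper never reflects an arbitrary Origin, which would otherwise turn the allow-list into a wildcard.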

Input Validation & Sanitization

  • Strict email format validation and sanitization
  • File upload validation with size limits and MIME type checks
  • SQL injection prevention using parameterized queries
  • XSS protection through output encoding and content sanitization
  • API rate limiting to curb abuse and brute-force attempts; volumetric DDoS protection is handled at the network layer (see Infrastructure Security)
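The first and third items above (strict email validation and parameterized queries) are the two checks that matter most for an email validation API, so here is an added example in Python (not HeroBounce's code; its validation rules and database layer are not published on this page). It normalizes an address under a deliberately strict policy that is narrower than RFC 5322 (no quoted local parts, no IP-literal domains, ASCII only, length limits of 64 for the local part and 254 overall), and then contrasts a string-concatenated query with a parameterized one against an in-memory SQLite table. The table layout and sample rows are constructed for the demonstration.

```python
"""Strict email normalization and parameterized lookups (added example, not HeroBounce code)."""
import re
import sqlite3

LOCAL_MAX, TOTAL_MAX = 64, 254
# Assumed policy: dot-atom local parts only, ASCII only, no quoted strings.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")
# DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_email(raw):
    """Return 'local@domain' with the domain lowercased, or None if the input fails any check.

    Rejects non-strings, control characters and whitespace, anything but exactly one '@',
    oversize parts, malformed labels and single-label domains. The local part keeps its
    case because the receiving server owns its interpretation.
    """
    if not isinstance(raw, str):
        return None
    s = raw.strip()
    if len(s) > TOTAL_MAX or any(ord(ch) < 33 or ord(ch) == 127 for ch in s):
        return None
    if s.count("@") != 1:
        return None
    local, domain = s.split("@")
    if not local or len(local) > LOCAL_MAX or not _LOCAL_RE.match(local):
        return None
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        return None
    return local + "@" + domain.lower()


def setup_db():
    """Constructed sample table of validation results for two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE validations (account_id INTEGER, email TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO validations VALUES (?, ?, ?)",
        [(1, "alice@example.com", "deliverable"), (2, "bob@example.org", "undeliverable")],
    )
    return conn


def lookup_unsafe(conn, account_id, email):
    """VULNERABLE: the email is spliced into SQL, so a crafted value rewrites the WHERE clause."""
    sql = (
        "SELECT email, status FROM validations "
        f"WHERE account_id = {account_id} AND email = '{email}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account_id, email):
    """Parameterized: values are bound by the driver and can never change the query's shape."""
    return conn.execute(
        "SELECT email, status FROM validations WHERE account_id = ? AND email = ?",
        (account_id, email),
    ).fetchall()
```

Run `lookup_unsafe(setup_db(), 1, "' OR '1'='1")` and it returns both accounts' rows, crossing the per-account isolation the Data Protection section promises; `lookup_safe` with the same input returns nothing. Input validation is a second, independent line of defence here: `normalize_email` rejects that payload anyway because it contains spaces and no `@`, but only the parameterized query stays safe for inputs the validator happens to accept.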

Dependency Management

  • Regular dependency updates and security patch management
  • Automated vulnerability scanning with GitHub Dependabot
  • Security audit of third-party packages before integration
  • Minimal dependency footprint to reduce attack surface

Authentication & Authorization

  • Password hashing with bcrypt, which embeds a per-password salt
  • JWTs with short expiry and refresh token rotation
  • API key authentication with scoped permissions
  • Session management with automatic timeout
  • Failed login attempt monitoring and account lockout protection
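The third and fifth items above (scoped API keys and lockout after repeated failures) are mechanisms a practitioner will want to see concretely, so the following is an added example in Python, not HeroBounce's code. It mints a random key, persists only its SHA-256 digest together with its scopes, authenticates by hash lookup, denies any scope the key does not explicitly carry, and tracks failed logins per account with an injectable clock so the lockout window can be tested. The key prefix, scope names, threshold and window are assumptions; bcrypt password hashing itself is not shown because it is not in the standard library.

```python
"""Scoped API keys and failed-login lockout (added example, not HeroBounce code)."""
import hashlib
import secrets
import time

KEY_PREFIX = "hb_"            # assumed prefix so leaked keys are recognisable to secret scanners
MAX_FAILURES = 5              # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60     # assumed lockout window


def _key_hash(key):
    """Keys are 256-bit random, so an unsalted SHA-256 suffices; only this digest is stored."""
    return hashlib.sha256(key.encode()).hexdigest()


def create_api_key(store, account_id, scopes):
    """Mint a key, persist its hash and scopes, and return the plaintext exactly once."""
    key = KEY_PREFIX + secrets.token_urlsafe(32)
    store[_key_hash(key)] = {"account_id": account_id, "scopes": frozenset(scopes)}
    return key


def authenticate_api_key(store, presented):
    """Return the stored record for a presented key, or None. Lookup is by digest, never plaintext."""
    if not presented.startswith(KEY_PREFIX):
        return None
    return store.get(_key_hash(presented))


def authorize(record, required_scope):
    """Allow only if the key carries exactly this scope; there is no implicit wildcard."""
    return record is not None and required_scope in record["scopes"]


class LoginGuard:
    """Counts consecutive failed logins per account and locks the account after MAX_FAILURES."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}   # account -> (consecutive failures, locked_until timestamp)

    def allowed(self, account):
        """False while the account is inside its lockout window."""
        _, locked_until = self._failures.get(account, (0, 0))
        return not (locked_until and self._clock() < locked_until)

    def record_failure(self, account):
        """Register a failed attempt; returns True if this attempt triggered a lockout."""
        count, locked_until = self._failures.get(account, (0, 0))
        count += 1
        if count >= MAX_FAILURES:
            locked_until = self._clock() + LOCKOUT_SECONDS
            count = 0   # next window starts clean once the lockout expires
        self._failures[account] = (count, locked_until)
        return locked_until > self._clock()

    def record_success(self, account):
        """A successful login clears the counter."""
        self._failures.pop(account, None)
```

Callers check `guard.allowed(account)` before verifying the password so that a locked account never reaches the hash comparison. A per-account lockout can itself be abused to lock out a legitimate user whose address is known, which is one reason the API rate limiting listed earlier is applied alongside it rather than instead of it.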

Infrastructure Security

Network Security

  • Firewall rules restricting unauthorized network access
  • Private network isolation for database and cache servers
  • DDoS protection and traffic filtering
  • Regular penetration testing and security assessments

Monitoring & Incident Response

  • 24/7 automated security monitoring and alerting
  • Real-time intrusion detection systems
  • Incident response plan with defined escalation procedures
  • Regular security log reviews and anomaly detection
  • Breach notification to the supervisory authority within 72 hours of becoming aware, as GDPR Article 33 requires

Backup & Disaster Recovery

  • Automated daily backups with encrypted storage
  • Geographic redundancy for critical data
  • Point-in-time recovery capability
  • Regular disaster recovery testing
  • Business continuity plan with defined RTOs and RPOs

Email Validation Security

HeroBounce implements specific security measures for email validation operations:

  • No email content storage: We only validate email addresses, never email content or messages
  • Temporary processing: Bulk upload files are deleted immediately after validation
  • Hashed analytics: Email addresses in logs are hashed for privacy
  • Rate limiting: Protection against abuse and validation spam
  • SMTP security: TLS-protected connections to mail servers for validation checks, where the receiving server supports it
  • DNS security: DNSSEC validation where supported
  • No spam usage: Strict anti-spam policies and usage monitoring
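The "hashed analytics" item above deserves one caveat from a practitioner's view: an unkeyed hash of an email address is easy to reverse, because anyone holding the logs can hash a list of likely addresses and compare. The following added example in Python (not HeroBounce's code; the page does not say which construction it uses) shows that dictionary reversal against a plain SHA-256, and the keyed alternative (HMAC with a key kept out of the log pipeline) that still yields a stable per-address token for counting unique addresses. The key handling, log format and guess list are constructed for the demonstration.

```python
"""Plain vs keyed hashing of email addresses in logs (added example, not HeroBounce code)."""
import hashlib
import hmac
import secrets

# Assumption: a server-side key that log readers and the analytics pipeline never receive.
LOG_HASH_KEY = secrets.token_bytes(32)


def plain_hash(email):
    """Unkeyed SHA-256 of the lowercased address: reversible by guessing."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_hash(email):
    """HMAC-SHA256 under LOG_HASH_KEY: stable for analytics, not guessable without the key."""
    return hmac.new(LOG_HASH_KEY, email.lower().encode(), hashlib.sha256).hexdigest()


def log_line(event, email, hasher=keyed_hash):
    """Constructed log format; the clear-text address never reaches the line."""
    return f"event={event} email_hash={hasher(email)}"


def dictionary_attack(target_hash, candidates):
    """What someone holding the logs but not the key can do: hash each guess and compare."""
    for guess in candidates:
        if hmac.compare_digest(plain_hash(guess), target_hash):
            return guess
    return None
```

With a constructed guess list of three addresses, `dictionary_attack` recovers the address behind a `plain_hash` token immediately and fails against a `keyed_hash` token; rotating `LOG_HASH_KEY` also breaks linkage across retention periods, which a plain hash cannot do.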

Third-Party Security

We carefully vet all third-party services and ensure they meet our security standards:

Stripe (Payment Processing)

PCI DSS Level 1 certified, SOC 2 Type II compliant

OpenAI (AI Services)

Enterprise API agreement with no model training on customer data

Cloud Infrastructure

ISO 27001, SOC 2, and SOC 3 certified hosting providers

Compliance & Certifications

Current Compliance

  • GDPR: Fully compliant with EU General Data Protection Regulation
  • LOPDGDD: Spanish data protection law compliance
  • EU AI Act: Aligned with limited-risk AI system requirements
  • CAN-SPAM: Adherence to US email marketing regulations
  • CASL: Compliance with Canadian anti-spam legislation

In Progress

SOC 2 Type II program: We are working towards formal SOC 2 Type II certification. We align our practices with industry standards while iterating towards formal certification.

Responsible Disclosure

If you believe you've found a security vulnerability in HeroBounce, please report it to us responsibly. We appreciate the security research community's efforts to help keep our users safe.

How to Report

  1. Email: support@herobounce.com
  2. Include a detailed description of the vulnerability
  3. Provide steps to reproduce the issue
  4. Allow us reasonable time to address the issue before public disclosure

What to expect:

  • Acknowledgment of your report within 24-48 hours
  • Regular updates on our investigation and remediation progress
  • Credit for responsible disclosure (if desired) when we publish a fix
  • Coordination on disclosure timeline

Please do not: Publicly disclose the vulnerability before we've had a chance to address it, access user data beyond what's necessary to demonstrate the vulnerability, or perform denial of service attacks.

Employee Security Practices

  • Background checks for employees with access to production systems
  • Security awareness training and annual refresher courses
  • Strict access control policies with regular access reviews
  • Mandatory use of password managers and 2FA for all accounts
  • Secure device management with full-disk encryption
  • Non-disclosure agreements and data protection clauses

Questions About Security?

For general security inquiries or to learn more about our security practices, please reach out:

General Security: support@herobounce.com

Vulnerability Reports: support@herobounce.com

Privacy Concerns: support@herobounce.com

We investigate all reports and appreciate coordinated disclosure. Security is a continuous journey, and we're committed to protecting your data.

Last updated: December 23, 2025

This page is regularly updated as we enhance our security posture and implement new protections.