Security

Your data security is our top priority. Here's how we protect it.

Security Overview

Wontbounce is built with a security-first architecture. We implement industry-standard security measures, follow recognized best practices, and continuously monitor our systems to protect your data, ensure service availability, and maintain the confidentiality of your email verification activities. Security is not an afterthought — it is embedded into every layer of our platform.

Data Protection

Encryption in Transit

All data transmission is encrypted using TLS 1.2/1.3
HTTPS enforced across all endpoints, APIs, and web interfaces
Perfect Forward Secrecy (PFS) enabled to protect past sessions
HTTP Strict Transport Security (HSTS) headers enforced

Encryption at Rest

AES-256 encryption for all stored data
Database encryption with managed, rotated keys
Encrypted backups with geographic redundancy

Data Minimization

Email addresses submitted for verification are processed in memory only and immediately discarded — never written to disk or stored
Uploaded files are deleted immediately after processing
Verification results are returned to you and never stored on our servers
We collect only the minimum data necessary to operate the Service

Authentication & Access Control

User Authentication

OAuth 2.0 via Google for secure, passwordless login
JWT tokens with secure signing, short expiration times, and automatic refresh
No passwords stored on our systems — authentication is delegated to Google
Secure, HTTP-only session cookies with SameSite attributes

API Security

Unique API keys per user, transmitted only over HTTPS
Rate limiting to prevent abuse and brute-force attacks
Input validation and sanitization on all API endpoints
CORS policies configured to restrict unauthorized origins

Internal Access Controls

Principle of least privilege for all system and database access
Multi-factor authentication required for administrative access
Regular access reviews and audit trails for all privileged operations

Infrastructure Security

Cloud Infrastructure

Hosted on enterprise-grade cloud infrastructure with SOC 2 and ISO 27001 certifications
Automatic security patching and operating system updates
Network segmentation with strict firewall rules
DDoS protection and intelligent traffic filtering

Application Security

Secure coding practices following OWASP guidelines
Protection against SQL injection, XSS, CSRF, and other common vulnerabilities
Content Security Policy (CSP) headers to prevent code injection
Regular dependency scanning and vulnerability management

Monitoring & Detection

Continuous security monitoring and anomaly detection
Real-time alerting for suspicious activity and security events
Comprehensive logging with tamper-proof audit trails

Compliance & Standards

GDPR

Full compliance with the EU General Data Protection Regulation, including data subject rights, lawful processing, and cross-border transfer safeguards.

CCPA

Compliance with the California Consumer Privacy Act, including the right to know, delete, and opt out.

OWASP

Application security aligned with OWASP Top 10 guidelines to protect against the most critical web application security risks.

ISO 27001 Aligned

Security management practices aligned with ISO 27001 standards for information security management systems.

Data Processing Agreements

DPAs available upon request for enterprise customers who require formal data processing documentation.

Incident Response & Business Continuity

Security Incident Response

Documented incident response plan with defined roles, escalation paths, and procedures
Rapid containment, investigation, and remediation processes
Affected users notified promptly in the event of a data breach, in accordance with GDPR Article 33 and 34 requirements
Post-incident reviews and preventive measures to avoid recurrence

Business Continuity

High-availability architecture with automated failover
Regular automated backups with tested restoration procedures
Disaster recovery planning with defined RTOs and RPOs
99.9% uptime target for paid plans

File Upload Security

Strict file type validation — only CSV, XLSX, XLS, and TXT files accepted
Maximum file size limit of 10MB enforced server-side
Files are processed in isolated environments
All uploaded files are permanently deleted immediately after processing completes

Security Best Practices for Users

We recommend the following practices to keep your account secure:

Secure your Google account

Enable two-factor authentication (2FA) on your Google account, which is used for Wontbounce login.

Protect your API key

Store your API key in environment variables or a secrets manager. Never expose it in client-side code, public repositories, or logs.

Monitor your usage

Regularly review your dashboard for unexpected usage patterns that could indicate unauthorized access.

Use secure networks

Avoid accessing the Service over untrusted or public Wi-Fi networks without a VPN.

Only verify authorized data

Ensure you have the legal right to verify the email addresses you submit and comply with all applicable privacy laws.

Reporting Security Vulnerabilities

We take security vulnerabilities seriously and appreciate responsible disclosure. If you discover a security issue, please report it to us so we can address it promptly.

How to Report

Email security vulnerabilities to [email protected] with "Security Vulnerability" in the subject line
Include a detailed description of the vulnerability and steps to reproduce it
Please do not publicly disclose the vulnerability until we have had reasonable time to investigate and address it

Our Commitment

We will acknowledge receipt within 24 hours
We will provide regular updates on our investigation
Verified vulnerabilities will be remediated promptly
We will credit researchers in our security acknowledgments (with your permission)

Contact Our Security Team

For security-related questions, concerns, or to report vulnerabilities:

Wontbounce Inc. — Security Team
Email: [email protected]