Security & Compliance

Last reviewed May 24, 2026 · See also our Privacy Policy and Data Processing Agreement.

Security is a first-class requirement at Outbound, not an afterthought. This page describes the controls we have in place and our commitments to customers who entrust us with their data. If you have a specific security question not answered here, reach out to security@ustack.ai.

1. Encryption in transit

All communication between your browser (or API client) and Outbound's servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all routes and reject plain-text HTTP connections. HSTS (HTTP Strict Transport Security) is set with a two-year max-age and the preload directive, so that browsers use HTTPS even on the first visit.

Email we send on your behalf is transmitted to recipient mail servers over STARTTLS where supported by the receiving server. We do not transmit messages over unencrypted SMTP connections to our own infrastructure.

2. Encryption at rest

Sensitive credential fields — including OAuth access tokens, refresh tokens, and provider API keys stored per-rep — are encrypted at the application layer before being written to the database. The encryption key is managed separately from the database credentials.

Our database host applies transparent disk encryption at the storage layer. Database backups are encrypted at rest as well.

Non-sensitive data fields (contact names, email addresses, draft text, research extracts) are protected by the database host's disk encryption but are not additionally encrypted at the application layer, as they must be readable to provide the Service.

3. Access control

Outbound enforces role-based access control (RBAC) at every API boundary:

  • Owner — full account access, billing, seat management, can promote or demote other users.
  • Admin — all Sales Rep capabilities plus user management within the organization; cannot access billing.
  • Rep — access only to their own drafts, sequences, and contacts within the organization.
  • Platform Admin — Ustack staff only; has read access to platform-wide observability and suppression enforcement. Cannot read message bodies.

Multi-tenant isolation is enforced at the database query layer — every query is scoped to an organizationId that is derived from the authenticated session, not from user-supplied input. We run static analysis tests in CI to detect any query that may be missing the tenant scope.
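An added sketch of the session-derived tenant scope described above (illustrative, not Outbound's code). The table and column names, the session shape, and the lowercase `rep` role value are assumptions made for the example.

```javascript
// Added example: every query goes through one builder that takes the tenant id
// from the authenticated session only. Table/column names are assumptions.
const FILTERABLE = new Map([
  ["drafts", new Set(["id", "status"])],
  ["contacts", new Set(["id", "email"])],
]);

function scopedSelect(session, table, filters = {}) {
  if (!session || !session.organizationId) throw new Error("unauthenticated");
  const columns = FILTERABLE.get(table);
  if (!columns) throw new Error(`unknown table: ${table}`);

  // $1 is always the session's organization; callers cannot override it
  // because organization_id is not a filterable column.
  const where = ["organization_id = $1"];
  const values = [session.organizationId];

  for (const [col, val] of Object.entries(filters)) {
    if (!columns.has(col)) throw new Error(`filter not allowed: ${col}`);
    values.push(val);
    where.push(`${col} = $${values.length}`);
  }

  // Rep role: restricted further to rows the rep owns.
  if (session.role === "rep") {
    values.push(session.userId);
    where.push(`owner_id = $${values.length}`);
  }
  return { text: `SELECT * FROM ${table} WHERE ${where.join(" AND ")}`, values };
}
```

Because the builder returns parameterized text plus values, a CI check can assert that the first predicate of every generated query is the tenant scope.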

4. Authentication

Outbound uses magic-link (one-time password) authentication by default. Links are signed with HMAC-SHA256, are single-use, and expire after 15 minutes. We do not store passwords.
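The three properties named above (HMAC-SHA256 signature, single use, 15-minute expiry) can be seen together in the following added example, which is not Outbound's implementation. The token layout, function names, and in-memory nonce store are assumptions.

```javascript
// Added example: HMAC-SHA256 signed magic-link tokens that are single-use and
// expire after 15 minutes. Token layout and names are assumptions.
const crypto = require("node:crypto");

const TTL_MS = 15 * 60 * 1000;          // 15-minute lifetime
const SECRET = crypto.randomBytes(32);  // constructed key; use a managed secret in practice
const usedNonces = new Map();           // nonce -> expiry; stand-in for a shared store

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const sign = (payload) => crypto.createHmac("sha256", SECRET).update(payload).digest();

function issueToken(email, now = Date.now()) {
  const payload = b64u(JSON.stringify({
    sub: email,
    exp: now + TTL_MS,
    nonce: b64u(crypto.randomBytes(16)),
  }));
  return `${payload}.${b64u(sign(payload))}`;
}

function redeemToken(token, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const [payload, mac] = parts;

  // Check the MAC in constant time before parsing anything from the payload.
  const expected = sign(payload);
  const given = Buffer.from(mac, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }

  const { sub, exp, nonce } = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  if (now >= exp) return { ok: false, reason: "expired" };
  if (usedNonces.has(nonce)) return { ok: false, reason: "already-used" };

  usedNonces.set(nonce, exp);           // burn the nonce: the link works once
  for (const [n, e] of usedNonces) {    // expired nonces no longer need tracking
    if (e <= now) usedNonces.delete(n);
  }
  return { ok: true, email: sub };
}
```

With more than one application instance, the nonce check and insert must be a single atomic operation in shared storage, otherwise two concurrent requests can both redeem the same link.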

Google OAuth 2.0 is offered as an alternative sign-in method. OAuth tokens received from Google are stored encrypted (see section 2). We request only the scopes necessary to provide the Service and do not retain tokens after you disconnect your account.

Session tokens are HTTP-only, Secure, SameSite=Lax cookies. They expire after 30 days of inactivity.

Signup is protected against disposable and temporary email addresses. Work email is required to create an account.

5. Infrastructure security

Our infrastructure runs on Vercel (application layer) and a managed PostgreSQL provider. Key controls:

  • Database is IP-allowlisted — only our application servers can reach it.
  • Production secrets (database credentials, API keys) are stored in Vercel's encrypted environment variable store, never in source code or build artifacts.
  • The application runs with the minimal set of IAM permissions necessary.
  • Vercel's edge network provides DDoS mitigation and rate limiting at the CDN layer. We additionally enforce application-level rate limiting on all auth and write endpoints.
  • Dependency scanning runs on every pull request.

6. SOC 2 status

Outbound's SOC 2 Type II audit is in progress. We are targeting completion in Q4 2026. In the meantime, we are happy to complete security questionnaires and provide evidence of specific controls upon request.

Enterprise customers may request a current controls summary and our security questionnaire responses by emailing security@ustack.ai.

7. GDPR commitments

Outbound is committed to compliance with the EU General Data Protection Regulation (GDPR) and the UK GDPR. As a Processor of your customers' Personal Data, we:

  • Process Personal Data only on your documented instructions and for the purpose of providing the Service.
  • Maintain confidentiality obligations for all personnel with access to Personal Data.
  • Provide you with the ability to honor Data Subject rights requests (access, rectification, erasure, portability) — see our Data Processing Agreement.
  • Notify you of Personal Data breaches within 72 hours of becoming aware of them.
  • Engage Sub-processors under data processing obligations at least as protective as those in our Data Processing Agreement.
  • Use Standard Contractual Clauses (SCCs) for transfers of EEA Personal Data to the US.
  • Delete or return Personal Data upon termination of the Service.

Our full GDPR obligations as Processor are documented in the Data Processing Agreement.

8. Sub-processors

We use the following third-party sub-processors to deliver the Service. Each is bound by contractual data protection obligations. The full list with purposes is in our Data Processing Agreement.

  • Vercel — application hosting
  • Managed PostgreSQL — database
  • OpenAI — AI draft generation and research extraction
  • Anthropic — AI inference (alternate tier)
  • Resend — transactional email delivery
  • Keiro / Serper / Tavily — web search for prospect research
  • Stripe — subscription billing

We do not sell data to sub-processors or allow them to use your data for their own purposes. AI model providers receive anonymized prospect context — no Gmail mailbox contents.

9. Vulnerability disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in our Service, please report it to:

security@ustack.ai

Please include a description of the issue, steps to reproduce it, and your assessment of the potential impact. We will acknowledge your report within 2 business days and aim to provide a timeline for remediation within 5 business days.

We ask that you:

  • Not access, modify, or exfiltrate data belonging to other customers.
  • Not perform denial-of-service attacks.
  • Give us reasonable time to fix the issue before any public disclosure.

We do not currently offer a bug bounty program, but we will credit researchers in our changelog (with their permission) and express our sincere gratitude.

10. Incident response

Our incident response process follows a standard Prepare → Detect → Contain → Eradicate → Recover → Review lifecycle:

  1. Detection — automated alerting for anomalous query patterns, error spike rates, and authentication failures. Manual reporting via security@ustack.ai.
  2. Triage — on-call engineer assesses severity within 2 hours (critical / high) or next business day (medium / low).
  3. Containment — affected accounts or API keys are suspended immediately; affected infrastructure is isolated.
  4. Customer notification — affected customers are notified within 72 hours of a confirmed Personal Data breach, per GDPR Article 33/34. We will describe what happened, what data was affected, and what we're doing.
  5. Remediation — root cause is identified and fixed; a post-mortem is written. Enterprise customers receive the post-mortem on request.
  6. Review — controls are updated to prevent recurrence.

11. Data retention and deletion

Data retention schedules are detailed in our Privacy Policy. On account closure, Personal Data in scope of this policy is deleted within 30 days except where we are required by law to retain it (e.g., billing records for 7 years).

Secure deletion means records are removed from the live database and will not appear in backups after the next backup rotation cycle (maximum 30 days).

12. Contact

For security questions, vulnerability reports, or compliance questionnaires:

Ustack AI Inc.
Security: security@ustack.ai
Privacy / DPA: privacy@ustack.ai
General: hello@ustack.ai