Security at Toasty
Toasty connects to your mailbox and works with your customer conversations. That is a serious act of trust, and this page explains, plainly, how we protect it.
SOC 2 Type II: in progress — audit-ready controls operating
How we protect your data
Encryption everywhere
All traffic is TLS 1.2+ — there are no plaintext endpoints. Data is encrypted at rest with AES-256, and mail credentials get a second, application-layer AES-256-GCM encryption before they ever reach the database.
Tenant isolation
Every read and write is scoped to your organization. Your contacts, email content, and campaigns are never visible to another tenant, and cross-tenant access is treated as our highest-severity incident class.
Audited infrastructure
We build exclusively on SOC 2 Type II / ISO 27001-audited platforms and inherit their physical, network, and platform controls — then layer our own application controls on top.
Credential security
Mailbox credentials are encrypted with AES-256-GCM (unique IV per secret, integrity-checked), decrypted only in server memory at the moment of use, and never appear in logs, responses, or client code. MFA is mandatory on every account with production access.
Data handling
Your email content is classified Confidential: processed only for the features you use, shared with vendors only as strictly required, never sold, and never used to train AI models. Deletion requests cascade through every tenant record.
Accountable operations
Security-relevant actions are written to an append-only audit log. Every code change ships through typecheck and build gates with instant rollback, and automated endpoints are bearer-token gated and fail closed.
Compliance status
Our SOC 2 Type II program is in progress: the control set — access control, encryption and key management, change management, incident response, vendor management, and business continuity — is documented and operating today, and evidence is accumulating toward a formal audit window. Our infrastructure providers each hold current SOC 2 Type II and/or ISO 27001 attestations, and we inherit those platform controls. We are a deliberately small team, and we say so: where a large company would use headcount, we use automation, immutable audit trails, and unbypassable deploy gates — and we document the difference honestly.
Customers can request our current security documentation, including the full control matrix, at any time via the contact below.
Subprocessors
Below is every vendor that may process customer data, what it does for you, and its independent compliance posture. This list is updated before any new subprocessor begins processing customer data.
- Vercel (SOC 2 Type II · ISO 27001): Application hosting, serverless compute, CDN
- Supabase (SOC 2 Type II; on AWS: SOC 2 · ISO 27001): Managed Postgres database and encrypted backups
- Anthropic (SOC 2 Type II · ISO 27001 · no training on our data): AI drafting and classification (Claude API)
- Google (SOC 2 Type II · ISO 27001/27017/27018): Gmail mailbox connectivity (IMAP/SMTP)
- Stripe, planned (PCI DSS Level 1 · SOC 2 Type II): Subscription billing — card data never touches our systems
- Smartlead (SOC 2 attested · GDPR DPA): Outbound sending infrastructure and mailbox warmup
- MillionVerifier (GDPR-compliant processor · DPA): Email address verification (addresses only, no content)
Responsible disclosure
Found a vulnerability in Toasty? We want to hear about it, and we will not pursue good-faith researchers. Email security@sendtoasty.com with reproduction steps. Reports are acknowledged within 24 hours, and affected customers are notified within 72 hours of any confirmed incident involving their data.