Workspace isolation
Every workspace is separated at the application and database level, with row-level controls documented for hosted and self-hosted deployments.
Security
Supromail gives teams control over their domains, phones, routes, and data. The security model is designed to isolate workspaces, reduce retained sensitive data, and make every integration verifiable.
Every workspace is separated at the application and database level, with row-level controls documented for hosted and self-hosted deployments.
DKIM private keys and webhook signing secrets are sealed at rest with AES-256-GCM using a deployment master key.
Webhook payloads include HMAC signatures and timestamps so your systems can reject spoofed or replayed delivery events.
Supromail scopes domains, phones, messages, members, API keys, webhooks, suppressions, logs, and settings to a workspace. The documented backend model uses Postgres Row-Level Security and a non-superuser runtime role so one workspace cannot read another workspace's rows.
API keys are shown once and stored as hashes. Device tokens are private to paired phones. DKIM private keys and webhook secrets are encrypted at rest and should be backed up with the deployment master key in self-hosted environments.
SMS delivery requires the dialable phone number while a message is in flight. After the message reaches a final status, Supromail is designed to erase the full number and retain only a masked display value plus a non-reversible hash for abuse controls and history.
Supromail signs webhook deliveries with a timestamped HMAC signature. Receivers should compute the signature over the raw request body, reject stale timestamps, and accept either active signature during the documented rotation overlap.
Outbound webhook delivery validates the actual destination IP after DNS resolution and disables redirects to reduce SSRF risk against internal networks and cloud metadata services.
Supromail uses passwordless login and workspace roles. Owners and admins can invite members, enable channels, manage domains and devices, create or revoke API keys, configure webhooks, and review activity. Removing a member or deleting an account revokes access within the product's short token lifetime.
Rate limits, quotas, duplicate collapse, recipient caps, premium or satellite prefix blocking, suppression handling, bounce handling, and complaint handling help contain abuse from mistakes, leaked keys, or misconfigured automations.
Self-hosted operators control the deployment environment, database, Keycloak login service, Redis if used, reverse proxy, backups, TLS, domain settings, SMTP relay, and master encryption keys. Operators should keep secrets outside source control, use the non-superuser database role, back up the encryption key separately, and sync backups off-host.
Send security reports to security@supromail.com. Please include affected URLs, reproduction steps, impact, screenshots or proof of concept where safe, and whether any customer data or credentials may be involved.