Security

Security at ColdConvert.

How we handle your data, plain English. No certifications we don't have.

Hosting and infrastructure

Application

Railway (US-East). Containerized FastAPI service.

Database

Supabase Postgres (US-East). TLS in transit, encryption at rest via Supabase defaults.

Access controls

· Workspace-scoped data. Recruiters see only their agency's workspace.
· Role-scoped permissions inside a workspace (admin, recruiter).
· Memberstack authentication. Magic-link email login. Password fallback.
· No SSO yet. Targeted for design-partner #4.
· Session expiry: 30 days idle. Force re-auth for sending domain changes.

Outbound posture

· Sending domains verified (SPF, DKIM, DMARC) before launch.
· STOP/HELP responses automatic on every SMS.
· Suppression list persistent across all future sends, per workspace.
· Bounce and complaint rate auto-pause at configurable thresholds.
· Quiet hours and warmup caps enforced per workspace.
· PHI markers scanned in outbound content; flagged sends blocked before they leave our system.

What we don't claim

Plain language so you don't have to read between the lines.

— Not SOC 2 audited.
— Not HIPAA-covered. Not BAA-eligible. Don't upload patient data.
— Not certified compliant with TCPA, CAN-SPAM, state telemarketing laws, or carrier rules.
— Not a substitute for your attorney's review of your outbound program.

Reporting a vulnerability

If you find a vulnerability, email security@coldconvert.net. We respond within 48 hours. We do not run a paid bug bounty yet — but we will credit researchers who report responsibly.

Related: /trust · /privacy · /terms · /disclaimer-agreement