Security at Warmy

Your inbox credentials are among the most sensitive data you can hand to a third-party service. We take that seriously at every layer of the stack.

Core protections

01. AES-256-GCM encryption at rest

Every OAuth token, SMTP password, and IMAP credential stored in Warmy is encrypted using AES-256-GCM with per-record keys before being written to the database. Even if a database backup were exposed, credentials would be unreadable without the corresponding encryption key material, which is stored separately.
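As an added illustration of the per-record key scheme described above (example code written for this page, not Warmy's own implementation), the following Go program uses only the standard library to encrypt each credential under its own fresh data key (DEK) and wrap that DEK under a key-encryption key (KEK) that is assumed to be held outside the database. Binding the record ID as associated data is an assumption added here so that a blob copied between rows fails to open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// mustGCM builds an AES-256-GCM AEAD; a wrong key length is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a 16-byte AES block
	return g
}

// seal returns nonce||ciphertext||tag, with aad bound into the tag.
func seal(key, plaintext, aad []byte) []byte {
	g := mustGCM(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error (Go 1.24+)
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open verifies tag and aad before releasing any plaintext; a truncated blob is rejected, not sliced.
func open(key, blob, aad []byte) ([]byte, error) {
	g := mustGCM(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// EncryptCredential: fresh 256-bit DEK per record; credential under the DEK, DEK under the KEK; record ID bound as aad (assumption).
func EncryptCredential(kek []byte, id string, secret []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek, []byte(id)), seal(dek, secret, []byte(id))
}

// DecryptCredential needs the KEK; a database row on its own opens nothing.
func DecryptCredential(kek []byte, id string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(id))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(id))
}
```

A backup holding only wrappedDEK and ciphertext yields nothing but authentication failures without the KEK. Rotating the KEK means re-wrapping the small DEK blobs rather than re-encrypting every stored credential.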

02. TLS in transit

All communication between your browser and Warmy servers, and between our servers and email providers, is encrypted using TLS 1.2 or higher. We enforce HTTPS-only and use HSTS to prevent downgrade attacks. Connections over plain HTTP are automatically redirected.

03. Row Level Security — data isolation

Our database runs on Supabase with PostgreSQL Row Level Security (RLS) enforced at the database layer. Every query is automatically scoped to the authenticated user — it is structurally impossible for one user's data to leak into another's API response, regardless of application-level logic.

04. No password storage — OAuth only

For Gmail and Outlook, we use OAuth 2.0 exclusively. We never ask for, store, or transmit your email account password. Connecting an inbox grants Warmy a scoped access token with only the permissions required for warmup — and you can revoke that access from your Google or Microsoft account at any time.

Engineering practices

  • Dependency vulnerability scanning on every pull request
  • Automated security tests in CI/CD pipeline
  • Access to production systems restricted to two engineers via hardware MFA
  • Database backups encrypted and stored in a separate cloud region
  • Security review on all third-party integrations before shipping
  • Incident response plan with defined escalation paths

SOC 2 Type II — in progress

We are currently undergoing a SOC 2 Type II audit. We expect to receive our report in Q3 2026. In the meantime, we are happy to share our security questionnaire responses with enterprise customers upon request.

Responsible disclosure

If you discover a security vulnerability in Warmy, please report it to us privately before disclosing it publicly. We will acknowledge your report within 24 hours, keep you informed of our progress, and credit you if you wish.

security@warmy.io