Trust
NoticeAPI Security and Data Practices
NoticeAPI protects production email operations with server-side API keys, signed webhook payloads, verified sender domains, admin allowlisting, abuse monitoring, logs, and plan-based retention.
Security posture
Practical controls, stated plainly.
This page describes current product practices. It does not claim SOC 2, a formal certification, or a perfect security guarantee.
Practices
Controls developers should know before production.
API keys authenticate sends
Keys start with ntc_ and can be rotated from the portal. Keep them in server-side environment variables.
Webhooks are signed
Delivery callbacks include x-noticeapi-signature so your receiver can verify the raw request body with HMAC-SHA256.
Admin access is allowlisted
The operator console and admin APIs are gated by ADMIN_EMAILS and record account events for review.
Retention is operationalized
Email logs, message bodies, and delivery events follow plan retention windows enforced by the retention cron.
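A receiver-side check for the signed webhooks described above, as an added example that is not NoticeAPI's own code. It assumes the x-noticeapi-signature value is the hex HMAC-SHA256 digest of the raw body; the secret, payload fields and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-noticeapi-signature"  # header name taken from the page


def verify_webhook(raw_body: bytes, headers: dict, secret: bytes) -> bool:
    """Return True only if the header carries a valid HMAC-SHA256 of raw_body.

    Assumption: the header value is a hex digest. Confirm the encoding
    against the NoticeAPI documentation before relying on this.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if not received:
        return False  # unsigned request: reject instead of falling through
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest is constant-time; bytes on both sides so a non-ASCII
    # header value yields False instead of raising TypeError.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


# Constructed sample data, not real NoticeAPI output.
SECRET = b"constructed-webhook-secret"
RAW_BODY = b'{"event": "delivered",  "id": "msg_123"}'  # bytes exactly as received
GOOD_SIG = hmac.new(SECRET, RAW_BODY, hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run the verifier over the valid case and the common failure modes."""
    signed = {SIGNATURE_HEADER: GOOD_SIG}
    # Parsing and re-encoding JSON changes whitespace, so the bytes differ.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode()
    tampered = RAW_BODY.replace(b"delivered", b"bounced")
    return {
        "valid": verify_webhook(RAW_BODY, {"X-NoticeAPI-Signature": GOOD_SIG}, SECRET),
        "reserialised_body": verify_webhook(reserialised, signed, SECRET),
        "tampered_body": verify_webhook(tampered, signed, SECRET),
        "missing_header": verify_webhook(RAW_BODY, {}, SECRET),
        "wrong_secret": verify_webhook(RAW_BODY, signed, b"other-secret"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

Run the check on the request bytes as your framework received them, before any JSON parsing; the re-serialised case is rejected because only the whitespace changed.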