Trust

NoticeAPI Security and Data Practices

NoticeAPI protects production email operations with server-side API keys, signed webhook payloads, verified sender domains, admin allowlisting, abuse monitoring, logs, and plan-based retention.

Security posture

Practical controls, stated plainly.

This page describes current product practices. It does not claim SOC 2, a formal certification, or a perfect security guarantee.

Practices

Controls developers should know before production.

API keys authenticate sends

Keys start with ntc_ and can be rotated from the portal. Keep them in server-side environment variables.

Webhooks are signed

Delivery callbacks include x-noticeapi-signature so your receiver can verify the raw request body with HMAC-SHA256.
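
A receiver-side check for the signature described above, as an added example that is not NoticeAPI's own code. The page names only the header and HMAC-SHA256 over the raw body; the lowercase-hex encoding of the signature, the secret value, and the payload fields are assumptions made for illustration.

```python
import hashlib
import hmac
import json

HEADER = "x-noticeapi-signature"  # header name as given on this page


def sign(secret: bytes, raw_body: bytes) -> str:
    # Assumption: the signature is the lowercase hex HMAC-SHA256 of the raw body.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the header matches the HMAC of the exact bytes received."""
    # HTTP header names are case-insensitive, so match on the lowered name.
    received = next((v for k, v in headers.items() if k.lower() == HEADER), None)
    if not received:
        return False  # unsigned callbacks are rejected, not passed through
    expected = sign(secret, raw_body)
    # compare_digest runs in constant time, so the comparison leaks no prefix match.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


# Constructed sample data (not real NoticeAPI values or payload fields).
SECRET = b"constructed-test-secret"
RAW = b'{"event": "delivered",  "id": "msg_123"}'  # double space is deliberate
HEADERS = {"X-NoticeAPI-Signature": sign(SECRET, RAW)}


def demo() -> dict:
    # Parsing and re-serializing changes whitespace, so the bytes no longer match.
    reserialized = json.dumps(json.loads(RAW)).encode()
    return {
        "valid": verify(SECRET, HEADERS, RAW),
        "reserialized": verify(SECRET, HEADERS, reserialized),
        "tampered": verify(SECRET, HEADERS, RAW.replace(b"delivered", b"bounced")),
        "missing_header": verify(SECRET, {}, RAW),
    }


if __name__ == "__main__":
    print(demo())
```

Read the request body as bytes before any JSON middleware touches it; the "reserialized" case shows why a parsed-then-dumped body fails verification.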

Admin access is allowlisted

The operator console and admin APIs are gated by ADMIN_EMAILS and record account events for review.

Retention is operationalized

Email logs, message bodies, and delivery events follow plan retention windows enforced by the retention cron.
