Security

filtrat.io processes email addresses on behalf of B2B teams. We treat every address as personal data and protect it accordingly. This page describes what we do — honestly and specifically.

Encryption in transit

All connections to filtrat.io use TLS (HTTPS). API requests, dashboard sessions, and webhook callbacks are encrypted in transit. We enforce HSTS, so a browser that has seen our site once will refuse to downgrade to plaintext, and we do not serve plaintext HTTP at all.

Encryption at rest

Sensitive data stored in our databases — including account credentials, API key hashes, and verification results — is encrypted at rest using AES-256 or equivalent.

Credential handling

Passwords are hashed with bcrypt, a salted and deliberately slow password hash, so a leaked database does not yield usable passwords. API keys are stored only as cryptographic hashes: the raw key is shown once at creation and is never stored or logged, and a presented key is checked by hashing it and comparing the result against the stored digest. OAuth tokens are managed by our authentication provider (SuperTokens) and are never accessible to our application code.
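The API-key half of this, written out as an added example. It is not filtrat.io's code and the page does not specify any of the details assumed here: the `fk_` prefix, the key layout (an 8-character non-secret lookup id, a dot, then a 43-character random secret), SHA-256 as the stored digest, and an in-memory dict standing in for the database table. The class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed key layout (not taken from the page): "fk_" + 8-hex-char lookup id + "." + secret.
KEY_PREFIX = "fk_"


@dataclass
class StoredKey:
    key_id: str      # non-secret lookup id, safe to log and to index on
    key_hash: str    # hex SHA-256 of the secret part; the secret itself is never stored
    account: str


class ApiKeyStore:
    """In-memory stand-in for the key table; a deployment would back this with a database."""

    def __init__(self) -> None:
        self._by_id: Dict[str, StoredKey] = {}

    @staticmethod
    def parse(raw: str) -> Optional[Tuple[str, str]]:
        """Split a presented key into (key_id, secret), or None if it is malformed."""
        if not raw.startswith(KEY_PREFIX):
            return None
        key_id, sep, secret = raw[len(KEY_PREFIX):].partition(".")
        if not sep or len(key_id) != 8 or not secret:
            return None
        return key_id, secret

    @staticmethod
    def _hash_secret(secret: str) -> str:
        # A plain SHA-256 is enough here: the secret carries 256 bits of entropy, so
        # offline guessing is infeasible without the slow, salted hash that passwords need.
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    @staticmethod
    def redact(raw: str) -> str:
        """The only form of a key that should ever reach a log line."""
        parsed = ApiKeyStore.parse(raw)
        return f"{KEY_PREFIX}{parsed[0]}" if parsed else "<invalid key>"

    def issue(self, account: str) -> str:
        """Create a key for `account` and return the one and only copy of its raw value."""
        key_id = secrets.token_hex(4)            # 8 hex characters
        secret = secrets.token_urlsafe(32)       # 32 random bytes, base64url, never contains '.'
        self._by_id[key_id] = StoredKey(key_id, self._hash_secret(secret), account)
        return f"{KEY_PREFIX}{key_id}.{secret}"

    def verify(self, raw: str) -> Optional[str]:
        """Return the owning account if the presented key is valid, else None."""
        parsed = self.parse(raw)
        if parsed is None:
            return None
        key_id, secret = parsed
        rec = self._by_id.get(key_id)
        if rec is None:
            return None
        # Constant-time comparison so timing does not leak how many digest bytes matched.
        if not hmac.compare_digest(rec.key_hash, self._hash_secret(secret)):
            return None
        return rec.account

    def revoke(self, key_id: str) -> bool:
        """Delete the record outright; nothing is kept for a revoked key."""
        return self._by_id.pop(key_id, None) is not None

    def stored_values(self) -> List[Tuple[str, str, str]]:
        """Everything persisted, so a test can check that no raw secret is among it."""
        return [(r.key_id, r.key_hash, r.account) for r in self._by_id.values()]


if __name__ == "__main__":
    store = ApiKeyStore()
    raw = store.issue("acct-42")          # shown to the user exactly once
    print("log-safe form:", ApiKeyStore.redact(raw))
    print("verify:", store.verify(raw))
    print("stored:", store.stored_values())
```

The non-secret id in front of the dot is what makes hashed storage cheap: lookup is an indexed equality match on `key_id`, and only one digest is computed and compared per request. Keeping the id and the secret separate is also what lets `redact()` produce a string that identifies the key in logs without ever containing the part that authenticates.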

Access controls

Access to production systems and databases is restricted to authorised personnel on a strict need-to-know basis. We do not grant blanket access to engineering staff. Administrative actions are logged.

Data retention and deletion

Email addresses submitted for verification are cached per account for a maximum of 180 days, then automatically and permanently deleted. Users can clear their cached results at any time from account settings. API keys are deleted immediately upon revocation. Server logs are retained for 90 days. Full retention schedule is documented in our Privacy Policy.

Breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we notify the Polish supervisory authority (UODO) within 72 hours of becoming aware of it, and where the breach is likely to result in a high risk to affected users we notify those users without undue delay, as required by GDPR Articles 33 and 34 respectively. Notifications are sent to the email address on your account.

Payment security

All payment processing is handled by Stripe, Inc. We never store, process, or have access to full card numbers. Stripe is PCI DSS Level 1 certified — the highest level of payment security certification.

Sub-processors

We share data only with the services required to operate filtrat.io. Each is bound by contractual data protection obligations. The full list with transfer mechanisms is maintained in our Privacy Policy and Data Processing Agreement.

What we don’t do

  • We do not sell personal data
  • We do not share verified email addresses with other customers or third parties
  • We do not use submitted addresses for any purpose other than returning verification results
  • We do not use marketing pixels, retargeting cookies, or cross-site tracking
  • We do not retain verification data beyond 180 days

Certifications

We do not currently hold SOC 2 or ISO 27001 certification. We are a small team and will pursue formal certification as we scale. In the meantime, we are transparent about what we do and how we do it. If your security review process requires specific documentation, contact us and we will provide what we can.

Report a security issue

If you discover a vulnerability or suspect a security incident, contact us at [email protected]. We appreciate responsible disclosure and will respond within one business day.