The short version: all data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Raw lists are purged 30 days after a run completes. Access to production data is least-privilege, audited, and limited to a short list of engineers.
Encryption
All connections to CleanMyList use TLS 1.2 or higher with modern cipher suites. HSTS is enforced. Stored data — lists, verification results, account information — is encrypted at rest using AES-256, managed by our hosting provider's KMS.
Data retention
Raw list content (the actual email addresses you uploaded) is encrypted at rest and purged 30 days after the verification run completes. Verification metadata (counts, timestamps, scores aggregated by domain) is retained for product analytics and capped per our privacy policy.
Access controls
Production access is limited to a named list of engineers, gated by hardware security keys (WebAuthn) and reviewed quarterly. All production database queries are logged. We do not browse customer data; access is read-only and only for incident response or support requests you initiate.
API keys and tokens
API keys are stored hashed at rest using HKDF-SHA256 and shown to you only once at creation. Webhook secrets are stored encrypted with envelope encryption. You can rotate or revoke any key from your Settings page; revocation takes effect within one minute.
Audit logging
Sensitive actions (sign-in, key rotation, member changes, billing changes) are recorded to a separate audit log retained for one year. Workspace owners can review their own logs from the Settings page.
Network and infrastructure
We run on AWS in EU-West-1 with private subnets, security groups locked to the minimum required, and managed databases with automated backups (encrypted, 7-day point-in-time recovery, 30-day snapshots).
Responsible disclosure
If you believe you've found a security issue, please email security@cleanmylist.io. We commit to acknowledging within 24 hours, providing a status update within 5 business days, and not pursuing legal action against good-faith security research conducted under this policy.
Compliance roadmap
We are working toward SOC 2 Type II during 2026. We will publish updates here and to customers under NDA on request.