Security Policy

Last updated: March 30, 2026

1. Our Commitment

NoTemp.email takes the security of our Service and the protection of our users’ data seriously. We implement industry-standard security measures and continuously work to improve our security posture.

2. Infrastructure Security

  • Encryption in transit: All data is transmitted over TLS 1.2 or higher. API requests require HTTPS.
  • Encryption at rest: Data stored in AWS DynamoDB and S3 is encrypted using AES-256.
  • Authentication: User passwords are hashed using industry-standard algorithms via AWS Cognito. We never store plaintext passwords.
  • Access control: Internal access to production systems follows the principle of least privilege. Administrative access requires multi-factor authentication.
  • API key security: API keys are managed through AWS API Gateway with per-key rate limiting and quota enforcement.

3. Application Security

  • Input validation and sanitization on all API endpoints
  • CSRF protection on all authenticated routes
  • Content Security Policy (CSP) headers
  • Dependency vulnerability monitoring and regular updates
  • No storage of submitted email addresses beyond the duration of the API request

4. Incident Response

In the event of a security incident, we follow a structured incident response process:

  • Detection: Automated monitoring and alerting for anomalous activity
  • Containment: Immediate isolation of affected systems
  • Investigation: Root cause analysis and impact assessment
  • Notification: Affected users and relevant authorities are notified within 72 hours of a confirmed breach, in accordance with GDPR Article 33
  • Remediation: Implementation of corrective measures and post-incident review

5. Responsible Disclosure

We welcome and appreciate security researchers who help us keep NoTemp.email safe. If you have discovered a potential security vulnerability, we encourage you to report it responsibly.

How to Report

Send your report to support@notemp.email with the subject line “Security Vulnerability Report”. Please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Any proof-of-concept code or screenshots
  • Your contact information for follow-up

What to Expect

  • We will acknowledge receipt of your report within 2 business days
  • We will provide an initial assessment within 5 business days
  • We will keep you informed of our progress toward resolving the issue
  • We will credit you (if desired) when we publish information about the resolved vulnerability

Guidelines

We ask that you:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service attacks or disrupt service availability
  • Do not publicly disclose the vulnerability until we have had reasonable time to address it (minimum 90 days)
  • Do not use automated scanners or tools that generate excessive traffic
  • Act in good faith to avoid privacy violations, data destruction, and service degradation

Safe Harbor

We consider security research conducted in accordance with these guidelines to be authorized. We will not pursue legal action against researchers who discover and report vulnerabilities responsibly, provided they:

  • Comply with the guidelines above
  • Make a good-faith effort to avoid disruption to the Service and other users
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

6. Third-Party Security

We rely on the following security-certified third-party providers:

  • AWS: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1
  • Lemon Squeezy: PCI DSS compliant (via Stripe as sub-processor), SOC 2

7. Contact

For security concerns, vulnerability reports, or questions about our security practices, contact us at support@notemp.email.