Security

• Signed payloads

  every delivery is signed with HMAC-SHA256 per the Standard Webhooks spec; verify authenticity before trusting any event.

• Encryption in transit

  all API and delivery traffic is served over TLS.

• Secret management

  endpoint signing secrets can be rotated anytime from the dashboard; the old secret is invalidated immediately.

• Isolation

  every workspace's events, endpoints, and deliveries are isolated.

• Backups

  production data is backed up daily to off-site storage.

• Responsible disclosure

  found a vulnerability? Email security@eventinbox.pro.