Trust

NoticeAPI Security and Data Practices

NoticeAPI protects production email operations with secure API key management, signed webhook payloads, verified sender domains, restricted administrative access, automated logs, and plan-based data retention.

Security posture

Developer-first security. Shipped, practical controls.

NoticeAPI focuses on practical controls a small team can verify: scoped keys, domain verification, signed webhooks, retention jobs, abuse monitoring, and restricted operator access.

Security controls

Built-in safeguards for production workloads.

Secure API Authentication

API requests use NoticeAPI keys prefixed with ntc_. Generate with scopes, store once, and rotate from the developer dashboard.

Cryptographically Signed Webhooks

Delivery callbacks are signed with HMAC-SHA256. NoticeAPI appends x-noticeapi-signature so your server can verify origin and integrity.

Restricted Administrative Access

Administrative access is restricted to allowlisted operator accounts, with sensitive operator actions logged for review.

Automated Data Retention

Logs, message content, and delivery history are purged according to configured retention jobs and plan boundaries.

Infrastructure

Infrastructure with clear responsibility boundaries.

Microsoft Azure Communication Services

NoticeAPI uses Azure Communication Services for the core mail delivery pipeline. Delivery events feed back into NoticeAPI logs, suppressions, webhooks, and abuse controls.

Secure Database Architecture via Neon

NoticeAPI stores product data in PostgreSQL through Neon. Database access is limited to application and operator workflows needed to run, support, and protect the service.

Application and Edge Routing

Production traffic is routed through the configured NoticeAPI web and edge deployment before it reaches the application. Operational checks, rate limits, and account controls then run inside NoticeAPI.

Transmission

Encryption in transit, verification at every hop.

Transport Encryption

HTTPS protects API and dashboard traffic. The SMTP relay is served at smtp.noticeapi.com:465 using implicit TLS for applications that send through SMTP.

Domain Verification & Sender Integrity

Production sending requires an authorized sending domain. NoticeAPI checks DNS records for sender ownership, SPF, and DKIM, and recommends DMARC alignment for mailbox-provider expectations.

Compliance Scope

NoticeAPI does not currently market a SOC 2, HIPAA, or dedicated enterprise compliance certification. Azure, Neon, Stripe, and other vendors publish their own security and compliance materials, but those are not NoticeAPI certifications. We publish practical controls so customers can decide whether the service fits their risk and compliance needs.

Read next

Policies and implementation details.