Trust
NoticeAPI Security and Data Practices
NoticeAPI protects production email operations with secure API key management, signed webhook payloads, verified sender domains, restricted administrative access, automated logs, and plan-based data retention.
Security posture
Developer-first security. Shipped, practical controls.
NoticeAPI focuses on practical controls a small team can verify: scoped keys, domain verification, signed webhooks, retention jobs, abuse monitoring, and restricted operator access.
Security controls
Built-in safeguards for production workloads.
Secure API Authentication
API requests use NoticeAPI keys prefixed with ntc_. Generate with scopes, store once, and rotate from the developer dashboard.
Cryptographically Signed Webhooks
Delivery callbacks are signed with HMAC-SHA256. NoticeAPI appends x-noticeapi-signature so your server can verify origin and integrity.
Restricted Administrative Access
Administrative access is restricted to allowlisted operator accounts, with sensitive operator actions logged for review.
Automated Data Retention
Logs, message content, and delivery history are purged according to configured retention jobs and plan boundaries.
Infrastructure
Infrastructure with clear responsibility boundaries.
Microsoft Azure Communication Services
NoticeAPI uses Azure Communication Services for the core mail delivery pipeline. Delivery events feed back into NoticeAPI logs, suppressions, webhooks, and abuse controls.
Secure Database Architecture via Neon
NoticeAPI stores product data in PostgreSQL through Neon. Database access is limited to application and operator workflows needed to run, support, and protect the service.
Application and Edge Routing
Production traffic is routed through the configured NoticeAPI web and edge deployment before it reaches the application. Operational checks, rate limits, and account controls then run inside NoticeAPI.
Transmission
Encryption in transit, verification at every hop.
Transport Encryption
HTTPS protects API and dashboard traffic. The SMTP relay is served at smtp.noticeapi.com:465 using implicit TLS for applications that send through SMTP.
Domain Verification & Sender Integrity
Production sending requires an authorized sending domain. NoticeAPI checks DNS records for sender ownership, SPF, and DKIM, and recommends DMARC alignment for mailbox-provider expectations.
Compliance Scope
NoticeAPI does not currently market a SOC 2, HIPAA, or dedicated enterprise compliance certification. Azure, Neon, Stripe, and other vendors publish their own security and compliance materials, but those are not NoticeAPI certifications. We publish practical controls so customers can decide whether the service fits their risk and compliance needs.
Read next