# Security

Learn about Lettr’s security practices and how to secure your integration.

## Infrastructure Security

### Data Centers
- Location: AWS data centers in EU and US
- Certifications: SOC 2 Type II, ISO 27001
- Redundancy: Multi-AZ deployments
### Network Security
- All traffic encrypted with TLS 1.3
- DDoS protection via Cloudflare
- Web Application Firewall (WAF)
- Regular penetration testing
## Data Protection

### Encryption
| Data | At Rest | In Transit |
|---|---|---|
| Email content | AES-256 | TLS 1.3 |
| API keys | AES-256 | TLS 1.3 |
| Webhooks | - | TLS 1.3 |
| Attachments | AES-256 | TLS 1.3 |
### Data Retention
| Data Type | Retention |
|---|---|
| Email metadata | 90 days |
| Email content | 7 days |
| Logs | 30 days |
| Analytics | 1 year |
Enterprise plans can customize retention periods.
## API Security

### Authentication

Always use API keys in headers, not URLs:

### IP Allowlisting

Restrict API access by IP:

### Rate Limiting
| Plan | Rate Limit |
|---|---|
| Free | 10 req/sec |
| Pro | 100 req/sec |
| Enterprise | Custom |
## Webhook Security

### Signature Verification

Always verify webhook signatures:
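The verification step described above, as an added example that is not Lettr’s own code: it assumes a common HMAC-SHA256 scheme over a timestamp and the raw request body, with hypothetical header names, since the page does not document Lettr’s actual signing format. The two checks a practitioner wants are a constant-time comparison and a freshness window against replay.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumed scheme (Lettr's real one is not documented on this page): the signature
# header carries hex(HMAC-SHA256(secret, "<timestamp>.<raw_body>")) and a second
# header carries a unix timestamp. Both header names are hypothetical placeholders.
SIGNATURE_HEADER = "X-Lettr-Signature"
TIMESTAMP_HEADER = "X-Lettr-Timestamp"
MAX_SKEW_SECONDS = 300


def compute_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    """HMAC over the timestamp and the exact bytes received, never re-serialized JSON."""
    message = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: Dict[str, str], raw_body: bytes,
                   now: Optional[float] = None) -> bool:
    """Return True only if the signature matches and the timestamp is fresh."""
    signature = headers.get(SIGNATURE_HEADER)
    timestamp = headers.get(TIMESTAMP_HEADER)
    if not signature or not timestamp:
        return False  # unsigned deliveries are rejected, not processed
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    # Reject stale deliveries so a captured request cannot be replayed later.
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, raw_body)
    # Constant-time comparison: a plain == leaks the expected value via timing.
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample delivery; the secret is a placeholder, not a real key.
    secret = "whsec_example_placeholder"
    body = json.dumps({"event": "email.delivered", "id": "msg_123"}).encode()
    ts = str(int(time.time()))
    headers = {SIGNATURE_HEADER: compute_signature(secret, ts, body), TIMESTAMP_HEADER: ts}
    print(verify_webhook(secret, headers, body))         # True
    print(verify_webhook(secret, headers, body + b" "))  # False: body altered
```

Read the body as raw bytes before any JSON parsing, because re-serializing changes whitespace and key order and the HMAC will no longer match.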
### Webhook IP Addresses

Allowlist Lettr’s webhook IPs:

## Compliance

### GDPR
- Data processing agreements available
- EU data residency option
- Right to erasure support
- Data portability
### CAN-SPAM
- Automatic unsubscribe handling
- Physical address support
- Opt-out processing
### SOC 2

Lettr is SOC 2 Type II certified. Request our report:

- Request SOC 2 Report: contact us for compliance documentation
## Best Practices

- **Rotate API Keys Regularly**: Create new keys and retire old ones every 90 days.
- **Use Environment Variables**: Never hardcode API keys in source code.
- **Principle of Least Privilege**: Only grant permissions that are needed.
- **Monitor API Usage**: Set up alerts for unusual activity.
- **Enable 2FA**: Require two-factor authentication for all team members.