Security

Security is fundamental to Notifs. We implement industry best practices to protect your data and ensure reliable notification delivery.

Encryption in Transit

All data transmitted between your systems and Notifs is encrypted using TLS 1.3. We enforce HTTPS for all API endpoints and webhook deliveries.

API Key Security

API keys are hashed using SHA-256 before storage. We never store plaintext keys. Keys can be revoked instantly, and we support key rotation without downtime.

Webhook Signatures

Every webhook request is signed with HMAC-SHA256, allowing you to verify authenticity. Timestamps prevent replay attacks, and signatures expire after 5 minutes.

Data Privacy

We follow data minimization principles. Notification content is processed transiently and not stored longer than necessary. Request logs are retained for 30 days.

Infrastructure Security

Our infrastructure is hosted on secure, SOC 2 compliant cloud providers. We implement network isolation, firewalls, and regular security patches.

Incident Response

We have documented incident response procedures. Security incidents are investigated promptly, and affected users are notified in accordance with applicable laws.

Webhook Signature Verification

Every webhook request from Notifs includes an X-Notifs-Signature header containing a timestamp and an HMAC-SHA256 signature:

X-Notifs-Signature: t=1700000000,v1=5257a869e7ecebeda32affa62cdca3fa51cad7e77a0e56ff536d0ce8e108d8bd

To verify the signature:

  1. Extract the timestamp (t) and signature (v1) from the header
  2. Construct the signed payload: timestamp.requestBody
  3. Compute HMAC-SHA256 of the signed payload using your webhook secret
  4. Compare the computed signature with the provided signature
  5. Verify the timestamp is within 5 minutes to prevent replay attacks

Our SDK provides helper functions for signature verification.
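The five steps above, carried through in Python as an added example. This is not the Notifs SDK and not code from this page; the secret, request body and timestamps are constructed sample values, and the header name X-Notifs-Signature and the t=...,v1=... layout are taken from the example header shown above. The important details a hand-written verifier tends to get wrong are shown explicitly: the signed payload is built from the raw request bytes (not re-serialized JSON), the comparison uses a constant-time function, and the timestamp check uses the 5-minute window so a captured request cannot be replayed later.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Replay window from the Notifs docs: signatures expire after 5 minutes.
TOLERANCE_SECONDS = 300


def parse_signature_header(header: str) -> Tuple[int, str]:
    """Split 't=<unix time>,v1=<hex hmac>' into its two fields.

    Raises ValueError on anything that does not match that shape, so a
    malformed or missing header is rejected rather than silently accepted.
    """
    timestamp: Optional[int] = None
    signature: Optional[str] = None
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            timestamp = int(value)          # ValueError if not an integer
        elif key == "v1":
            signature = value
    if timestamp is None or not signature:
        raise ValueError("malformed X-Notifs-Signature header")
    return timestamp, signature


def compute_signature(secret: str, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.requestBody', hex-encoded."""
    signed_payload = f"{timestamp}.".encode("utf-8") + body
    return hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, header: str, body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the signature is valid and the timestamp is fresh.

    `body` must be the raw bytes exactly as received; decoding and re-encoding
    the JSON can reorder keys or change whitespace and break the HMAC.
    `now` is injectable so the replay check can be tested deterministically.
    """
    current_time = int(time.time()) if now is None else now
    try:
        timestamp, provided = parse_signature_header(header)
    except ValueError:
        return False
    # Step 5: reject anything outside the replay window (either direction,
    # so a skewed clock on the sender cannot be used to extend the window).
    if abs(current_time - timestamp) > TOLERANCE_SECONDS:
        return False
    # Steps 2-4: recompute and compare in constant time. compare_digest
    # avoids leaking how many leading characters matched via timing.
    expected = compute_signature(secret, timestamp, body)
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample values (hypothetical secret and payload, not real data).
    secret = "whsec_constructed_example_secret"
    body = b'{"event":"notification.delivered","id":"ntf_example_123"}'
    ts = 1700000000
    header = f"t={ts},v1={compute_signature(secret, ts, body)}"
    print("fresh, untampered:", verify_webhook(secret, header, body, now=ts + 60))
    print("replayed after 10 min:", verify_webhook(secret, header, body, now=ts + 600))
    print("body tampered:", verify_webhook(secret, header, body + b" ", now=ts + 60))
```

In a real handler, pass the request's raw body bytes and the header value straight into verify_webhook and return an HTTP 4xx before doing any work when it returns False; do not parse the JSON first.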

API Key Best Practices

  • Never expose API keys in client-side code or public repositories
  • Use environment variables to store keys securely
  • Rotate keys periodically and after any suspected compromise
  • Use separate keys for development and production environments
  • Revoke unused keys immediately
  • Monitor API key usage for unusual patterns

Compliance

We are committed to maintaining compliance with applicable regulations and industry standards:

  • GDPR: We provide data processing agreements and support data subject rights
  • CCPA: California residents can exercise their privacy rights
  • Data Residency: Contact us for specific data residency requirements

Reporting Security Issues

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

  • Email: security@notifs.io
  • Please include detailed steps to reproduce the vulnerability
  • Allow reasonable time for us to address the issue before public disclosure

We appreciate security researchers who help keep Notifs safe and will acknowledge responsible disclosures.

Questions?

For security-related questions or concerns, contact our security team at security@notifs.io.