skink.devverified

Security

Last updated: 2026-07-13

This page describes the technical and organizational security measures skink applies to protect customer data and the Service.

Application Security

  • Credentials such as API keys are hashed and never stored or shown in plain text after creation. Keys can be revoked at any time and are rate-limited.
  • Every request is authenticated before it reaches any internal system.
  • All input is validated before it's processed.
  • Billing and credit changes are handled safely to prevent double-charges or incorrect balances.
  • Payment events are verified before any billing action is taken on them.

Data Security

  • Submitted email addresses are hashed by default, not stored as plain text. Customers can optionally keep an encrypted copy of what they submit, and control how long records are kept, up to 90 days.
  • Data is encrypted both in transit and at rest.
  • Access to stored data is restricted on a least-privilege basis, and credentials are never committed to source control.
  • Records are automatically deleted on schedule, per our Data Retention policy.

Infrastructure Security

  • Only the access required to run the Service is open; everything else is restricted.
  • Dependency and security updates are reviewed before deployment.
  • Systems are isolated so an issue in one part of the Service can't affect the availability of another.

Secrets Management

API keys, database credentials, and third-party provider tokens follow a documented rotation policy with a named owner.

Vulnerability Disclosure

We welcome reports of potential security issues at `security@skink.dev`. We acknowledge reports promptly and aim to remediate confirmed issues on a timeline proportionate to severity.

Provider Account-Existence Techniques

skink's catch-all resolution uses provider-specific signals solely to determine mailbox deliverability for addresses our customers ask us to verify. This is rate-limited, used only in service of a deliverability verdict, and is not offered or marketed as a standalone enumeration or discovery service.

Certifications

skink does not currently hold SOC 2, ISO 27001, or a HIPAA compliance attestation. We will not display certification badges or make compliance claims that aren't backed by a completed, independent audit. The practices described on this page — hashing, encryption, least-privilege access, key rotation, and automatic retention purging — reflect our current security posture and form the basis for pursuing a formal certification when customer requirements warrant it.

Contact

Security questions or reports: `security@skink.dev`.