Security at Verkh
We built Verkh to help you protect your email domains. That means protecting your data is not optional. It is foundational.
This page describes how we secure the platform, how we handle your data, and what you can expect from us.
Infrastructure
Verkh runs entirely on Cloudflare's edge network. There are no traditional servers, virtual machines, or containers to patch and maintain.
- Edge computing on Cloudflare Workers
- Database on Cloudflare D1
- Object storage on Cloudflare R2
- Email processing via Cloudflare Email Routing
This architecture eliminates entire categories of vulnerabilities. No SSH access to compromise. No operating systems to fall behind on patches. No server configuration to misconfigure.
Encryption
All data is encrypted in transit and at rest.
- In transit: TLS 1.3 for all connections
- At rest: AES-256 encryption via Cloudflare's infrastructure
- Sensitive credentials: DNS provider API keys and similar secrets are encrypted at the application layer before storage
- Session tokens: Signed with HMAC-SHA256 and hashed before storage
Authentication
Verkh uses OAuth 2.0 for authentication. We support Google and GitHub as identity providers.
We do not store passwords. Your credentials never touch our systems.
Session tokens are short-lived and can be revoked at any time from your account settings.
Data Handling
What we process:
DMARC aggregate reports (RUA) contain IP addresses, domain names, and authentication results. They do not contain email content, subject lines, or message bodies.
What we do not process:
We do not request or process forensic reports (RUF), which can contain email headers and partial message content.
Data isolation:
Each organization's data is logically isolated. Users can only access data belonging to their organization.
Access controls:
Role-based permissions (Owner, Admin, Member, Readonly) restrict what actions users can take within an organization.
Data Retention
Retention periods vary by plan:
| Tier | Report Data | Aggregated Stats |
|---|---|---|
| Free | 30 days | 30 days |
| Starter | 30 days | 12 months |
| Pro | 90 days | 24 months |
| Enterprise | 12 months | Unlimited |
| Enterprise+ | 12 months | Unlimited |
Automatic cleanup:
- Expired sessions are deleted automatically
- Revoked sessions are purged after 7 days
- Expired invitations are removed after 30 days
Account deletion:
When you delete your account, all associated data is permanently removed within 30 days. This includes user data, domains, reports, and organization data.
Compliance
SOC 2 Type II:
We are pursuing SOC 2 Type II certification and building for compliance from day one. Our policies, procedures, and controls are designed to meet SOC 2 requirements for security, availability, and confidentiality.
GDPR:
We process minimal personal data. DMARC reports contain IP addresses and domain information, not personal communications. We honor data subject requests for access, export, and deletion.
CCPA:
California residents can request access to or deletion of their personal information by contacting [email protected].
Subprocessors
We use the following third-party services to operate Verkh:
| Service | Purpose |
|---|---|
| Cloudflare | Infrastructure (Workers, D1 database, R2 storage, email routing) |
| Stripe | Payment processing |
| Resend | Transactional emails (invitations, alerts, digests) |
| IPInfo | IP geolocation for source identification |
| Google | OAuth authentication |
| GitHub | OAuth authentication |
We maintain a current list of subprocessors and will notify customers of material changes.
Security Practices
- Code reviews: All code changes are reviewed before deployment.
- Dependency scanning: We monitor dependencies for known vulnerabilities and update promptly.
- Least privilege: Internal access follows the principle of least privilege. Access to production systems is restricted and logged.
- Audit logging: Security-relevant events are logged for audit purposes.
Responsible Disclosure
If you discover a security vulnerability in Verkh, please report it to:
We will acknowledge your report within 48 hours and work with you to understand and address the issue. We ask that you give us reasonable time to respond before public disclosure.
We appreciate security researchers who help us keep Verkh secure.
Questions
For security-related questions not covered here, contact us at [email protected].