Security & Compliance
Last reviewed June 2026

Built for teams that take outbound seriously.

CarcMail enforces sender safeguards, encrypts every credential at rest, isolates all data by account, and aligns every send path with CAN-SPAM, GDPR, and Google/Yahoo's 2024 sender requirements — by default, not by configuration.

AES-256 encryption at rest
OAuth 2.0 — no password storage
CAN-SPAM compliant unsubscribe
SPF · DKIM · DMARC enforced
User-scoped data isolation
HMAC-verified Paddle webhooks

Email compliance

Every email sent through CarcMail is constructed to satisfy CAN-SPAM (US), CASL (Canada), and the GDPR requirements for legitimate-interest B2B outreach — automatically.

CAN-SPAM (US)
  • Sender identity in From field
  • Honest subject lines — no deception
  • Physical address in footer
  • One-click unsubscribe link
  • Opt-outs honored ≤ 10 business days
GDPR / B2B Outreach
  • Legitimate interest basis for B2B
  • Data minimisation — leads only
  • Right to erasure via unsubscribe
  • Suppression list persisted globally
  • Contact: privacy request via email
Google / Yahoo 2024 Rules
  • SPF + DKIM + DMARC mandatory
  • List-Unsubscribe header on every email
  • Spam complaint rate kept below 0.1%
  • Domain alignment on all sends
  • Auto-pause at complaint threshold

List-Unsubscribe is enforced on every send path

Both _send_via_smtp() and _send_via_oauth() receive extra_headers containing both List-Unsubscribe and List-Unsubscribe-Post, the RFC 8058 one-click pair that Google and Yahoo check for. This is not a setting; it is hard-wired into the send pipeline and cannot be disabled by users.
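How such an extra_headers payload is built, as an added example rather than CarcMail's own code. The two header names and the one-click semantics come from RFC 2369 and RFC 8058; the HMAC token scheme, the UNSUB_SECRET value, the example.invalid host and the function names are assumptions made for this illustration. Because /unsubscribe is a public endpoint (see "Authentication & access" below), the token is what stops a third party from unsubscribing someone else's list, so the example also shows the constant-time check the public handler would perform.

```python
"""Added example: RFC 8058 one-click unsubscribe headers for every send path.

Not CarcMail's code. Token scheme, secret and base URL are assumptions.
"""
import hashlib
import hmac
from email.message import EmailMessage

# Constructed for the example; a real deployment reads this from the vault.
UNSUB_SECRET = b"example-unsubscribe-signing-key"
BASE_URL = "https://example.invalid"  # hypothetical unsubscribe endpoint host


def unsubscribe_token(lead_id: str, campaign_id: str) -> str:
    """Unguessable per-lead token: HMAC-SHA256 over the lead and campaign ids."""
    msg = f"{lead_id}:{campaign_id}".encode()
    return hmac.new(UNSUB_SECRET, msg, hashlib.sha256).hexdigest()


def verify_unsubscribe_token(lead_id: str, campaign_id: str, token: str) -> bool:
    """Constant-time comparison used by the public /unsubscribe handler."""
    expected = unsubscribe_token(lead_id, campaign_id)
    return hmac.compare_digest(expected, token)


def unsubscribe_headers(lead_id: str, campaign_id: str, mailbox: str) -> dict[str, str]:
    """The extra_headers both send paths receive."""
    token = unsubscribe_token(lead_id, campaign_id)
    url = f"{BASE_URL}/unsubscribe/{lead_id}/{campaign_id}/{token}"
    return {
        # RFC 2369: one or more <URL> targets; a mailto: and an https: URL here.
        "List-Unsubscribe": f"<mailto:{mailbox}?subject=unsubscribe>, <{url}>",
        # RFC 8058: marks the https: URL as one-click; the receiver POSTs this body.
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def build_message(sender: str, recipient: str, subject: str, body: str,
                  extra_headers: dict[str, str]) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    for name, value in extra_headers.items():
        msg[name] = value
    msg.set_content(body)
    return msg


def has_one_click_unsubscribe(msg: EmailMessage) -> bool:
    """Pre-send guard: refuse the send if either header is missing or malformed.

    RFC 8058 requires the one-click target to be an https: URL.
    """
    lu = str(msg.get("List-Unsubscribe", ""))
    post = str(msg.get("List-Unsubscribe-Post", ""))
    return "<https://" in lu and post.strip() == "List-Unsubscribe=One-Click"
```

The guard at the end is the part worth copying: a send path that asserts on the presence and shape of both headers cannot silently drift into non-compliance when someone refactors the header assembly.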

Sender safeguards

CarcMail's pipeline enforces sending limits, pre-send validation, and automated circuit breakers that protect your domain reputation — even if you try to send too aggressively.

Pre-send validation pipeline

Every lead passes through a seven-step pipeline. Steps 1 to 3 are gates that run before a single email is generated; a lead that fails any of them goes no further.

  1. Email format & domain check (MX record, catch-all detection)
  2. Suppression list lookup — blocked addresses never receive mail
  3. Daily send limit check against plan quota
  4. AI email generation grounded in your Identity Profile
  5. Spam score analysis — flags phrases before send
  6. AI rewrite if spam score exceeds threshold
  7. Send with full headers → logged to audit trail

Daily send limits by plan

Hard limits enforced server-side — not advisory warnings.

Trial 40 / day
Starter 250 / day
Growth 900 / day

Bounce rate circuit breaker

If your domain's 30-day bounce rate exceeds a safe threshold, CarcMail automatically pauses the campaign and alerts you. This prevents domain blacklisting before it becomes irreversible.
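The gating steps of the pipeline (1 to 3 above), the server-side plan quotas from the table, and the bounce-rate circuit breaker fit naturally into one object, shown here as an added example that is not CarcMail's implementation. The plan limits are the ones listed on this page; the 5% bounce threshold, the 50-send minimum sample, the in-memory stores, the class and function names and the fixed clock are assumptions. The MX and catch-all lookup of step 1 needs DNS and is left out so the example runs offline; only the syntax check is shown. The suppression list stores a hash of the normalised address rather than the address itself, which is what lets a suppression entry outlive an erasure request.

```python
"""Added example: pre-send gate = steps 1-3 + plan quota + bounce circuit breaker.

Not CarcMail's code. Thresholds, stores and names are assumptions; plan limits
are the ones published on the page. DNS checks are omitted to stay offline.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone
from enum import Enum

PLAN_LIMITS = {"trial": 40, "starter": 250, "growth": 900}  # from the table above
BOUNCE_THRESHOLD = 0.05   # assumed: a 30-day bounce rate above 5% pauses the campaign
BOUNCE_MIN_SAMPLE = 50    # assumed: never trip the breaker on 1 bounce out of 2 sends
WINDOW = timedelta(days=30)
FIXED_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed clock for the example

# Deliberately strict syntax check; a real deployment adds the MX/catch-all step.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


class Verdict(str, Enum):
    OK = "ok"
    BAD_ADDRESS = "bad_address"
    SUPPRESSED = "suppressed"
    QUOTA = "daily_quota_reached"
    PAUSED = "campaign_paused"


def normalize(address: str) -> str:
    """Lower-case and trim so Alice@X.com and alice@x.com hit the same entry."""
    return address.strip().lower()


def suppression_key(address: str) -> str:
    """Store a hash, not the address: the list must survive erasure requests."""
    return hashlib.sha256(normalize(address).encode()).hexdigest()


class SendGate:
    def __init__(self, plan: str, now: datetime | None = None):
        if plan not in PLAN_LIMITS:
            raise ValueError(f"unknown plan {plan!r}")
        self.limit = PLAN_LIMITS[plan]
        self.suppressed: set[str] = set()
        self.sent_on: dict[date, int] = defaultdict(int)
        self.events: list[tuple[datetime, bool]] = []  # (when sent, bounced?)
        self._now = now

    def now(self) -> datetime:
        return self._now or datetime.now(timezone.utc)

    def suppress(self, address: str) -> None:
        self.suppressed.add(suppression_key(address))

    def record_send(self, bounced: bool = False, days_ago: int = 0) -> None:
        when = self.now() - timedelta(days=days_ago)
        self.sent_on[when.date()] += 1
        self.events.append((when, bounced))

    def bounce_rate(self) -> float:
        """Bounces / sends over the trailing 30 days; 0.0 below the minimum sample."""
        cutoff = self.now() - WINDOW
        recent = [bounced for when, bounced in self.events if when >= cutoff]
        if len(recent) < BOUNCE_MIN_SAMPLE:
            return 0.0
        return sum(1 for b in recent if b) / len(recent)

    def campaign_paused(self) -> bool:
        return self.bounce_rate() > BOUNCE_THRESHOLD

    def check(self, address: str) -> Verdict:
        """Campaign-level breaker first, then steps 1-3 in order; first failure wins.

        Generation and sending only run on OK, so the quota is a hard
        server-side limit rather than an advisory warning.
        """
        if self.campaign_paused():
            return Verdict.PAUSED
        if not _ADDR_RE.match(normalize(address)):
            return Verdict.BAD_ADDRESS
        if suppression_key(address) in self.suppressed:
            return Verdict.SUPPRESSED
        if self.sent_on[self.now().date()] >= self.limit:
            return Verdict.QUOTA
        return Verdict.OK
```

The minimum-sample rule matters in practice: a fresh domain's first few sends often include a bounce or two, and a breaker that trips at 1/2 would pause every new campaign on day one. Events older than the window fall out of the rate automatically, so a bad week eventually stops counting against the domain.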

Inbox warmup

Automated warmup gradually ramps sending volume over 4–8 weeks using conversation patterns that mimic real traffic — opens, replies, and positive signals — to build domain reputation before campaigns launch.

Data security

Sensitive credentials are encrypted before storage. Data is isolated by user account at the query layer — not just by convention.

Credential encryption

  • SMTP credentials
    AES-256 encrypted at rest, keyed from a server-side vault secret (salt). Decrypted only at send time, in memory.
  • Google OAuth tokens
    Stored as encrypted refresh tokens. Passwords are never requested or stored. Access scopes are read + send only.
  • API keys (Apollo, LLM providers)
    Encrypted via the same vault mechanism. Never logged or exposed in API responses.

Data isolation

Every database model carries a user_id column tied to the Supabase authentication identity. Every query — without exception — filters by user_id. There is no shared namespace between accounts.

# Every query follows this pattern (SQLModel); current_user comes from the verified Supabase JWT
from sqlmodel import select

session.exec(
  select(Lead)
  .where(Lead.user_id == current_user.id)  # tenant filter is part of every query, never optional
)
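What "isolated at the query layer, not by convention" means in practice, as an added example that is not CarcMail's code. It uses the standard library's sqlite3 instead of the page's SQLModel and Supabase stack, and the schema, the LeadRepo class and the sample accounts are constructed for the illustration. The pattern is the point: the caller's user_id is fixed once, from the authenticated identity, and every read, write and delete carries it, so a lead id that belongs to another account is indistinguishable from one that does not exist. The unscoped lookup at the end is included only to show what the repository rules out.

```python
"""Added example: per-account data isolation enforced in every query.

Not CarcMail's code; stdlib sqlite3 stands in for SQLModel/Supabase.
Schema, class and sample data are constructed for the example.
"""
import sqlite3
from typing import Optional


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE lead (id INTEGER PRIMARY KEY, user_id TEXT NOT NULL, "
        "email TEXT NOT NULL)"
    )
    conn.execute("CREATE INDEX lead_user ON lead(user_id)")  # filter column is indexed
    return conn


class LeadRepo:
    """Scoped repository: user_id is bound at construction from the verified JWT
    and no method accepts a user_id argument, so it cannot be omitted or spoofed."""

    def __init__(self, conn: sqlite3.Connection, user_id: str):
        self.conn = conn
        self.user_id = user_id

    def add(self, email: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO lead (user_id, email) VALUES (?, ?)", (self.user_id, email)
        )
        return cur.lastrowid

    def list_emails(self) -> list[str]:
        rows = self.conn.execute(
            "SELECT email FROM lead WHERE user_id = ? ORDER BY id", (self.user_id,)
        )
        return [r[0] for r in rows]

    def get(self, lead_id: int) -> Optional[tuple]:
        # lead_id is the client-controlled value; user_id is always ANDed in,
        # so guessing another account's id yields None, not their data.
        return self.conn.execute(
            "SELECT id, email FROM lead WHERE id = ? AND user_id = ?",
            (lead_id, self.user_id),
        ).fetchone()

    def delete(self, lead_id: int) -> int:
        # Mutations carry the same predicate; 0 rows affected means "not yours".
        cur = self.conn.execute(
            "DELETE FROM lead WHERE id = ? AND user_id = ?", (lead_id, self.user_id)
        )
        return cur.rowcount


def unscoped_get(conn: sqlite3.Connection, lead_id: int) -> Optional[tuple]:
    """The pattern the page rules out: a lookup by id alone, no tenant filter."""
    return conn.execute(
        "SELECT id, email FROM lead WHERE id = ?", (lead_id,)
    ).fetchone()
```

A useful test in any such code base is exactly the one below: create two accounts, insert for one, and assert that the other's get and delete on that id behave as if the row did not exist.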

Authentication & access

  • Supabase JWT authentication on all API endpoints
  • Only /health, /track/open, /unsubscribe are public
  • Pydantic schema validation on all inputs
  • DB query timeout enforced at the connection layer

Billing controls

Payments and subscription changes go through Paddle's PCI-compliant checkout. CarcMail never touches or stores card numbers.

Paddle-hosted checkout

All payment flows are handled by Paddle's PCI DSS Level 1 certified checkout. Card data never passes through CarcMail servers.

HMAC-verified webhooks

Every Paddle webhook is verified using HMAC-SHA256 signature validation. Requests without a valid signature are rejected immediately with HTTP 500. No fallback, no bypass.

Webhook idempotency

Every processed Paddle event is recorded in a PaddleEvent table. Duplicate webhook deliveries are detected and ignored — billing actions never fire twice.
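Signature verification and idempotency belong in the same handler, in that order, shown here as an added example that is not CarcMail's implementation. It follows Paddle Billing's documented scheme as we understand it: a Paddle-Signature header of the form ts=...;h1=..., with h1 the hex HMAC-SHA256 of the string ts:rawbody under the endpoint secret. The secret, the sample event, the five-minute replay window, the in-memory set standing in for the PaddleEvent table and the class name are all constructed for the example. The page states that unsigned requests get HTTP 500; this example answers 400, the conventional status for a request the server refuses to trust, but the no-fallback behaviour is the same.

```python
"""Added example: Paddle-style webhook HMAC verification plus event de-duplication.

Not CarcMail's code. Header format follows Paddle Billing docs as understood by
the author of this example; secret, event and store are constructed.
"""
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"pdl_ntfset_example_secret"  # constructed; the real one lives in the vault
MAX_SKEW_SECONDS = 300  # assumed replay window; Paddle's own guidance is tighter

SAMPLE_EVENT = json.dumps({  # constructed sample, shaped like a Paddle Billing notification
    "event_id": "evt_example_0001",
    "event_type": "subscription.activated",
    "occurred_at": "2026-06-01T09:00:00Z",
    "data": {"id": "sub_example_0001", "status": "active"},
}).encode()


def _mac(raw_body: bytes, ts: str, secret: bytes) -> str:
    return hmac.new(secret, f"{ts}:".encode() + raw_body, hashlib.sha256).hexdigest()


def sign(raw_body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Build the header Paddle would send; used here only to construct test input."""
    return f"ts={ts};h1={_mac(raw_body, str(ts), secret)}"


def verify_signature(raw_body: bytes, header: str, now: int,
                     secret: bytes = WEBHOOK_SECRET) -> bool:
    """Parse ts/h1, recompute the MAC over the RAW bytes, compare in constant time.

    The body must be the bytes as received, not re-serialised JSON: any
    whitespace or key-order change would break the MAC.
    """
    parts = dict(p.split("=", 1) for p in header.split(";") if "=" in p)
    ts, h1 = parts.get("ts"), parts.get("h1")
    if not ts or not h1 or not ts.isdigit():
        return False
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: a captured request being replayed
    return hmac.compare_digest(_mac(raw_body, ts, secret), h1)


class WebhookHandler:
    def __init__(self) -> None:
        self.seen_events: set[str] = set()        # stands in for the PaddleEvent table
        self.actions: list[tuple[str, str]] = []  # (event_type, data.id) actually applied

    def handle(self, raw_body: bytes, header: str, now: int) -> tuple[int, str]:
        """Returns (status, reason). Signature first, then idempotency, then effects."""
        if not verify_signature(raw_body, header, now):
            return 400, "invalid signature"
        event = json.loads(raw_body)
        event_id = event.get("event_id")
        if not event_id:
            return 400, "missing event_id"
        if event_id in self.seen_events:
            return 200, "duplicate ignored"  # 200 so the sender stops retrying
        # In a real store, the event row insert and the billing change go in one
        # transaction so a crash cannot leave one applied without the other.
        self.seen_events.add(event_id)
        self.actions.append((event["event_type"], event["data"]["id"]))
        return 200, "processed"
```

Two details are easy to get wrong: the MAC must be computed over the raw request body before any JSON parsing, and a duplicate must be acknowledged with a 2xx, since a non-2xx tells the provider to retry and turns a harmless duplicate into a retry storm.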

Operational transparency

Every action CarcMail takes on your behalf is logged and visible. No black boxes.

What gets logged

  • Every email sent — timestamp, lead, inbox used, status
  • Open events (pixel tracking, opt-in)
  • Bounce events — type and timestamp
  • Reply received — classified by intent
  • Unsubscribe request — token, timestamp, suppression added
  • Credit usage — action type, cost, running balance
  • AI pipeline steps — each node, result, and duration

AI model transparency

CarcMail uses only two LLM providers, hardcoded in the platform:

Anthropic Claude: primary (email generation, classification, rewrite)
OpenAI GPT-4o-mini: fallback only; no other providers permitted

No Gemini, no open-source models, no third-party routing layers. Your prompts go to these two providers only.

Policy documents

For security reviews

  • Share this page with your procurement or IT security team.
  • We provide supplemental documentation for enterprise onboarding on request.

Report a vulnerability

Found a security issue? Responsible disclosure is welcomed. We aim to respond within 48 hours.

contact.cyberarcmsp@gmail.com

Questions about compliance or data handling? Email contact.cyberarcmsp@gmail.com. We respond within one business day.

Start your journey with CarcMail today