Security

Last updated: 2026-06-24

We take the security of your data seriously. This page explains, in plain language, the measures we use to protect your account and your content, and how to report a security issue.

Encryption

All traffic between you and Madoo is encrypted in transit using TLS (HTTPS). Sensitive credentials — such as the access tokens for connected Gmail and Outlook accounts — are encrypted at rest before being stored.

Authentication

You can sign in with Google, GitHub, Apple or an email and password. Passwords are never stored in plain text — we keep only a salted hash. Sessions are protected with secure, signed cookies.

Connected accounts

When you connect an email provider, we request only the permissions needed to send or export your emails. Tokens are encrypted, and you can revoke access at any time from your settings or directly with the provider.

Payments

Payments are processed by Stripe, a PCI‑DSS Level 1 certified provider. Madoo never sees or stores your full card details — we store only the identifiers needed to manage your subscription.

Infrastructure & access

Madoo runs on reputable cloud infrastructure (including Vercel) with isolated environments. Access to production systems and data is limited to authorized personnel on a need‑to‑know basis.

Data isolation

Your content is scoped to your account and workspaces. Requests are authorized so that one account cannot read or modify another account's data.

Reporting a vulnerability

If you believe you have found a security vulnerability, please email asponceg@gmail.com with the details and steps to reproduce. Do not publicly disclose the issue until we have had a reasonable chance to address it. We appreciate responsible disclosure and will work with you in good faith.

Incident response

If a security incident affects your data, we will investigate, contain it, and notify affected users as required by applicable law.