How Credentials are Handled

We understand that sharing AWS and database credentials is a big deal, so we want to detail the exact process we employ to ensure the security of your credentials:

1. All our pages employ TLS. Hence, your credentials are always encrypted during transmission.
2. We utilize the AWS Systems Manager Parameter Store to safeguard secrets. The Parameter Store is a widely recognized standard for storing secrets, using AWS KMS to encrypt the secret via AES-256.
3. We never store secrets in our database or cache layer. To enhance efficiency, we maintain a temporary, in-memory cache that holds AWS and database credentials when an email campaign is active, preventing a multitude of calls to AWS's API.
4. We request only Amazon SES send permissions for your AWS credentials. Even though this is somewhat difficult to strictly enforce, it's our guideline for newcomers when setting up their credentials.
5. We ask only for read-only access to your database and only to the tables essential for email marketing.
6. If you query for more columns than necessary, we store only the values of the columns requested in the email template. For instance, if you use SELECT * FROM user_account and your email template requires only the first_name column, we store {first_name: "First Last"} in our database when creating the email request object.

If you have any concerns or queries about security at cc.dev, please don't hesitate to contact us at [email protected] – we're always available to address your questions.