How Credentials are Handled
We understand that sharing AWS and database credentials is a big deal, so we want to detail the exact process we employ to ensure the security of your credentials:
- All our pages employ TLS. Hence, your credentials are always encrypted during transmission.
- We utilize the AWS Systems Manager Parameter Store to safeguard secrets. The Parameter Store is a widely recognized standard for storing secrets, using AWS KMS to encrypt the secret via AES-256.
- We never store secrets in our database or cache layer. To enhance efficiency, we maintain a temporary, in-memory cache that holds AWS and database credentials when an email campaign is active, preventing a multitude of calls to AWS's API.
- We request only Amazon SES send permissions for your AWS credentials. Even though this is somewhat difficult to strictly enforce, it's our guideline for newcomers when setting up their credentials.
- We ask only for read-only access to your database and only to the tables essential for email marketing.
- If you query for more columns than necessary, we store only the values of the columns requested in the email template. For instance, if you use
SELECT * FROM user_account
and your email template requires only the first_name
column, we store {first_name: "First Last"}
in our database when creating the email request object.
If you have any concerns or queries about security at cc.dev, please don't hesitate to contact us at [email protected] – we're always available to address your questions.