Security controls
- Transport security via HTTPS/TLS where deployed.
- Role-based access control for owner and operator permissions.
- Password hashing for stored passwords.
- CSRF protection on state-changing requests.
- Audit-friendly records for sends, password resets, approvals, and notifications.
Shared responsibility
Customers remain responsible for mailbox hygiene, lead sourcing, endpoint security, local device security, and secure handling of app passwords or OAuth credentials.
No internet-facing service can be guaranteed to be entirely secure. You must notify us immediately at kiwi.webai@gmail.com if you suspect compromise or misuse.