Security
How ScamVerify™ protects your data, handles API keys, and approaches infrastructure security.
Data Handling
No Raw PII Storage
ScamVerify™ hashes all lookup targets with SHA-256 before storing them. When you look up a phone number, URL, text message, or email, the raw value is used only for the real-time analysis. The stored record contains only the SHA-256 hash, never the original input.
This means:
- We cannot reverse-engineer what phone numbers or URLs you have looked up
- A database breach would not expose your customers' phone numbers or the URLs you verified
- Usage logs contain hashes, not plaintext targets
Data Retention
- Cached results: Lookup results are cached for 24 hours to enable free re-lookups and faster response times. After 24 hours, a fresh lookup is required.
- Usage logs: Aggregated usage data (counts by channel, by day) is retained for billing and analytics purposes.
- No email or text content storage: Email bodies and text messages submitted for analysis are processed in memory and not persisted after the response is returned.
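The hash-before-store pattern described above, together with the 24-hour result cache, as an added illustration in Python (not ScamVerify's own code). The channel names, the normalization rules and the in-memory store are assumptions made for the example; the optional keyed variant of the hash is a hardening the page does not describe.

```python
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Tuple

# Constructed example: a lookup target is reduced to a SHA-256 hash before it is
# stored, and results are cached for 24 hours keyed by that hash.
# Added illustration, not ScamVerify's own code.

CACHE_TTL_SECONDS = 24 * 60 * 60  # the page states results are cached for 24 hours


def normalize_target(channel: str, value: str) -> str:
    """Canonicalize before hashing so equivalent spellings map to one record.

    The channel tags and rules here are assumptions for the example.
    """
    value = value.strip()
    if channel == "phone":
        # keep digits and a leading '+', e.g. "+1 (555) 010-0100" -> "+15550100100"
        digits = "".join(ch for ch in value if ch.isdigit())
        value = ("+" if value.startswith("+") else "") + digits
    elif channel in ("url", "email"):
        value = value.lower()
    return f"{channel}:{value}"


def hash_target(channel: str, value: str, secret: Optional[bytes] = None) -> str:
    """Return the hex digest that is stored in place of the raw target.

    With secret=None this is the plain SHA-256 the page describes. Passing a
    server-side secret switches to HMAC-SHA256 (an assumed hardening, not
    something the page states) so that low-entropy inputs such as phone
    numbers cannot be matched against a precomputed table of digests.
    """
    canonical = normalize_target(channel, value).encode("utf-8")
    if secret is None:
        return hashlib.sha256(canonical).hexdigest()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


class LookupCache:
    """In-memory stand-in for the database: keyed by hash, never by raw value."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret = secret
        self._records: Dict[str, Tuple[float, dict]] = {}

    def put(self, channel: str, value: str, result: dict, now: Optional[float] = None) -> str:
        key = hash_target(channel, value, self._secret)
        self._records[key] = (now if now is not None else time.time(), result)
        return key

    def get(self, channel: str, value: str, now: Optional[float] = None) -> Optional[dict]:
        key = hash_target(channel, value, self._secret)
        entry = self._records.get(key)
        if entry is None:
            return None
        stored_at, result = entry
        current = now if now is not None else time.time()
        if current - stored_at >= CACHE_TTL_SECONDS:
            del self._records[key]  # expired: the caller must perform a fresh lookup
            return None
        return result

    def stored_keys(self) -> List[str]:
        """What a database dump would reveal: hex digests only."""
        return list(self._records)


if __name__ == "__main__":
    cache = LookupCache()
    t0 = 1_700_000_000.0
    cache.put("phone", "+1 (555) 010-0100", {"risk": "high"}, now=t0)
    print(cache.get("phone", "+15550100100", now=t0 + 3600))          # cache hit
    print(cache.get("phone", "+15550100100", now=t0 + CACHE_TTL_SECONDS))  # expired -> None
    print(cache.stored_keys())
```

The design point worth noticing is the size of the input space: a plain SHA-256 over a phone number can be matched by hashing every possible number, so a server-held secret (the `secret` argument) is the usual way to make the stored digests unlinkable for anyone who obtains only the database.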
API Key Security
Key Generation
API keys are generated using cryptographically secure random bytes. Each key is 48 characters long with a sv_live_ or sv_test_ prefix.
Key Storage
API keys are hashed with SHA-256 before being stored in the database. The full key is shown exactly once at creation. After that, only the first 12 characters (the prefix) are stored for display in your dashboard.
Copy your API key immediately when it is created. If you lose it, you cannot retrieve it. You will need to create a new key and revoke the old one.
Key Management
- You can create up to 5 active API keys per account
- Keys can be revoked at any time from your dashboard. Revocation is immediate and permanent.
- Revoked keys return 401 Unauthorized on all requests
- Use separate keys for development (sv_test_), staging, and production to limit blast radius if a key is compromised
Key Rotation
We recommend rotating your API keys periodically. The process is:
- Create a new key in your dashboard
- Update your application to use the new key
- Verify the new key works in production
- Revoke the old key
Since you can have up to 5 active keys, you can create the new key before revoking the old one, ensuring zero downtime.
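The key lifecycle described under Key Generation, Key Storage and Key Management, followed by the four-step rotation above, as one added Python illustration (not ScamVerify's own code). The record layout, the key identifiers used for revocation and the in-memory store are assumptions made for the example; the 48-character length, the sv_live_/sv_test_ prefixes, the SHA-256 storage, the 12-character display prefix and the 5-key limit are taken from the page.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed example of the key lifecycle this page describes: CSPRNG-generated
# keys with an sv_live_/sv_test_ prefix, SHA-256 hashed at rest, a 12-character
# display prefix, at most 5 active keys per account, immediate revocation, and
# rotation without downtime.  Added illustration, not ScamVerify's own code.

KEY_LENGTH = 48          # total characters, prefix included (from the page)
DISPLAY_PREFIX_LEN = 12  # characters kept for the dashboard (from the page)
MAX_ACTIVE_KEYS = 5      # per account (from the page)
PREFIXES = {"live": "sv_live_", "test": "sv_test_"}


def generate_api_key(mode: str) -> str:
    """Build a 48-character key: mode prefix plus a cryptographically random suffix."""
    prefix = PREFIXES[mode]
    random_len = KEY_LENGTH - len(prefix)
    # token_hex yields 2 hex characters per byte; slice in case random_len is odd
    return prefix + secrets.token_hex((random_len + 1) // 2)[:random_len]


def hash_api_key(key: str) -> str:
    return hashlib.sha256(key.encode("ascii")).hexdigest()


class KeyStore:
    """Persists only the hash and the display prefix; the full key is never stored."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}   # key_id -> record (assumed layout)
        self._by_hash: Dict[str, str] = {}    # sha256(key) -> key_id

    def create(self, account: str, mode: str) -> Tuple[str, str]:
        """Return (key_id, full_key). The full key is shown exactly once."""
        active = [r for r in self._records.values()
                  if r["account"] == account and not r["revoked"]]
        if len(active) >= MAX_ACTIVE_KEYS:
            raise RuntimeError(f"account {account} already has {MAX_ACTIVE_KEYS} active keys")
        key = generate_api_key(mode)
        key_id = secrets.token_hex(8)  # assumed: an opaque id for dashboard actions
        self._records[key_id] = {
            "account": account,
            "mode": mode,
            "display": key[:DISPLAY_PREFIX_LEN],
            "revoked": False,
        }
        self._by_hash[hash_api_key(key)] = key_id
        return key_id, key

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the owning account, or None (the API would answer 401 Unauthorized)."""
        # Looking the digest up directly is the usual pattern: the stored value is a
        # hash of the secret, so a database read discloses nothing usable as a key.
        key_id = self._by_hash.get(hash_api_key(presented))
        if key_id is None:
            return None
        record = self._records[key_id]
        return None if record["revoked"] else record["account"]

    def revoke(self, key_id: str, account: str) -> bool:
        """Immediate and permanent; the next request with that key gets 401."""
        record = self._records.get(key_id)
        if record is None or record["account"] != account:
            return False
        record["revoked"] = True
        return True

    def dashboard(self, account: str) -> List[str]:
        """What the dashboard can show: display prefixes of active keys only."""
        return [r["display"] for r in self._records.values()
                if r["account"] == account and not r["revoked"]]


def rotate(store: KeyStore, account: str, old_key_id: str, mode: str = "live") -> str:
    """Zero-downtime rotation: create, cut over, verify, then revoke the old key."""
    new_key_id, new_key = store.create(account, mode)      # step 1: create a new key
    app_config = {"api_key": new_key}                      # step 2: update the application
    if store.authenticate(app_config["api_key"]) != account:  # step 3: verify it works
        raise RuntimeError("new key failed verification; old key left in place")
    store.revoke(old_key_id, account)                      # step 4: revoke the old key
    return new_key


if __name__ == "__main__":
    store = KeyStore()
    key_id, key = store.create("acme", "live")
    print(key, store.dashboard("acme"))        # full key once; dashboard shows 12 chars
    new_key = rotate(store, "acme", key_id)
    print(store.authenticate(key), store.authenticate(new_key))  # None acme
```

Because both keys are valid between steps 1 and 4, deployments that roll out gradually keep working throughout; the old key is revoked only after the new one has been observed to authenticate.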
Transport Security
HTTPS Only
All API endpoints are served over HTTPS only. HTTP requests are rejected. TLS 1.2 is the minimum supported version.
CORS
The API supports CORS with Access-Control-Allow-Origin: * for all /api/v1/ endpoints. This allows browser-based clients to call the API directly, though we recommend proxying through your server to keep your API key secret.
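The server-side proxy recommended above, as an added Python illustration (not ScamVerify's own code): the browser calls this process on your own origin, and only this process ever holds the API key. It assumes the key is sent as an Authorization: Bearer header (the page does not say how the key is transmitted), and the upstream host, front-end origin and key value are placeholders.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed example of the server-side proxy the page recommends: the browser
# talks to this process, and only this process holds the ScamVerify API key.
# Added illustration, not ScamVerify's own code.  ASSUMPTIONS: the key travels
# as "Authorization: Bearer <key>"; UPSTREAM, ALLOWED_ORIGIN and API_KEY are
# placeholders to be replaced with your real values (read the key from the
# environment or a secret store in practice, never from source).

UPSTREAM = "https://api.example.invalid"         # placeholder upstream base URL
ALLOWED_ORIGIN = "https://app.example.invalid"   # your own front-end, not "*"
API_KEY = "sv_test_REPLACE_WITH_YOUR_KEY"        # placeholder
DROP_FROM_CLIENT = {"authorization", "host", "content-length", "cookie", "connection"}


def build_upstream_request(path: str, client_headers: Dict[str, str], body: bytes,
                           api_key: str) -> Optional[Tuple[str, Dict[str, str], bytes]]:
    """Return (url, headers, body) for the forwarded call, or None if the path is not allowed."""
    if not path.startswith("/api/v1/") or ".." in path:
        return None  # expose only the documented API surface through the proxy
    # Anything the browser sent as Authorization is discarded; the key is added here.
    headers = {k: v for k, v in client_headers.items() if k.lower() not in DROP_FROM_CLIENT}
    headers["Authorization"] = f"Bearer {api_key}"
    headers.setdefault("Content-Type", "application/json")
    return UPSTREAM + path, headers, body


def cors_headers() -> Dict[str, str]:
    """Scope CORS to your own origin; the upstream's '*' is no longer what the browser sees."""
    return {
        "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
        "Access-Control-Allow-Methods": "POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",
    }


class ProxyHandler(BaseHTTPRequestHandler):
    def _send_cors(self) -> None:
        for name, value in cors_headers().items():
            self.send_header(name, value)

    def do_OPTIONS(self) -> None:  # preflight
        self.send_response(204)
        self._send_cors()
        self.end_headers()

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        spec = build_upstream_request(self.path, dict(self.headers), body, API_KEY)
        if spec is None:
            self.send_response(404)
            self.end_headers()
            return
        url, headers, payload = spec
        try:
            with urlopen(Request(url, data=payload, headers=headers, method="POST"), timeout=10) as resp:
                status, data = resp.status, resp.read()
        except HTTPError as err:           # pass the API's own error status through
            status, data = err.code, err.read()
        except (URLError, OSError):        # upstream unreachable: no internal details to the browser
            status, data = 502, json.dumps({"error": "upstream unavailable"}).encode()
        self.send_response(status)
        self._send_cors()
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Two things this buys you beyond hiding the key: the proxy can restrict which paths the browser may reach, and it lets you replace the upstream's wildcard CORS policy with one pinned to your own origin, so other sites cannot drive your proxy (and your quota) from a visitor's browser.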
Infrastructure
Hosting
ScamVerify™ runs on Vercel's infrastructure with automatic scaling, global edge distribution, and built-in DDoS protection.
Database
Customer data is stored in Supabase PostgreSQL with encryption at rest and in transit. Database access requires authentication and is not exposed to the public internet.
Monitoring
We use Sentry for error tracking and PostHog for anonymized usage analytics. Neither system receives raw lookup targets (phone numbers, URLs, etc.).
Compliance Roadmap
ScamVerify™ is building toward formal compliance certifications as the platform grows:
| Milestone | Target |
|---|---|
| Privacy policy and data handling documentation | Available now |
| Insurance coverage | At $10K ARR |
| SOC 2 Type II certification | At $100K ARR |
We take a practical approach to compliance, investing in formal certifications as revenue supports the cost. In the meantime, the security practices described on this page are in effect from day one.
Responsible Disclosure
If you discover a security vulnerability in the ScamVerify™ API, please report it through our contact form. We take all reports seriously and will respond within 48 hours.
Please do not publicly disclose vulnerabilities before we have had a chance to address them.
Related
- Authentication for API key setup and test mode
- FAQ for general questions about data sources and handling
- Common Issues for authentication troubleshooting