Security overview

Security at delivr.to

Built by offensive security practitioners for security teams, delivr.to was designed with a defensive mindset and security baked in at multiple layers. This page provides an overview of the controls, processes and architecture choices that protect our customers and their data.

Topic 01

Personnel & Access

Security at delivr.to starts with the people running it. Founders James Coote and Alfie Champion are career offensive security and purple teaming practitioners; security posture is a default, not a feature.

  • Production deploys run from GitHub Actions using AWS IAM OIDC federation. No long-lived AWS access keys are issued to humans or to CI.
  • Production AWS accounts are separated from development. Workloads are deployed to dedicated production accounts with environment-scoped IAM roles.
  • Lambda execution roles follow least privilege, scoped per function category (campaigns, payloads, teams, integrations) with the minimum DynamoDB, S3 and KMS actions each handler needs.
  • All access to third-party SaaS used to operate the platform requires multi-factor authentication.
  • Cognito user pool activity is streamed to CloudWatch with structured authentication event logs for review and incident response.

Topic 02

Data Security

Customer data, payloads and email artefacts are encrypted, isolated and auto-pruned. Sensitive material like attachments and raw email files is held against customer-managed KMS keys.

  • Encryption in transit. Every customer-facing endpoint redirects HTTP to HTTPS at CloudFront and serves HSTS with a one-year max-age and preload directive. TLS 1.2 or higher is used between the customer and our edge.
  • Encryption at rest. Stored EML files and sensitive integration material are encrypted with customer-managed AWS KMS keys held in the delivr.to production account. DynamoDB tables, S3 objects and CloudWatch Logs use AWS-managed server-side encryption by default.
  • Secrets management. Third-party API credentials (SendGrid, Mailgun, O365, Google and others) are held in AWS Secrets Manager and read by Lambda functions at runtime. Application code never has plaintext credentials baked in.
  • Backups. Production DynamoDB tables have point-in-time recovery enabled, providing rolling continuous backups with 35-day restore windows.

Topic 03

Product Security

Authentication and authorisation are enforced consistently at the API edge, not in scattered handlers. Every request to a protected endpoint is checked against a central policy store before any business logic runs.

  • Single sign-on through Amazon Cognito with native accounts plus federated identity via Google OAuth and Microsoft (SAML / OIDC).
  • Multi-factor authentication is supported via TOTP (authenticator apps) and recommended for every account.
  • Authorisation is enforced by a Lambda authorizer fronting API Gateway. The authorizer evaluates every request (there is no caching of authorisation decisions) against an Amazon Verified Permissions policy store.
  • An immutable, organisation-wide audit log of user activity is available on the Enterprise plan, backed by DynamoDB streams on integration, campaign, email and team tables.
  • Secure SDLC. Pull requests are required for all changes to production code; main and prod branches are protected and require review before merge.
  • All payload deliveries are gated behind authenticated, time-limited download links scoped to the requesting user.
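The "no caching of authorisation decisions" point above maps to a single API Gateway setting. The following Terraform is an added example, not delivr.to's own configuration; it assumes an `aws_lambda_function.authorizer` and an `aws_api_gateway_resource.campaigns` defined elsewhere, and all names are placeholders.

```hcl
# Added example (not delivr.to's own Terraform). Names are placeholders.
resource "aws_api_gateway_rest_api" "api" {
  name = "example-api" # placeholder
}

resource "aws_api_gateway_authorizer" "policy_check" {
  name            = "verified-permissions-authorizer"
  rest_api_id     = aws_api_gateway_rest_api.api.id
  type            = "REQUEST"
  identity_source = "method.request.header.Authorization"

  # Assumed to exist: a Lambda that validates the Cognito token and asks
  # Verified Permissions for an ALLOW/DENY decision on every request.
  # It also needs an aws_lambda_permission granting apigateway.amazonaws.com
  # invoke rights (not shown here).
  authorizer_uri = aws_lambda_function.authorizer.invoke_arn

  # The default is 300 seconds: a cached ALLOW would keep serving a user for
  # up to five minutes after their access was revoked or a policy changed.
  # Zero disables the cache so the policy store is consulted on every call.
  authorizer_result_ttl_in_seconds = 0
}

resource "aws_api_gateway_method" "get_campaigns" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.campaigns.id # assumed defined elsewhere
  http_method   = "GET"
  authorization = "CUSTOM"
  authorizer_id = aws_api_gateway_authorizer.policy_check.id
}
```

Disabling the cache trades a Lambda invocation per request for immediate effect of revocations; the authorizer's own latency budget should be sized accordingly.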

Topic 04

Data Privacy

delivr.to is a UK-based company and operates entirely from AWS infrastructure in the United Kingdom. Customer data does not leave the UK region under normal operation.

  • All production AWS resources (Lambda compute, DynamoDB tables, S3 buckets, Cognito user pool) are deployed exclusively in the eu-west-2 (London) region.
  • Customer ownership. You retain ownership of the campaigns, recipient lists and integration credentials you upload. delivr.to processes that data only to deliver the service you have configured.
  • Default least access. delivr.to staff have no standing access to customer campaign data or integration tokens. Operational access requires explicit ticket-based justification and is captured in CloudTrail-eligible audit logs.
  • Automatic data lifecycle. Temporary upload and report objects in our S3 staging bucket are automatically expired after 24 hours via S3 Lifecycle rules. Time-bound material such as one-time passcodes is auto-purged via DynamoDB TTL.
  • Customers may request export or deletion of their account data at any time by emailing security@delivr.to. Subscription and billing records are retained per UK and EU statutory obligations.
  • Read more in our full Privacy Policy.
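The 24-hour S3 expiry and DynamoDB TTL described above, together with the point-in-time recovery mentioned under Data Security, can be expressed as follows. This is an added example, not delivr.to's own Terraform; bucket, table and attribute names are placeholders.

```hcl
# Added example (not delivr.to's own Terraform). Names are placeholders.
resource "aws_s3_bucket" "staging" {
  bucket = "example-staging-bucket" # placeholder
}

resource "aws_s3_bucket_lifecycle_configuration" "staging" {
  bucket = aws_s3_bucket.staging.id

  rule {
    id     = "expire-temporary-objects"
    status = "Enabled"
    filter {} # empty filter: the rule applies to every object in the bucket

    # Lifecycle "days" is a whole-day granularity evaluated on a daily
    # schedule, so an object written late in the day can outlive 24h by
    # some hours. Treat this as a safety net, not a precise timer.
    expiration {
      days = 1
    }

    # Abandoned multipart uploads are invisible to normal listings but still
    # hold data; expire them on the same schedule.
    abort_incomplete_multipart_upload {
      days_after_initiation = 1
    }
  }
}

resource "aws_dynamodb_table" "passcodes" {
  name         = "example-passcodes" # placeholder
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "pk"

  attribute {
    name = "pk"
    type = "S"
  }

  # Items whose "expires_at" (epoch seconds) is in the past are removed by
  # a background process that can lag behind the expiry time, so readers
  # must still compare expires_at to the current time before trusting an item.
  ttl {
    attribute_name = "expires_at"
    enabled        = true
  }

  point_in_time_recovery {
    enabled = true # continuous backups with a 35-day restore window
  }
}
```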

Topic 05

Infrastructure Security

delivr.to runs entirely on Amazon Web Services. AWS is ISO/IEC 27001, SOC 1/2/3, PCI DSS and HIPAA-attested, with a global footprint of physically secured data centres covered by 24/7 access monitoring, perimeter controls, video surveillance and intrusion detection.

  • Infrastructure as code. The entire production environment is defined in Terraform held in a private GitHub repository. Every change is peer-reviewed and applied via OIDC-federated GitHub Actions; no engineer runs Terraform from a laptop against production.
  • Logging and observability. Application metrics, error rates and authentication events stream to CloudWatch for real-time monitoring and alerting on anomalous activity.
  • Resource isolation. Production and development environments live in separate AWS accounts, with separate Cognito user pools, DynamoDB tables and KMS keys. Data does not cross between environments.
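The OIDC federation referred to here and under Personnel & Access replaces long-lived keys with short-lived role credentials, and its security rests on the trust policy's `sub` condition. The Terraform below is an added example, not delivr.to's own; repository, branch and thumbprint values are placeholders.

```hcl
# Added example (not delivr.to's own Terraform). Values are placeholders.
locals {
  github_repo   = "example-org/example-repo" # placeholder
  deploy_branch = "prod"                      # placeholder
}

resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Placeholder: substitute the current thumbprint of GitHub's OIDC issuer.
  thumbprint_list = ["ffffffffffffffffffffffffffffffffffffffff"]
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # The aud check alone admits every GitHub repository on github.com.
    # The sub claim pins the role to one repository and one branch; for
    # GitHub Environments the shape is "repo:<org>/<repo>:environment:<name>".
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${local.github_repo}:ref:refs/heads/${local.deploy_branch}"]
    }
  }
}

resource "aws_iam_role" "github_deploy" {
  name                 = "github-deploy-prod" # placeholder
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600 # credentials expire with the job
}
```

Permissions attached to the role should then be the deploy-time minimum for that environment, separate from the runtime Lambda execution roles.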

Reporting a vulnerability

If you believe you have found a security issue affecting delivr.to or any of its services, please email security@delivr.to. We will acknowledge your report within two business days, keep you updated as we investigate, and credit you on a public acknowledgements page if you wish. Please give us a reasonable window to remediate before any public disclosure.
