Security at Salesbee

Reassuringly simple. Enterprise-grade by default.

This page explains how we protect your data and your customers' data across our product, infrastructure, and company operations.

Need our security pack (DPA, sub-processor list, penetration summary)? Email [email protected] and we'll send it.

At a glance

Encryption everywhere: TLS in transit; AES-256 at rest.
Single-tenant isolation at the data layer: Logical isolation per workspace/organization.
Least-privilege access: Role-based access controls and audited admin actions.
SSO + 2FA: Google/Microsoft sign-in supported; TOTP 2-factor for all users.
No model training on your data: Your data is never used to train public foundation models.
Backups & disaster recovery: Point-in-time backups; tested recovery procedures.
UK & EU GDPR: Data Processing Addendum available; data subject rights supported.
Email authentication: SPF, DKIM, and DMARC alignment for high deliverability and spoofing protection.
Security contact: [email protected] (24/7 monitored).

Data protection

Data we process

Salesbee processes business contact data (companies you target), outbound email content and metadata, reply signals, and workspace/user profile data. You can request a full export at any time from Settings → Privacy & Data.

Lead data sources: We derive lead and scoring signals primarily from public business websites and your inputs. We avoid special-category data.

Data ownership

You own your data. We do not sell, share, or rent customer data to third parties. We act as a processor for your data under the DPA.

Data minimisation

We only store what we need to operate your sequences, measure performance, and provide support. You control retention and deletion (see Retention).

AI usage & privacy

  • We use AI to draft outreach and analyse replies.
  • Your prompts, outputs, and related metadata stay within your workspace and are not used to train public models.
  • Where third-party model providers are used, we select providers that contractually commit to no training on customer prompts/outputs and to strong confidentiality.

Authentication & access control

SSO: Sign in with Google or Microsoft.
2-factor authentication: TOTP codes (Authy, Google Authenticator, etc.) optionally enforceable by admins.
RBAC: Roles for Owner, Admin, Member; fine-grained permissions for sending, importing, exporting, and billing.
Session security: Short-lived tokens with refresh; automatic logout on password/SSO change; device/session list with remote revoke.
IP allow-listing (optional): Enterprise feature to restrict access to named IP ranges.

Infrastructure & network security

Hosting: Deployed on a leading hyperscale cloud with ISO 27001/27017/27018, SOC 1/2/3 certified data centres.
Segmentation: Separate VPCs for staging and production; least-privilege security groups; private subnets for data services.
Secrets management: KMS/HSM-backed encryption for keys and application secrets.
Patching: Weekly patch windows for OS and containers; urgent CVEs patched out-of-cycle.
DDoS & WAF: Edge protection and web application firewall in place for L3–L7 attack mitigation.
Logging & monitoring: Centralised logs, metrics, and traces with anomaly alerts and retention policies.

Application security

Secure SDLC: Threat modelling, mandatory code review, and dependency scanning on every build.
Static & dynamic analysis: SAST/DAST gates in CI.
Penetration tests: Annual third-party penetration testing of the application and APIs; summary available on request.
Change management: Blue/green or rolling deploys with automated rollbacks; feature flags for risky changes.
Bug bounty / disclosure: Coordinated vulnerability disclosure policy; see Report a vulnerability.

Email security & deliverability

SPF/DKIM/DMARC: Guided setup wizard to authenticate your sending domains and enforce alignment.
Sending identity by plan:
  • Trial & Starter: Sent from a protected Salesbee sending domain with a small "Powered by Salesbee" footer.
  • Growth: Footer removed; option to add a custom sending domain for your company.
  • Pro: Footer removed; option to connect your own mailbox via OAuth.
Follow-ups schedule: Automatic at +2, +5, and +14 business days (stop immediately on human reply).
Verified work emails: We prioritise verified work email addresses and include an easy one-click unsubscribe in every message.
Reply handling: Auto-stop on human reply; robust classification to ignore OOO/auto-replies.
OAuth for inboxes (read-only): When connecting Google/Microsoft inboxes, we request minimum scopes for sending and read-only reply sync so we can stop sequences on reply. No password storage.
Per-domain warm-up & rate limits: Adaptive sending limits to protect reputation.

Data retention & deletion

Default retention: Outreach content and analytics retained for as long as your workspace exists unless you set a shorter policy.
Configurable policies: Admins can set auto-deletion windows for email bodies, contact notes, and logs.
Right to be forgotten: Delete an individual contact and all linked personal data from Contacts → Privacy tools.
Account deletion: Workspace owners can permanently delete the workspace; backups age out per our backup schedule.

Backups & disaster recovery

  • Backups: Encrypted daily snapshots with point-in-time recovery.
  • Retention: Rolling 30-day backup window.
  • DR testing: Recovery procedures tested at least twice annually.
  • Targets: RPO ≤ 24 hours; RTO ≤ 12 hours for critical services.

Compliance & privacy

  • UK/EU GDPR: We act as processor; DPA and SCCs available for signature.
  • UK PECR (B2B email): We send only to business contacts and include an opt-out/unsubscribe link in every message.
  • Data residency: UK/EU hosting options available for Enterprise (contact us).

FAQs

Do you use my data to train AI models?

No. We do not use customer data to train public foundation models.

Can you sign our DPA?

Yes. We provide a standard DPA and can countersign yours (light redlines).

Where is my data hosted?

UK/EU options are available for Enterprise; otherwise hosted in highly resilient, compliant regions with strong privacy laws.

How do sending identities differ by plan?

Trial & Starter use a protected Salesbee domain with a small footer. Growth can add a custom domain. Pro can connect a mailbox via OAuth. Footer is removed on Growth & Pro.

Do you support custom security reviews?

Yes. Contact [email protected].

Report a vulnerability

If you believe you've found a security issue, email [email protected] with details and steps to reproduce. We'll acknowledge receipt quickly and keep you informed as we resolve the issue. Please avoid public disclosure until we've fixed it. We provide safe harbour for good-faith research.

Questions about security?

Our security team is here to help 24/7.

Last updated: 14 October 2025