Compliance

The boring stuff, handled.

If your legal team needs a page to read before signing off, this is the page. If you're the legal team — hi.

CAN-SPAM (US)

Every tenant provides their own physical mailing address at signup. Section 5(a)(5) requires the sender — not us as a service provider — to include a valid postal address; we enforce that the field is non-empty before sending is enabled.

Every outbound message gets an unsubscribe link automatically appended (List-Unsubscribe header + footer link). Suppressions are tenant-scoped and checked at send time — re-mailing a suppressed address is blocked, not "best-effort".

False/misleading From, deceptive Subject, and sexually-explicit content without [ADV:ADLT] are TOS violations and grounds for account termination.

GDPR + UK GDPR

We act as a Data Processor for tenant-uploaded contact data; the tenant is the Data Controller. EU/UK data transfers are handled under Standard Contractual Clauses where the receiving infrastructure is outside the EEA.

A Data Processing Addendum (DPA) is available on request — open a support ticket and we send the executed version within 1 business day.

Tenant data export and deletion: a tenant can request a full export (contacts, sequences, sends, replies) or full account deletion via support. Deletion completes within 30 days; backups age out within 90 days.

What we ban platform-wide

B2C cold marketing — sending unsolicited promotional email to consumer mailbox addresses. This is enforced at the platform level and is grounds for account termination.

Crypto airdrop / MLM / "make money fast" outbound. We don't care about your business model when you sign up; we care about it the moment your bounces and complaints start poisoning the network.

Buying lists from data brokers without verifying the consent provenance. If your list provider can't produce a record of how each contact opted in or qualified for B2B legitimate-interest sending, don't upload it.

Infrastructure & sub-processors

Hosting + database: Railway (US + EU regions). Compute and Postgres run in Amsterdam (europe-west4) for EU tenant data residency.

Sending: SendGrid (Twilio) primary, with optional direct SMTP via tenant-provided credentials.

Warmup: CheddarInbox P2P network, operated by Nimbus.io, LLC (the same entity that operates BoomSauce — no third-party data flow for warmup signal generation).

Payments: Stripe (PCI compliant; we never see card numbers).

Domain registration: Namecheap.

AI: Anthropic (Claude API) for support triage and the free 1-page website generator. Content sent to Anthropic is not identity-linked.

Authentication standards

SPF, DKIM, and DMARC are configured on every domain at provisioning. We don't allow a domain to send production traffic without all three resolving correctly.

DKIM uses dual selectors (s1, s2) per SendGrid spec — single-key compromise or rotation does not take a domain offline.

DMARC defaults to p=none with rua= reporting to dmarc-reports@<domain> for the first 30 days. Tenants can tighten to p=quarantine or p=reject from the domain settings.
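The provisioning gate described above (SPF, both DKIM selectors, and a valid DMARC record must resolve before production sending), as an added example that is not BoomSauce's code. It runs against constructed zone data in place of live DNS; the domain names and placeholder DKIM keys are made up.

```python
# Constructed zone data standing in for live TXT lookups (not real domains);
# CNAME-chased DKIM selectors are assumed to resolve to their TXT payload.
ZONE = {
    "ok.example": ["v=spf1 include:sendgrid.net ~all"],
    "s1._domainkey.ok.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_1"],
    "s2._domainkey.ok.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_2"],
    "_dmarc.ok.example": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@ok.example"],
    "weak.example": ["v=spf1 -all"],
    "s1._domainkey.weak.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_1"],
    "_dmarc.weak.example": ["v=DMARC1; p=monitor"],  # not a valid DMARC policy
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_problems(record):
    """Policy-level checks on a single DMARC record."""
    tags, problems = parse_dmarc(record), []
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("dmarc: record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append(f"dmarc: invalid policy p={tags.get('p')!r}")
    if tags.get("p") == "none" and "rua" not in tags:
        problems.append("dmarc: p=none without rua= collects no reports")
    return problems

def default_dmarc(domain):
    """Initial monitor-only record with aggregate reports, as the page describes."""
    return f"v=DMARC1; p=none; rua=mailto:dmarc-reports@{domain}"

def provisioning_problems(domain, lookup=ZONE.get):
    """Every reason the domain is not yet cleared for production sending."""
    problems = []
    spf = [r for r in lookup(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"spf: expected exactly one v=spf1 record, found {len(spf)}")
    for sel in ("s1", "s2"):  # dual selectors so one key can rotate without downtime
        txt = lookup(f"{sel}._domainkey.{domain}", [])
        if not any(r.lower().startswith("v=dkim1") for r in txt):
            problems.append(f"dkim: selector {sel} missing")
    dmarc = [r for r in lookup(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        problems.append(f"dmarc: expected exactly one record, found {len(dmarc)}")
    else:
        problems.extend(dmarc_problems(dmarc[0]))
    return problems
```

An empty list from `provisioning_problems` is the "all three resolving correctly" condition; anything else names what blocks the domain.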

Security posture

TLS 1.2+ on every API and dashboard endpoint. HSTS preload submitted.

Database encrypted at rest; backups encrypted in transit.

Admin access gated by Google OAuth; no shared admin credentials.

Vulnerability disclosure: security@boomsauce.com (and we actually read it).

Need the DPA, security review packet, or sub-processor list?

All available on request. Most legal teams can self-serve from the public docs above; the DPA + security review get sent over inside one business day.


Stop renting tools. Own the rails.

Wallet starts at $0. Add a domain — or bring your own free — and you can be sending in under 30 minutes.