Security at SMSKit
Your message content is sensitive. Here's how we treat it.
Isolation
- Per-tenant database isolation. Every account has its own database. Your messages and metadata are never in a shared table with another customer’s. This is unusual in the SMS-gateway category — most competitors store everyone in one multi-tenant database.
Data handling
- PII-masked logging. Phone numbers and message content are masked in our structured logs.
- Minimal retention. Job history retention follows your plan; you control how long data lives.
- Fully managed, still isolated. We host the platform, but your data never leaves your own dedicated database — it’s not pooled with other customers, even though we run it.
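The PII-masked logging described above, as an added example (not SMSKit's code): a Python structured-log formatter that masks phone numbers and message content before a record is serialised, so clear values never reach a handler, file or log shipper. The field names, the E.164-style number pattern and the `LOG_TOKEN_KEY` environment variable are assumptions; the sample event is constructed.

```python
import hmac
import json
import logging
import os
import re

# Field names treated as PII by name. The names are assumptions; the page lists
# only "phone numbers and message content" as the masked categories.
PHONE_FIELDS = {"to", "from", "recipient", "sender"}
CONTENT_FIELDS = {"body", "message", "text"}
# E.164-style number: '+' followed by 8 to 15 digits (assumed format).
PHONE_RE = re.compile(r"\+\d{8,15}")
# Server-side secret (assumed env var) used only to derive correlation tokens for
# message content. A keyed digest is used instead of a plain hash so that short,
# low-entropy messages (one-time codes, "yes"/"no" replies) cannot be recovered
# from the log by guessing and hashing candidates.
LOG_TOKEN_KEY = os.environ.get("LOG_TOKEN_KEY", "demo-only-key").encode()

def mask_phone(number: str) -> str:
    """Keep the first two and last two digits so support can match a customer report."""
    digits = number.lstrip("+")
    if len(digits) <= 4:
        return "+" + "*" * len(digits)
    return "+" + digits[:2] + "*" * (len(digits) - 4) + digits[-2:]

def mask_content(text: str) -> str:
    """Replace message content with its length and a keyed correlation token."""
    token = hmac.new(LOG_TOKEN_KEY, text.encode("utf-8"), "sha256").hexdigest()[:12]
    return f"[redacted len={len(text)} token={token}]"

def mask_text(text: str) -> str:
    """Sweep free text (error strings, provider responses) for stray phone numbers."""
    return PHONE_RE.sub(lambda m: mask_phone(m.group(0)), text)

def mask_record(record: dict) -> dict:
    """Return a copy of a structured log record with PII masked, recursing into nested dicts."""
    masked = {}
    for key, value in record.items():
        if isinstance(value, dict):
            masked[key] = mask_record(value)
        elif key in CONTENT_FIELDS and isinstance(value, str):
            masked[key] = mask_content(value)
        elif key in PHONE_FIELDS and isinstance(value, str):
            masked[key] = mask_phone(value)
        elif isinstance(value, str):
            masked[key] = mask_text(value)
        else:
            masked[key] = value
    return masked

class MaskingJsonFormatter(logging.Formatter):
    """Emit one JSON object per line. Masking happens inside format(), before
    serialisation, so the clear values never reach a handler, file or shipper."""
    def format(self, record: logging.LogRecord) -> str:
        payload = {"level": record.levelname, "logger": record.name,
                   "msg": mask_text(record.getMessage())}
        ctx = getattr(record, "ctx", None)  # structured fields passed via extra={"ctx": {...}}
        if isinstance(ctx, dict):
            payload.update(mask_record(ctx))
        return json.dumps(payload, sort_keys=True)

def format_event(msg: str, ctx: dict) -> str:
    """Format a single event exactly as the logger would (useful in tests)."""
    record = logging.LogRecord("sms", logging.INFO, __file__, 0, msg, None, None)
    record.ctx = ctx
    return MaskingJsonFormatter().format(record)

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(MaskingJsonFormatter())
    log = logging.getLogger("sms")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample event: a delivery failure carrying a number in the message
    # text, in a named field, and buried in a nested provider error string.
    log.info("delivery failed for +14155551234", extra={"ctx": {
        "to": "+14155551234", "body": "Your code is 482913",
        "provider": {"error": "unreachable: +14155551234"}}})
```

The free-text sweep matters as much as the named fields: numbers most often leak through exception messages and provider responses, not through the fields you remembered to mask.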
Access & keys
- Hashed API keys. Keys are stored as SHA-256 hashes, shown once, and independently rotatable (Key 1 / Key 2) for zero-downtime rotation.
- Passwordless login for the dashboard (email one-time code); recovery phone verified via Twilio Verify.
- Account-scoped everything. Every key, session, and device resolves to one account before any data is read — no cross-account access.
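The hashed, two-slot API key scheme described above, as an added example (not SMSKit's code): keys are 256-bit random values, only their SHA-256 digest is stored, the plaintext is returned exactly once, and Key 1 / Key 2 can be issued and revoked independently so clients switch over while both are valid. The `sk_` prefix and the in-memory `KeyStore` standing in for the tenant's database are assumptions.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

KEY_PREFIX = "sk_"  # assumed prefix so keys are recognisable in code; the page names none

def hash_key(raw: str) -> str:
    """SHA-256 of the key. No salt or slow KDF is needed because keys are 256-bit
    random values rather than user-chosen passwords: an attacker holding the
    digest table still cannot enumerate the key space offline."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

class KeyStore:
    """In-memory stand-in for one tenant's key table (constructed for this example).
    Only digests are persisted; `by_digest` is the index consulted on every request."""

    def __init__(self) -> None:
        self.slots: Dict[str, Dict[int, Optional[str]]] = {}
        self.by_digest: Dict[str, Tuple[str, int]] = {}

    def issue(self, account_id: str, slot: int) -> str:
        """Generate a key into slot 1 or 2, store only its digest, and return the
        plaintext exactly once. Re-issuing a slot invalidates the key it held."""
        if slot not in (1, 2):
            raise ValueError("slot must be 1 or 2")
        self.revoke(account_id, slot)
        raw = KEY_PREFIX + secrets.token_urlsafe(32)  # 256 bits of entropy
        digest = hash_key(raw)
        self.slots.setdefault(account_id, {1: None, 2: None})[slot] = digest
        self.by_digest[digest] = (account_id, slot)
        return raw

    def revoke(self, account_id: str, slot: int) -> None:
        """Drop a slot's digest so the key it held stops resolving immediately."""
        acct = self.slots.get(account_id)
        if acct and acct.get(slot):
            self.by_digest.pop(acct[slot], None)
            acct[slot] = None

    def authenticate(self, presented: str) -> Optional[Tuple[str, int]]:
        """Resolve a presented key to (account_id, slot), or None. The account
        returned here is the only one the request is allowed to touch."""
        return self.by_digest.get(hash_key(presented))

def rotate(store: KeyStore, account_id: str, old_slot: int) -> Tuple[str, int]:
    """Zero-downtime rotation: issue the other slot first so both keys work while
    clients switch; the caller revokes `old_slot` once nothing presents it."""
    new_slot = 2 if old_slot == 1 else 1
    return store.issue(account_id, new_slot), new_slot

if __name__ == "__main__":
    store = KeyStore()
    key1 = store.issue("acct_demo", 1)          # shown to the customer once
    print("key 1 resolves to", store.authenticate(key1))
    key2, slot = rotate(store, "acct_demo", 1)  # both keys valid from here
    print("key 2 in slot", slot, "resolves to", store.authenticate(key2))
    store.revoke("acct_demo", 1)                # after clients moved to key 2
    print("key 1 after revoke:", store.authenticate(key1))
```

Lookup is a dictionary hit on the digest rather than a scan with a comparison, which is the right shape for a database index as well; the plaintext key exists only in the request and in the one response that shows it.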
Hardening
- CSRF protection and security headers on the dashboard.
- Rate limiting per API key and IP.
- Health checks and Prometheus metrics so issues surface fast.
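The per-key and per-IP rate limiting listed above, as an added example (not SMSKit's code): a limiter that keeps two independent token buckets and admits a request only when both the caller's API key and its source IP have budget left. The bucket sizes, the injectable clock and the choice to index key buckets by digest are assumptions made for the example.

```python
import hashlib
import time
from typing import Callable, Dict, Tuple

class TokenBucket:
    """Classic token bucket: `capacity` requests of burst, refilled at `rate` per second."""
    def __init__(self, capacity: int, rate: float, now: float) -> None:
        self.capacity, self.rate = capacity, rate
        self.tokens, self.updated = float(capacity), now

    def refill(self, now: float) -> None:
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now

class DualRateLimiter:
    """Two limits checked on every request: one per API key (the tenant's quota) and
    one per client IP (so a single noisy source cannot burn a whole tenant's quota,
    and a flood from one address is capped regardless of which keys it presents).
    A request is admitted only when both buckets hold a token, and it consumes from both."""
    def __init__(self, key_limit: Tuple[int, float], ip_limit: Tuple[int, float],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.key_limit, self.ip_limit, self.clock = key_limit, ip_limit, clock
        self.key_buckets: Dict[str, TokenBucket] = {}
        self.ip_buckets: Dict[str, TokenBucket] = {}

    def _bucket(self, table: Dict[str, TokenBucket], ident: str,
                limit: Tuple[int, float], now: float) -> TokenBucket:
        bucket = table.get(ident)
        if bucket is None:
            bucket = table[ident] = TokenBucket(limit[0], limit[1], now)
        bucket.refill(now)
        return bucket

    def allow(self, api_key: str, ip: str) -> bool:
        now = self.clock()
        # Index by the key's digest so plaintext keys are not held in limiter state.
        key_id = hashlib.sha256(api_key.encode("utf-8")).hexdigest()
        key_bucket = self._bucket(self.key_buckets, key_id, self.key_limit, now)
        ip_bucket = self._bucket(self.ip_buckets, ip, self.ip_limit, now)
        # Check both before taking from either, so a rejected request costs nothing.
        if key_bucket.tokens < 1 or ip_bucket.tokens < 1:
            return False
        key_bucket.tokens -= 1
        ip_bucket.tokens -= 1
        return True

if __name__ == "__main__":
    # Constructed demo: 5 requests/s per key, 3 requests/s per IP.
    limiter = DualRateLimiter(key_limit=(5, 5.0), ip_limit=(3, 3.0))
    for i in range(6):
        print(i, limiter.allow("sk_demo", "10.0.0.1"))
```

Checking both buckets before debiting either keeps the two limits independent: a request refused by the IP limit does not also eat into the tenant's key quota.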
We don't use scare-words like "military-grade." We tell you exactly what we do — per-tenant isolation, masked logs, hashed keys — in plain terms you can hold us to.