Security & Retention

Last updated: May 12, 2026

Security Overview

WebhookBase uses administrative, technical, and organizational measures designed to protect customer and account data. These may include encryption in transit, access controls, logging, secrets handling, authentication controls, infrastructure monitoring, and role-based access restrictions where applicable.

Webhook delivery payloads, request headers, and query strings are encrypted at rest. Access to customer data is limited to what is reasonably necessary to provide, secure, support, and maintain the Service.

Infrastructure is currently expected to include Hetzner hosting in Frankfurt, Neon Postgres, Cloudflare services, and other providers listed on the Subprocessors page. Actual vendor regions may vary by provider configuration and service needs.

WebhookBase may use internal operational tooling for logging, monitoring, infrastructure management, deployment, and incident response. These tools are protected through access controls and administrative safeguards.

No service can guarantee absolute security, and customers remain responsible for secure configuration of their own endpoints, agents, credentials, replay destinations, and local environments.

Retention

Data retention may vary depending on plan, customer settings, system design, support requirements, abuse prevention, backups, and legal obligations.

Webhook deliveries, logs, attempt records, replayable content, and related metadata may be deleted after plan-specific retention windows, cancellation, downgrade, or expiration.

Current delivery retention limits are 3 days on Free, 30 days on Pro, 60 days on Team, and custom by agreement for Enterprise. Attempt records, payload bodies, replayable content, and related metadata may follow the same or shorter retention windows. Backups and security logs may be retained for a limited additional period for restoration, audit, abuse prevention, legal, or operational purposes.

Regulated Data

The Service is not intended for protected health information under HIPAA, payment card data subject to PCI DSS, regulated production secrets, or other highly regulated data unless we have separately agreed in writing and appropriate safeguards are in place.

AI Explain

When a customer uses AI Explain, WebhookBase may send selected delivery metadata, request body excerpts, headers, and recent attempt information to OpenAI to generate debugging guidance. Customers should avoid sending secrets, production credentials, or unnecessary personal data in webhook payloads when using this feature.

AI Explain is intended to help identify likely delivery, forwarding, replay, or payload issues. Generated explanations should be reviewed by the customer and should not be treated as a security audit or production incident report.

Incident Response

We maintain internal processes designed to identify, assess, and respond to security incidents. Where required by law or contract, we may notify affected customers of confirmed incidents involving personal data or material service impact.

Vulnerability Reports

Security reports may be sent to [email protected]. Reports should include enough detail to reproduce the issue. Do not access, modify, delete, exfiltrate, or disclose another user's data while testing.