Security
Last updated: July 11, 2026
Deadweight is designed so that an audit and a suppression are different authorization events. The service fails closed when identity, scope, metric, count, payment, or job evidence cannot be verified.
Access and authentication
- Passwords are stored as adaptive password hashes, not plaintext.
- Sessions use random server-side tokens, secure cookies in production, SameSite protection, expiration, and revocation.
- Magic-link and OAuth state tokens are random, short-lived, single-use, and stored as hashes where applicable.
- Workspace-scoped routes check the authenticated owner before returning or changing data.
Klaviyo OAuth
- The initial authorization requests account, metric, and segment access. Segment write is required to create or update the review segment.
- Profile, list, and subscription access needed for cleanup is requested in a second OAuth consent.
- OAuth uses Authorization Code with PKCE and a short-lived state bound to the signed-in user and, for upgrades, the workspace.
- Access and refresh tokens are encrypted at rest with a dedicated encryption key.
- Disconnect and deletion attempt remote revocation and always remove local tokens.
Controlled cleanup
- A recent completed audit records the recipe version, definition hash, candidate count, a non-reversible membership digest, and approval expiration.
- A paid one-time capability, full required scopes, and the exact typed phrase are required.
- The current segment membership must match both the approved candidate count and membership digest.
- Members are copied to an immutable static list inside the merchant's Klaviyo account.
- Suppression runs against that list, and the remote job ID is saved before polling.
- Total, completed, and skipped counts determine complete, partial, or failed state.
- The processed billable count is checked separately. Rollback uses the same saved list.
Application and infrastructure
- SQLite transactions, unique idempotency keys, and durable job state prevent duplicate local transitions and duplicate remote submissions.
- Rate limiting exists at both the application and reverse-proxy layers.
- Security headers, HTTPS, restricted CORS, redacted structured logs, and request-size limits reduce common web risks.
- Encrypted backups are access-restricted, checksummed, rotated, and tested through scheduled service jobs.
- The private lead workspace at
/q/is separately authenticated and marked noindex.
Data minimization
Deadweight stores aggregate counts, object identifiers, state transitions, and approval evidence. It does not persist a raw subscriber email export. The temporary rollback list remains in the merchant's Klaviyo account and is targeted for deletion after seven days.
Limitations and reporting
No certification or formal compliance attestation is claimed on this page. Security depends partly on the merchant's account security and the connected providers. To report a vulnerability, email hello@deadweight.email with steps to reproduce. Do not access another customer's data or disrupt production.