unblot← Back to home

Security overview

Last updated: 3 June 2026

We take the security of your data — and your contacts' data — seriously. This overview summarises the main measures we use. It is a plain-language summary, not a warranty.

Authentication & access

  • We connect to Klaviyo via Klaviyo's official OAuth 2.0 (PKCE) — we never see or store your Klaviyo password, and you can revoke access from Klaviyo at any time.
  • Your Klaviyo access tokens are encrypted at rest using AWS KMS and are only decrypted at the moment they're needed to call Klaviyo.
  • App sign-in is handled by Clerk; we never store your password.
  • Internal access follows least-privilege principles.

Data protection

  • All traffic is encrypted in transit (TLS).
  • Data is stored in Amazon Web Services (Sydney, ap-southeast-2) and encrypted at rest.
  • We request only the Klaviyo scopes we need, and read only the data required to score engagement and perform the suppressions you direct.

Payments

Payments are processed by Stripe. We do not store your full card details; card data is handled by Stripe under its PCI-DSS compliance.

Reporting a vulnerability

If you believe you've found a security issue, please email support@unblot.com and we'll respond promptly. Please give us reasonable time to investigate and fix before any public disclosure.