Production-grade security and operational hygiene
Telltide monitors whether your expected customer emails arrived correctly. This page describes what data we process to do that, how long we keep it, the controls available to you, and the operational posture we run the service on today.
Security-first product direction
Scoped to what you configure
Telltide only processes emails that land in the monitoring addresses you have configured for your account. It does not connect to, read from, or index your wider inbox or sending systems.
Workspace isolation
Each customer workspace is isolated. Monitor configurations, inbound message data and audit history are scoped to the workspace they belong to and are not shared across customers.
Product direction
We are building security into the foundation of the product from the start, not adding it later.
Authentication and identity
Telltide uses a dedicated identity and authentication platform for access control. Access to the Telltide application requires an authenticated account. We support secure sign-in flows and session management.
What Telltide does and doesn't collect
Telltide receives emails at monitoring addresses you configure. To check whether an expected send arrived on time, arrived only once, and matched what you expected, we store the message alongside a small amount of routing metadata.
What Telltide collects
- Inbound messages delivered to the monitoring addresses you configure, including sender, subject, timestamps, and body
- Sender authentication results (SPF, DKIM, DMARC) reported by our inbound infrastructure
- The account information you provide when signing up, such as name, email, company, and billing details
- Standard application logs needed to operate the service
What Telltide does not do
- Connect to your customers' inboxes or your sending systems
- Process email delivered to any address other than the monitoring addresses you configure
- Sell customer data, or share it with third parties for advertising or marketing
- Use your monitored email content to train third-party AI models
Optional AI-assisted content integrity
Some customer plans include an AI-assisted content integrity check. When enabled, the body of a monitored email is sent to a third-party language model provider to flag issues such as broken links, unresolved personalisation tokens (e.g. {{firstName}}), or visibly truncated content. Findings are surfaced in the Telltide app and in alerts.
Opt-in per monitor
Content checks run only on monitors where you have explicitly enabled them. They are off by default on every monitor you create.
Zero retention at the model provider
The model provider we use is configured for zero data retention. Prompts are not stored, logged, or used to train models. Only the email body is sent; no account or recipient information is included.
Disable at any time
Content checks can be disabled per monitor or account-wide at any time from your workspace settings. Disabling takes effect for subsequent emails immediately.
How long we keep data, and who helps us run Telltide
Retention windows
Monitored email content and delivery metadata are retained for up to 90 days by default, long enough to investigate incidents and trends. Account, incident, and audit records are retained for the life of your account. Extended retention is available on request for enterprise customers with specific compliance needs.
Deletion on request
You can delete stored emails for a monitor at any time from the app. Account closure triggers deletion of monitored email content within 30 days; account and billing records are retained as required by law.
Sub-processors
Telltide relies on a small number of third-party infrastructure providers for hosting, database, authentication, inbound and outbound email, billing, and (when enabled) AI content checks. The full sub-processor list is published with each provider's role, the data they process, and hosting region.
Working with your ESP
A Telltide monitoring address is an ordinary email address you add to a workflow in your sending platform. Every major ESP's Acceptable Use Policy hinges on express consent from the recipient, and a monitoring address owned by your account satisfies that test. The platforms Telltide sees most often from founding users are Klaviyo, Shopify Email, Mailchimp, Omnisend, HubSpot, Braze, Salesforce Marketing Cloud, Iterable, Customer.io, Postmark, SendGrid and Amazon SES. The same patterns apply to adjacent tools like ActiveCampaign, Constant Contact, Drip, Keap, MailerLite, Brevo, Marketo, Salesforce Pardot, Adobe Campaign, Mailgun, Mailjet and SparkPost. Six operational watch-outs are worth knowing before you add a monitoring address to any of them.
Seeds count as billed contacts on some platforms
Klaviyo, HubSpot, ActiveCampaign, Constant Contact, Drip, Keap, MailerLite and Brevo count every address in your audience toward the billed contact tier. One monitor adds one contact. Platforms that charge per send only, including SendGrid, Mailgun, Postmark, Amazon SES, Mailjet and SparkPost, are unaffected.
Consent documentation on demand
Brevo, Mailgun and Salesforce Marketing Cloud require per-address proof of opt-in on abuse escalation. Braze's Acceptable Use Policy is the strictest, requiring express rather than implied consent. Telltide provides a seed-consent record for every monitor you create, ready for an ESP compliance review.
Role-address restrictions
HubSpot, Constant Contact and Mailchimp block or flag role-based mailboxes like monitor@, alerts@ or info@. Telltide provisions individual-looking addresses per monitor so imports, suppression rules and opt-in flows behave the same as they do for a real recipient.
Inactivity suppression and list hygiene
Customer.io auto-suppresses addresses idle for two years. Mailchimp's Omnivore flags imports you have not contacted before. Klaviyo's engagement-based sending can deprioritise unengaged addresses. Seeds receive real workflow traffic, so day-to-day monitoring avoids this. Low-frequency flows such as quarterly statements or annual renewals may need periodic engagement to stay resident.
Engagement and deliverability
An unengaged seed can drag sender reputation. Telltide registers opens by fetching the tracking pixels in each captured email, and clicks by visiting safe links, so monitoring addresses behave like engaged recipients in your ESP analytics. Account-action URLs such as unsubscribe, password reset and magic links are never visited. Engagement is sampled to a fixed target per monitor per day, so a campaign sending a thousand times still contributes a small, representative slice rather than skewing your open rate.
Platforms with native seed support
Salesforce Marketing Cloud ships Partner Seed Lists out of the box. Iterable documents seed testing positively. Enterprise rollouts on Adobe Campaign and Marketo treat monitoring addresses as a standard QA primitive, so adding Telltide to an existing journey is a familiar pattern for the platform team.
What runs in production today
Independent monitoring is only useful if the monitor itself is reliable. These are the operational controls that ship with Telltide today, not a roadmap.
Health checks and cron observability
Every scheduled job that powers detection (window evaluation, behavioural-monitor pass, digest dispatch, retention) writes a structured run record. A health endpoint surfaces the freshness of every cron, and a watcher pages our operators if a critical job stops running.
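The freshness check described above, as an added example that is not Telltide's own code. The job names follow the paragraph; the intervals, the `critical` flags, the run-record fields and the 2x grace factor are assumptions, and the sample records are constructed.

```javascript
// Added example: cron freshness from structured run records (assumed shape:
// { job, status, finishedAt }). Intervals and criticality are assumptions.
const JOBS = {
  'window-evaluation':        { everyMs: 60_000,         critical: true  },
  'behavioural-monitor-pass': { everyMs: 5 * 60_000,     critical: true  },
  'digest-dispatch':          { everyMs: 24 * 3_600_000, critical: false },
  'retention':                { everyMs: 24 * 3_600_000, critical: false },
};
const GRACE = 2; // tolerate one missed run before a job counts as stale

function cronHealth(runRecords, nowMs) {
  // Track the newest *successful* run per job: a job that runs but fails is not fresh.
  const lastOk = {};
  for (const r of runRecords) {
    if (r.status !== 'ok' || !(r.job in JOBS)) continue;
    const t = Date.parse(r.finishedAt);
    // Ignore unparseable or future-dated records so clock skew cannot mask an outage.
    if (Number.isNaN(t) || t > nowMs) continue;
    if (t > (lastOk[r.job] ?? -Infinity)) lastOk[r.job] = t;
  }
  const jobs = Object.entries(JOBS).map(([job, cfg]) => {
    const ageMs = job in lastOk ? nowMs - lastOk[job] : null; // null: never succeeded
    const stale = ageMs === null || ageMs > cfg.everyMs * GRACE;
    return { job, ageMs, stale, critical: cfg.critical };
  });
  // Only stale critical jobs page an operator; other staleness degrades the status.
  const page = jobs.filter((j) => j.stale && j.critical).map((j) => j.job);
  const status = page.length ? 'fail' : jobs.some((j) => j.stale) ? 'degraded' : 'ok';
  return { status, page, jobs };
}

// Constructed sample: the behavioural pass last succeeded 20 minutes ago and has
// failed since; retention has never written a successful record.
const NOW = Date.parse('2025-01-01T12:00:00Z');
const SAMPLE = [
  { job: 'window-evaluation',        status: 'ok',    finishedAt: '2025-01-01T11:59:30Z' },
  { job: 'behavioural-monitor-pass', status: 'ok',    finishedAt: '2025-01-01T11:40:00Z' },
  { job: 'behavioural-monitor-pass', status: 'error', finishedAt: '2025-01-01T11:58:00Z' },
  { job: 'digest-dispatch',          status: 'ok',    finishedAt: '2024-12-31T09:00:00Z' },
];

const report = cronHealth(SAMPLE, NOW);
console.log(report.status, report.page);
```

A health endpoint would return `status` and the per-job ages, while the watcher alerts on a non-empty `page` list.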
Rate limiting on public surfaces
Public webhook receivers, the data export endpoint and the health surface are rate-limited at the edge to keep the system resilient under load and spray-and-pray probing.
Environment validation at boot
Every required environment variable is type-checked and validated at startup. Misconfigured deploys fail loud, not silent.
Error and exception monitoring
Application errors are reported to Sentry with workspace and request context attached. We see and triage failures before customers report them.
GDPR data export
Every account holder can export the data Telltide holds about them and their workspace from the in-app account page, no support ticket required.
Workspace and account deletion
Workspace owners can delete a workspace, including all monitors, inbound message data and audit history, from the app. Account deletion is supported end-to-end and fans out to billing and identity providers.
Notification preferences per recipient
Every alert and digest email carries a per-recipient management URL. Recipients can opt out without contacting their workspace admin, and their preference is honoured by every dispatch path.
Audit log
Sensitive actions (workspace deletion, member changes, monitor changes) are recorded in a workspace audit log. Retention is 30 days on Growth and 180 days on Business.
Production deployment posture
Telltide is in production. Authentication is handled by Clerk, billing by Stripe, infrastructure on Cloudflare and Vercel, database on Neon, error monitoring through Sentry. Every component in the stack is industry-standard for B2B SaaS at this scale. Formal SOC 2 attestation is scoped for the Enterprise tier and is available on request. For procurement-required compliance documentation, including DPAs and security questionnaires, contact us via the demo form or directly at security@telltide.io.
For security or procurement questions, including our Data Processing Addendum or specific data-handling questions, email security@telltide.io. The current sub-processor list is public.