Trust

Security & reliability in plain terms.

This is a technical overview, not a certification pack. Pair it with the privacy policy and your own review process.

Infrastructure

The marketing site and API routes run on Vercel over HTTPS. Primary application data for signed-in users is stored in Postgres (hosted on Neon or equivalent per your deployment). Access to production credentials is operator-controlled — follow least privilege on your Vercel and database projects.

Encryption at rest and in transit: Data we persist in Postgres — including web sign-in session records (Auth.js session tokens and related rows) and operational metadata — is stored on volumes that Neon encrypts at rest as part of their managed service. Connections from our application to the database use TLS. Raw LinkedIn cookie values are not written to our Postgres; cookie sync history stores a one-way hash so we can detect changes without keeping the live session material on disk in Listful's database.

Extension & session model

The extension executes LinkedIn fetches in your browser using the cookies already present for linkedin.com. Session material may be relayed to Listful's backend and enrichment partner only after you accept the in-extension consent. Background sync uses Chrome alarms on an approximate six-hour cadence.

Full cookie names and purposes are enumerated in /privacy.

What we optimize for

  • Read-only positioning — no automated messaging or connection requests from Listful.
  • Jittered requests and conservative pacing when walking LinkedIn’s APIs — LinkedIn use still carries inherent account risk.
  • Webhook payloads signed with HMAC when configured; verify signatures on your receiver before trusting ingress.
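
A receiver-side signature check for the webhook point above, as an added example that is not Listful's own code. The page does not state the signing scheme, so this assumes HMAC-SHA256 over the raw request body with the signature delivered as a hex string; the function names, secrets and sample payload are constructed for illustration.

```python
import hashlib
import hmac
from typing import Iterable, Optional

DIGEST_SIZE = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side of the assumed scheme: hex HMAC-SHA256 of the raw body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature: Optional[str],
                   secrets: Iterable[bytes]) -> bool:
    """Return True only if the signature matches one configured secret.

    Call this on the raw bytes as received, before any JSON parsing:
    re-serialising the payload can change the bytes and break the MAC.
    """
    if not signature:
        return False  # unsigned delivery: reject, never fall through
    try:
        received = bytes.fromhex(signature.strip())
    except ValueError:
        return False  # not hex
    if len(received) != DIGEST_SIZE:
        return False  # truncated or padded value
    valid = False
    for secret in secrets:  # current secret plus the previous one during rotation
        expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
        # compare_digest runs in constant time, so a mismatch does not
        # reveal how many leading bytes were correct.
        valid |= hmac.compare_digest(expected, received)
    return valid


# Constructed sample values, not real Listful secrets or payloads.
SECRET = b"constructed-secret-current"
OLD_SECRET = b"constructed-secret-previous"
BODY = b'{"event":"example","id":"constructed-1"}'

if __name__ == "__main__":
    good = sign(SECRET, BODY)
    print("valid:", verify_webhook(BODY, good, [SECRET, OLD_SECRET]))
    print("tampered body:", verify_webhook(BODY + b" ", good, [SECRET]))
    print("missing signature:", verify_webhook(BODY, None, [SECRET]))
```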

Reporting

Suspected vulnerability or abuse? Email support@listful.so with reproduction steps and prefix the subject with [security].