Security & Trust

Your data is yours. Always.

SwarmCherry was built by business owners who know what it feels like to trust a platform with everything. Here is exactly how we protect what you've built.

🔐
Encryption in Transit

Every connection to SwarmCherry — whether from your browser, your phone, or our API — is encrypted with TLS 1.3, the strongest transport layer standard available today. We enforce certificate pinning on our mobile clients to prevent man-in-the-middle attacks, and all HTTP traffic is permanently redirected to HTTPS with HSTS headers in place.

🛡️
Encryption at Rest

All data stored in SwarmCherry — your contacts, campaigns, messages, and files — is encrypted at rest using AES-256, the same standard used by banks and government agencies worldwide. Encryption keys are rotated quarterly on a strict schedule, and old keys are securely archived so your historical data remains both accessible and protected.

🔑
Access Control

SwarmCherry uses role-based permissions so every team member sees only what they need to see. Admins, operators, and read-only users each have fully isolated permission sets. Every single action taken inside your account — from sending a campaign to deleting a contact — is recorded in a tamper-evident audit log with timestamps and user attribution.

⚙️
API Security

API keys are scoped to the minimum permission level required — you choose exactly what each key can and cannot do at the time of creation. Any key can be revoked instantly from your dashboard with no grace period, cutting off access in real time. Keys are never shared across sub-accounts, ensuring your agency clients remain completely isolated from one another.

🗂️
Data Isolation

Each account's data is logically isolated at the database level. No cross-account data access is possible by design — not through the UI, not through the API, and not through any internal tooling. Our architecture enforces tenant boundaries as a first-class constraint, not an afterthought. Agency sub-accounts are isolated from each other and from the parent account unless explicitly shared.

🚦
Rate Limiting & Abuse Prevention

All API endpoints are rate-limited at both the account and IP level to prevent abuse and protect platform stability for every user. Authentication endpoints have dedicated brute-force protection with exponential backoff. Accounts showing suspicious login patterns — unusual geographies, rapid failed attempts, credential stuffing signatures — are automatically locked and owners are immediately notified.

🇪🇺
GDPR & Privacy by Default

SwarmCherry does not sell your data. We do not build advertising profiles. We do not share your business data with third parties for any purpose other than delivering the service you pay for. You own your data in full and can export it in a machine-readable format or permanently delete your account and all associated data at any time — no hoops, no waiting period.

🏗️
Infrastructure Security

Our production infrastructure runs on hardened VPS instances with fail2ban intrusion prevention and UFW firewall rules that block all unnecessary inbound traffic. We conduct regular internal security audits and review our dependency stack for known CVEs on a monthly basis. All database backups are encrypted at rest using the same AES-256 standard as live data, and backup integrity is verified automatically after every snapshot.

Responsible Disclosure
Found a vulnerability? We want to know.

If you discover a security vulnerability in SwarmCherry, please report it directly to security@swarmcherry.com. We take every report seriously — no matter how small — and will respond within 48 hours to acknowledge your submission and outline next steps. We are committed to responsible disclosure practices: we ask that you give us reasonable time to investigate and remediate before publishing details publicly. Researchers who report valid, previously unknown vulnerabilities will be publicly credited on our security acknowledgements page, and we are happy to discuss bounty arrangements for significant findings on a case-by-case basis.