Security & Privacy by Design

Clear Security Boundaries. No Hidden Data Grab.

Signal is built on a non-custodial model. Your CRM and mailbox stay your systems of record. OAuth tokens are encrypted with AES-256 GCM. Access is limited to the minimum required to run the workflow.

Non-custodial model
AES-256 GCM encryption
Minimum-required access
Built for visibility
Principle

The Core Principle

Non-custodial by design. Your data stays in the systems you already control.

Your data stays in your systems

Signal does not replicate, warehouse, or retain your CRM records, mailbox data, or contact graph. Your existing tools remain the single source of truth.

Non-custodial is a product posture

Non-custodial is not a security setting. It is a design decision that shapes what Signal stores, what it accesses, and how it operates within your stack.

Clear boundaries create trust

When the boundaries between your data and a vendor's reach are unambiguous, security review becomes faster and trust is easier to build.

Practice

What Non-Custodial Means in Practice

Signal operates as a workflow layer — not a second CRM or a shadow mailbox.

Signal is a workflow layer

Signal connects to your tools to discover, qualify, and sync journalist records. It does not become a second CRM or a shadow mailbox.

Your systems stay in control

Your CRM owns the contact graph. Your mailbox owns the message history. Signal runs a defined job and hands the result back to your systems.

Access supports a specific job

Every permission Signal requests is tied to a specific workflow step — discovery, sync, or outreach — not broad platform access.

OAuth

How Signal Handles OAuth Access

Authorized connections with encrypted token storage — not vague security promises.

OAuth for authorized connections

Signal uses OAuth to connect to your CRM and mailbox. OAuth lets you grant specific, revocable permissions without sharing your passwords.

Token handling matters

OAuth tokens are credentials. How they are stored and protected determines the real security of the connection — not just whether OAuth was used.

AES-256 GCM protection

Signal encrypts all stored OAuth tokens with AES-256 GCM — authenticated encryption that provides both confidentiality and integrity protection.

Encryption

Why AES-256 GCM Matters

Specific, auditable encryption — not marketing language.

Specific controls beat generic claims

Saying 'enterprise-grade encryption' tells a buyer nothing. Naming the cipher (AES-256), the mode (GCM), and the use case (OAuth token storage) gives reviewers something they can actually evaluate.

Tokens require strong protection

OAuth tokens grant authorized access to third-party systems. Weak token storage can expose the very accounts OAuth was designed to protect.

Clarity improves trust review

When buyers or security teams can see the specific encryption model, they can compare it against their own standards and make faster procurement decisions.

Access

What Minimum-Required Access Means

Narrow scope. Less exposure. Cleaner trust.

Access needed to do the work

Signal requests only the permissions required to execute the workflow — reading contacts for sync, sending messages for outreach, and nothing beyond that.

Narrower scope reduces exposure

Every additional permission is a potential surface area. Limiting scope to the minimum means less risk if a token is ever compromised.

Better scope creates cleaner trust

When buyers see a narrow permission list, the trust conversation shifts from 'what could go wrong' to 'this is well-scoped.'

Security Model

How the Security Model Works

Four steps that define how Signal connects, protects, scopes, and defers to your systems of record.

01

Connect via OAuth

You authorize Signal to connect to your CRM and mailbox through standard OAuth flows. No passwords are shared or stored.

02

Encrypt tokens

All OAuth tokens are encrypted with AES-256 GCM before storage — authenticated encryption that protects both confidentiality and integrity.

03

Limit scope

Permissions are scoped to the minimum required for each workflow step. No broad platform access, no unnecessary data reads.

04

Keep systems of record

Your CRM and mailbox remain your systems of record. Signal operates as a workflow layer — it does not replicate or warehouse your data.

Bottom Line

Security should be legible. Signal names the cipher, the mode, and the scope of access. When a vendor makes its security model easy to read, review goes faster and trust is cleaner.

Constrained access over hidden accumulation. Signal does not quietly expand its reach into your systems. It asks for the minimum it needs, encrypts what it stores, and keeps your tools as the systems of record.

See how Signal fits into your stack

See how Signal fits into your stack without taking control of it.