We handle your business emails with the same care you would. Here is exactly how we protect your data.
We connect to Gmail and Outlook using OAuth 2.0 tokens with read-only permissions. We never see, store, or ask for your email password.
Email body content is permanently removed immediately after AI classification. Only metadata (sender, subject) and the classification result are retained.
All connections use TLS 1.2+. Database storage is encrypted with AES-256 at rest. OAuth tokens are additionally encrypted at the application level using AES-256-GCM before storage.
Row-Level Security (RLS) on every database table ensures no customer can ever access another customer's data. Enforced at the database level.
You control how long we keep your data. Default is 30 days. Delete your account anytime and all data is permanently purged within 7 days.
Classification is powered by Claude (Anthropic) with zero data retention on their API. Your emails are never used to train AI models.
Every third-party service that touches your data, listed with their security certifications.
| Vendor | Purpose | Data Access | Certifications |
|---|---|---|---|
| Supabase | Database | All stored data | SOC 2, HIPAA |
| DigitalOcean | Server hosting | Data in transit | SOC 2, ISO 27001 |
| Anthropic | AI classification | Email content (transient) | SOC 2, Zero retention |
| Twilio | WhatsApp alerts | Phone numbers, alert text | SOC 2, ISO 27001 |
| Stripe | Billing | Payment info | PCI DSS L1, SOC 2 |
| Cloudflare | DNS + CDN | Routing metadata | SOC 2, ISO 27001 |
| Resend | Email delivery | Email addresses | SOC 2 |
Enterprise prospects and customers can self-serve.
DPA v2.0 - EU GDPR, UK GDPR, UAE PDPL, CCPA (Download PDF)
Access controls, encryption, vendor assessments (Download PDF)
Severity levels, escalation matrix, notification timelines (Download PDF)
AI classification risk assessment for all launch markets (Request via Email)

Active: Privacy Policy, Terms of Service, Data Processing Agreement, configurable data retention, content masking, right to deletion.
Active: TLS encryption, AES-256 at rest, OAuth 2.0, Row-Level Security, automated backups, Sentry monitoring.
Target Q3 2026: Cloud Application Security Assessment for Gmail API verification. Third-party security audit via authorized lab.
Target Q1 2027: Independent audit of security controls by a certified CPA firm. Point-in-time assessment.
Target Q3 2027: Extended audit demonstrating operational effectiveness over 3-12 months.
Target 2028: International information security management certification for global enterprise readiness.

We're happy to discuss our security practices, provide policies, or answer vendor security questionnaires.