InboxWatch processes email metadata for security analysis. Here's exactly how we protect your data.
We never see email content. Our 12-stage pipeline analyzes only metadata (headers, rules, settings, sign-in logs) through AI-powered classification.
Multiple layers of protection for your data at every stage.
TLS 1.2+ for all connections between your browser, our servers, and third-party APIs.
AES-256-GCM encryption for OAuth tokens. PostgreSQL with encrypted connections.
Role-based access with audit logging for all security-relevant actions.
US-based PostgreSQL (Neon), Vercel Edge Network. No self-hosted servers.
Industry-standard authentication with defense-in-depth session management.
Our security practices align with leading industry frameworks.
Data minimization, right to deletion, data portability. We collect only metadata necessary for security analysis.
Access controls, encryption, audit logging, continuous monitoring. Architecture follows SOC 2 Trust Services Criteria principles.
Metadata-only access and encrypted storage support healthcare security requirements. Contact us for details.
Protected against injection, XSS, CSRF, broken authentication. Parameterized queries via Prisma ORM.
We retain data only as long as necessary and automatically purge expired records.
| Data Type | Retention | Deletion |
|---|---|---|
| Scan results | 14 days | Auto-purged |
| AI analysis | 14 days | Auto-purged |
| Audit logs | 90 days | Auto-purged |
| Account data | Until deletion | On request |
| OAuth tokens | Until revoked | Immediate on disconnect |
Defined processes for handling security events and vulnerability reports.
All security reports acknowledged within 24 hours of receipt.
We follow responsible disclosure and will coordinate fixes before public disclosure.
Our team is available to discuss security requirements, complete vendor questionnaires, or provide additional documentation for your compliance review.