Security & Trust
InboxWatch processes email metadata for security analysis. Here's exactly how we protect your data.
Security Architecture
We never see email content. We access only metadata: headers, rules, settings, and sign-in logs.
Data Flow
What We Access
- Email headers (From, To, Date)
- Forwarding rules
- OAuth app permissions
- Sign-in activity logs
- Mailbox settings
- DKIM/SPF/DMARC records
What We Never Access
- Email body/content
- Attachments
- Contacts
- Calendar content (only metadata)
- Passwords
- Drive file content
Encryption & Data Protection
Multiple layers of protection for your data at every stage.
In Transit
TLS 1.2+ for all connections between your browser, our servers, and third-party APIs.
At Rest
AES-256-GCM encryption for OAuth tokens. PostgreSQL with encrypted connections.
Access Control
Role-based access with audit logging for all security-relevant actions.
Infrastructure
US-based PostgreSQL (Neon), Vercel Edge Network. No self-hosted servers.
Authentication & Authorization
Industry-standard authentication with defense-in-depth session management.
Security Controls
- OAuth 2.0 with official Google and Microsoft libraries
- JWT sessions with 48-hour expiry
- CSRF protection with __Host- prefix cookies
- Content Security Policy with per-request nonces
- Rate limiting on all endpoints
Compliance & Standards
Our security practices align with leading industry frameworks.
GDPR
Data minimization, right to deletion, data portability. We collect only metadata necessary for security analysis.
Trust Services Criteria
Access controls, encryption, audit logging, continuous monitoring. Architecture follows SOC 2 Trust Services Criteria principles.
Healthcare Ready
Metadata-only access and encrypted storage support healthcare security requirements. Contact us for details.
OWASP Top 10
Protected against injection, XSS, CSRF, and broken authentication. Parameterized queries via Prisma ORM.
Data Retention
We retain data only as long as necessary and automatically purge expired records.
| Data Type | Retention | Deletion |
|---|---|---|
| Scan results | 14 days | Auto-purged |
| AI analysis | 14 days | Auto-purged |
| Audit logs | 90 days | Auto-purged |
| Account data | Until deletion | On request |
| OAuth tokens | Until revoked | Immediate on disconnect |
Incident Response
Defined processes for handling security events and vulnerability reports.
24-Hour Acknowledgment
All security reports acknowledged within 24 hours of receipt.
Responsible Disclosure
We follow responsible disclosure and will coordinate fixes before public disclosure.
Third-Party Services
We share data only with the following services, strictly for operating InboxWatch.
| Service | Purpose | Data Shared |
|---|---|---|
| Neon (PostgreSQL) | Database | Encrypted scan data |
| Vercel | Hosting | Request routing |
| Stripe | Billing | Email, plan info |
| Resend | Notification emails | |
| Pusher | Real-time | WebSocket events |
Have security questions?
Our team is available to discuss security requirements, complete vendor questionnaires, or provide additional documentation for your compliance review.