Security & Trust

Built for sensitive inbox data

Inboxer is designed around user approval, OAuth-based access, encrypted token storage, and clear controls for disconnecting accounts. This page is the single source of truth for our current posture and the certifications we’re pursuing.

Technical & organisational measures

OAuth-only access

Mailboxes and calendars are accessed via the provider's OAuth flow under the scopes the user approves. Inboxer never sees a password.

Encryption

TLS in transit. Database encryption at rest (managed Postgres). OAuth tokens are encrypted at the application layer with AES-256-GCM before storage.

Approval-first AI

AI suggestions never leave your account without explicit human approval. Drafts queue for review; classifications are overridable.

Audit visibility

Connection changes, draft approvals, AI actions, and admin events are recorded in a structured audit log scoped to the workspace.

User data control

Self-serve export and deletion at /settings/data. Deletion enters a 30-day grace period; full erasure on day 31.

Compliance programmes

We don’t claim certifications we don’t hold. This list is kept current; targeted dates are best-effort, not commitments.

GDPR

Live

Public DPA, sub-processor list, in-app DSAR tooling, region-pinned EU analytics.

AI sub-processor no-training contracts

Live

OpenAI and Anthropic accessed under API / Commercial Terms — customer content is not used to train models.

OpenAI Zero Data Retention (ZDR)

In progress

Application submitted; awaiting approval. Removes the default 30-day retention window on prompts.

Google CASA Tier 2 verification

In progress

Required for Gmail restricted scopes at scale.

SOC 2 Type I

Planned

Targeted within the next two quarters. Controls in build-out with a GRC platform.

SOC 2 Type II

Planned

Follows Type I after a 6-12 month observation window.

ISO 27001

Planned

Targeted alongside SOC 2 for EU enterprise procurement.

Sub-processors

We share data with the 9 sub-processors below, each bound by a DPA under Art. 28 GDPR. The full table with data categories and transfer mechanisms is on Privacy; the machine-readable feed for procurement automation is at /api/v1/sub-processors.

  • Clerk: Authentication, session management, organisation membership.
  • Stripe: Billing, subscription management, payment processing.
  • OpenAI: AI classification, drafting, summarisation, embeddings.
  • Anthropic: AI classification, drafting, summarisation.
  • Recall.ai: Meeting bot ingest of transcripts.
  • Inngest: Background job orchestration. Event payloads carry only IDs.
  • PostHog: Product analytics, in-app event tracking.
  • Google (Gmail, Calendar): Mailbox and calendar access via OAuth, at user direction.
  • Microsoft (Graph, Outlook, Microsoft 365): Mailbox and calendar access via OAuth, at user direction.

Responsible disclosure

If you believe you’ve found a security issue, please report it privately to security@inboxer.so. We commit to acknowledge within 2 business days, work with you on a coordinated fix, and credit you publicly once the issue is resolved (unless you prefer to remain anonymous). Please do not test against other users’ data, attempt social engineering of our staff, or run scanners against production beyond what’s necessary to reproduce the issue.

Documents