Security
How InboxBridge handles your email, OAuth credentials, and personal data. For the legal version, see the Privacy Policy.
What we hold vs. what we don't
InboxBridge is a pass-through for email content. When your AI assistant searches or reads a message, we fetch it on demand from your email provider and return it directly to the AI client. We do not store message bodies, headers, or attachments on our servers. Nothing is cached, indexed, or written to disk beyond the duration of a single request.
What we do store is the minimum needed to make connections work:
- Your InboxBridge account (email address, display name, subscription tier)
- Your OAuth refresh tokens and IMAP passwords (encrypted at rest)
- Metadata about each connected email account (provider type, status, your custom label)
- API keys you generate for AI clients (so we can match incoming requests to your account)
- Audit-log rows of privacy-sensitive operations (connect, disconnect, delete, export)
Encryption at rest
OAuth refresh tokens and IMAP passwords are encrypted with AES-256-GCM before being written to the database. Each record is encrypted with its own initialization vector and authentication tag — even an attacker with a full copy of the database cannot decrypt one token's plaintext from another's.
The encryption key is held server-side and never exposed to client code. Database backups are encrypted as part of the production volume encryption.
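The per-record scheme described above, as an added example written for this page rather than InboxBridge's own code: each credential gets its own random nonce, and the owning record's identifier is bound as associated data so a ciphertext copied into another row does not decrypt. The key, record IDs and token value are constructed for the demo; in production the key is loaded from the server-side secret store the page mentions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte key (AES-256) for this example only. The real key
// stays server-side and is never embedded in source or shipped to clients.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// SealToken encrypts one credential under a fresh random 96-bit nonce and binds the
// owning record's identifier as associated data. Output layout: nonce || ciphertext || tag.
func SealToken(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and the 16-byte authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenToken reverses SealToken. Any change to the nonce, ciphertext, tag or record ID
// makes the tag check fail, so a sealed value moved to another row cannot be opened.
func OpenToken(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	token := []byte("refresh-token-constructed-for-demo")
	sealed, err := SealToken(demoKey, "account-42", token)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes (12 nonce + ciphertext + 16 tag)\n", len(token), len(sealed))
	if _, err := OpenToken(demoKey, "account-43", sealed); err != nil {
		fmt.Println("open under a different record id:", err)
	}
}
```

Sealing the same token twice yields two different blobs because the nonce is fresh each time, and flipping any byte of a blob, or presenting it with the wrong record ID, fails authentication before any plaintext is released.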
Encryption in transit
All traffic to and from inboxbridge.app is TLS-encrypted. HSTS with max-age=63072000; includeSubDomains; preload is enforced on every response. The Content Security Policy includes upgrade-insecure-requests so any stray http:// subresource auto-upgrades.
Multi-tenant data isolation
Every database table has a user_id column. Every query is scoped by it. There is no shared state across users — neither AI assistants nor the InboxBridge code itself can address an account that doesn’t belong to the authenticated user.
API keys, OAuth tokens, audit log entries, and search results all respect the same boundary. We treat tenant isolation as a primary code-review concern, not a side effect of the ORM.
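One way to make "every query is scoped by user_id" a mechanical review check rather than a convention, as an added example that is not InboxBridge's own tooling: a small lint that flags any statement touching a tenant table without a parameterised user_id predicate (or, for INSERT, without user_id in its column list). The table names are assumed for the example; the page does not publish InboxBridge's schema.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Tables that carry a user_id column. Names are assumed for this example.
var tenantTables = map[string]bool{
	"accounts": true, "api_keys": true, "audit_log": true, "oauth_tokens": true,
}

var (
	// Any table referenced after FROM / UPDATE / INTO / JOIN.
	tableRef = regexp.MustCompile(`(?i)\b(?:from|update|into|join)\s+([a-z_][a-z0-9_]*)`)
	// A parameterised predicate on user_id; a literal value is deliberately not accepted,
	// because a hard-coded id is a bug even when it happens to be the right one.
	scopePred = regexp.MustCompile(`(?i)\buser_id\s*=\s*(?:\$\d+|\?)`)
	// Column list of an INSERT, which must name user_id explicitly.
	insertCols = regexp.MustCompile(`(?i)\binsert\s+into\s+[a-z_][a-z0-9_]*\s*\(([^)]*)\)`)
)

func columnsInclude(list, col string) bool {
	for _, c := range strings.Split(list, ",") {
		if strings.EqualFold(strings.TrimSpace(c), col) {
			return true
		}
	}
	return false
}

// CheckTenantScope returns the tenant tables a statement touches without a user_id
// scope. Non-tenant tables (reference data) are ignored.
func CheckTenantScope(query string) []string {
	seen := map[string]bool{}
	var unscoped []string
	ins := insertCols.FindStringSubmatch(query)
	for _, m := range tableRef.FindAllStringSubmatch(query, -1) {
		table := strings.ToLower(m[1])
		if !tenantTables[table] || seen[table] {
			continue
		}
		seen[table] = true
		scoped := scopePred.MatchString(query)
		if ins != nil {
			scoped = columnsInclude(ins[1], "user_id")
		}
		if !scoped {
			unscoped = append(unscoped, table)
		}
	}
	return unscoped
}

func main() {
	for _, q := range []string{
		"SELECT id, label FROM accounts WHERE user_id = $1 AND id = $2",
		"DELETE FROM api_keys WHERE id = ?",
		"INSERT INTO audit_log (action, at) VALUES ($1, now())",
	} {
		fmt.Printf("%-62s unscoped=%v\n", q, CheckTenantScope(q))
	}
}
```

Run over the repository's query strings in CI, a non-empty result blocks the merge. It is a heuristic (it does not parse SQL, and a predicate inside a subquery would satisfy it), so it complements rather than replaces the human review the page describes.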
OAuth scope minimization
For Gmail, InboxBridge requests three scopes only:
- https://www.googleapis.com/auth/gmail.modify
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
No access to contacts, calendar, photos, files, location, or any Google product other than Gmail. Sign-in (the “Continue with Google” button) uses a separate consent flow with only openid + email + profile — no Gmail access until you explicitly connect a Gmail account.
For Outlook, we request Mail.ReadWrite, Mail.Send, and User.Read via Microsoft Graph — same shape, no broader access.
Google API Services User Data Policy — Limited Use
InboxBridge’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train ML models, run advertising, or transfer it to third parties for any purpose other than providing the user-facing features of InboxBridge.
Authentication
You sign in via magic link (one-time email token) or Google sign-in (non-sensitive scopes). Sessions are httpOnly cookies with Secure, SameSite=Lax, and a 30-day rolling expiry validated against the database on every request.
Magic-link delivery and authentication endpoints are rate-limited at 5 per hour per email and 20 per hour per IP. API surfaces are rate-limited per user/tier (Free 60/hr, Pro 600/hr, Team 3000/hr).
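The two magic-link limits above (5 per hour per email, 20 per hour per IP) as an added example, written for this page and not taken from InboxBridge: a sliding-window limiter applied to both keys, where a request must pass both. The ordering is a design choice worth noting: the per-IP budget is charged before the per-email check, so an attempt rejected for one address still counts against the sending IP.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// Limiter is a sliding-log limiter: it keeps the timestamps of recent attempts per key
// and allows a new one while fewer than limit fall inside the window.
type Limiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time
}

func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit: limit, window: window, hits: map[string][]time.Time{}}
}

// Allow records an attempt at now and reports whether it is within the limit.
// The clock is passed in so the behaviour is deterministic and testable.
func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	cutoff := now.Add(-l.window)
	kept := l.hits[key][:0] // drop attempts older than the window in place
	for _, t := range l.hits[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= l.limit {
		l.hits[key] = kept
		return false
	}
	l.hits[key] = append(kept, now)
	return true
}

// MagicLinkGate combines the per-email and per-IP limits from the page.
type MagicLinkGate struct {
	perEmail *Limiter
	perIP    *Limiter
}

func NewMagicLinkGate() *MagicLinkGate {
	return &MagicLinkGate{perEmail: NewLimiter(5, time.Hour), perIP: NewLimiter(20, time.Hour)}
}

// normalizeEmail keeps case and whitespace variants of one address in the same bucket.
func normalizeEmail(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// Allow charges the IP budget first, then the email budget; both must have room.
func (g *MagicLinkGate) Allow(email, ip string, now time.Time) bool {
	if !g.perIP.Allow(ip, now) {
		return false
	}
	return g.perEmail.Allow(normalizeEmail(email), now)
}

func main() {
	g := NewMagicLinkGate()
	now := time.Now()
	// Constructed sample: six requests for one address from one IP within a minute.
	for i := 1; i <= 6; i++ {
		ok := g.Allow("Alice@Example.com", "203.0.113.5", now.Add(time.Duration(i)*10*time.Second))
		fmt.Printf("attempt %d allowed=%v\n", i, ok)
	}
}
```

A real deployment would back the log with a shared store so the limit holds across instances, and would return the same generic response for rejected and accepted requests so the endpoint does not reveal which addresses are registered.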
Audit log
Privacy-sensitive operations write to an append-only audit log: account connect / disconnect, user delete, GDPR data export, whitelist requests + approvals, email send failures, and subscription tier changes. Deletion-event rows are retained as evidence of GDPR compliance even after the user’s other data is wiped.
Account deletion
You can delete your account at any time from /dashboard/settings. On deletion we:
- Revoke every stored Google OAuth refresh token with Google directly
- Wipe your user record, connected accounts, encrypted credentials, API keys, and OAuth state from the live database within 7 days
- Purge those records from rolling encrypted backups within 30 days
You can also download a complete copy of your data first at /api/user/export (JSON) — GDPR Article 20 / CCPA portability.
Sub-processors
See the dedicated Sub-processors page for the full list of third parties that process limited data on our behalf, what each does, and where they’re located.
Operational security
- Production runs on encrypted DigitalOcean volumes
- Encryption keys held in env (planned migration to a managed secrets manager)
- Dependency vulnerability scanning via Dependabot
- CASA Tier 2 security assessment in progress as part of Google verification
Reporting security issues
Found a vulnerability? Please email security@inboxbridge.app with as much detail as you can share. We aim to acknowledge within 48 hours and resolve within 30 days. We don’t currently run a paid bug bounty, but we will credit reporters in release notes if they prefer.