Security & Trust

Your inbox contains sensitive information. We take that responsibility seriously with enterprise-grade security practices and transparent data handling.

Security Statement

Our commitment to protecting your data

We are committed to data privacy and integrity. Email PA only uses your email content to categorize messages and draft responses — never for any other purpose. Your data is never used to train AI models.

This page outlines our security practices and policies in detail, including how we identify and mitigate security risks, implement best practices, and continuously improve our security posture.

Security Checklist

Key security measures that protect your data every day

Email PA never sends emails

We draft email responses, but cannot send emails without you pressing the send button. You always remain in control.

Zero Data Retention with AI

We have a Zero Data Retention agreement with OpenAI. Your email data is never stored on their servers or used to train their models.

Bank-level encryption

All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Your email content is protected at every step.

Google-verified app

Email PA is a verified Google application, meeting Google's security requirements for accessing Gmail and Google Workspace.

Enterprise cloud infrastructure

Hosted on Heroku, a Salesforce company, benefiting from enterprise-grade security, SOC 2 compliance, and world-class infrastructure.

You own your data

Your data belongs to you. We can access it to provide the service, but you remain in control. Request deletion anytime.

Frequently Asked Questions

Common questions about Email PA's security and data handling

  • Principle of Least Privilege: Employees only have access to the necessary parts of the infrastructure required for their roles.
  • Encryption at Rest and in Transit: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Automatic Updates: Servers and containers automatically update to the latest versions shortly after they are available.
  • Clear Security Boundaries: Environments like production, staging, and development are kept separate.

We use the OpenAI API to enable AI features in Email PA. When you interact with these features, we share your email content with OpenAI, but only to provide you with the requested feature.

Your data is never used to train OpenAI's models or any other third-party provider.

We have a Zero Data Retention (ZDR) agreement with OpenAI, meaning your data is not stored on their servers after processing.

Email data: Email PA stores metadata and categorization information to provide the service. Email content is processed in real-time and not permanently stored beyond what's necessary for the service.

Account data: Your account information and preferences are stored securely in our encrypted database hosted on Heroku.

  • Principle of Least Privilege: Services and users are provided with only the minimum permissions needed to fulfill their responsibilities.
  • Access Control: We use strict access controls to limit who can access your data, including controls on third-party tools and code we use.
  • Multi-Factor Authentication: All Email PA employees are required to use multi-factor authentication.

You do. Email PA can access your email data to provide the service, but you remain in control of your data. All data can be exported or deleted at your request. When you close your account, we promptly delete your data from our systems.

  • Email Provider Delegation: User identification is delegated to Google, relying on OAuth2 for secure authorization.
  • No Password Storage: We never see or store your email password. Authentication is handled entirely by Google.
  • Session Security: All sessions are secured with industry-standard practices and automatically expire after periods of inactivity.

  • Security Audits: Email PA conducts annual security audits using third-party firms to identify potential cyber risks.
  • Dependency Monitoring: We continuously monitor our software dependencies for known vulnerabilities and apply patches promptly.
  • Infrastructure Security: Our Heroku infrastructure is covered by Salesforce's comprehensive security program and certifications.

All data is processed on Heroku, a Salesforce company, which provides enterprise-grade physical security including 24/7 monitoring, access controls, and comprehensive environmental protections. For more details, see Heroku Security.

Our Subprocessors

Third-party services that help us deliver Email PA securely

Heroku (Infrastructure): Cloud hosting by Salesforce. SOC 2 Type II certified.

OpenAI (AI): Email categorization and drafts. Zero Data Retention.

Stripe (Payments): Payment processing. PCI DSS Level 1.

Google (Email): Gmail API access via OAuth2.

Have security questions?

We're happy to discuss our security practices in more detail or answer any specific questions about how we protect your data.