Security

All traffic between your browser, our backend, and our subprocessors is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 via our cloud providers' default managed encryption (Microsoft Azure and Supabase Postgres).

User-scoped data lives in Supabase Postgres behind row-level security (RLS). Every user table enforces auth.uid() = user_id policies so one authenticated user cannot read another user\'s records, even in the event of a backend bug. Application secrets are stored in Azure managed secret stores and rotated on role changes.

Multi-factor authentication is required on every operator account with access to production infrastructure, including Azure, Supabase, Stripe, and GitHub. Administrative access is granted on a least- privilege basis and reviewed periodically.

PureBox requests the minimum Gmail API scopes needed to deliver the service. You can revoke access at any time from your Google Account security page or from the PureBox account page. Mailbox actions (labels, archive, trash) are only performed in response to your explicit review and approval.

Structured application logs are captured with redaction of sensitive fields. User-facing mailbox writes are recorded in an activity log so you can audit changes from the app.

If you believe you\'ve found a security issue, please email support@pureboxai.com. We ask that you give us a reasonable window to investigate and remediate before public disclosure. We do not currently run a paid bounty program, but we recognize good-faith researchers in release notes on request.

We maintain an incident response process that includes triage, containment, customer notification, and post-incident review. In the event of a confirmed incident affecting customer data, we will notify affected customers without undue delay consistent with our DPA and applicable law. See the Data Processing Addendum for the contractual commitment.