As an application dealing with email, we recognize the importance of great security practices.
We've passed a CASA Tier 2 Security Certification on 6th Oct 2023 with no outstanding security issues. This certification is required to access Gmail data. It has to be completed annually and is overseen by Google, and we're commited to maintaining it consistently.
User authentication is handled by your email provider (Google) via OAuth2 protocol, Inbox Airlock does not have access nor store user's login credentials to their Google account, other than temporary Google API access tokens necessary to provide the service.
Access to Inbox Airlock organisation is controlled via Google OAuth2 and access configuration by the your account organisation admin.
When configuring Airlock for your inbox, you will be asked for access to parts of your Gmail account. Airlock will only request access to the following scopes:
Application code and database are hosted on Render , which is a SOC 2 Type 2 compliant Platform as a Service provider.
In the databse, all personally identifiable information is encrypted at rest using AES 256 GCM encryption algorithm.
Logs are retained for 31 days, after which they are permanently deleted.
All our income is from our user subscirbtions and we do not and will not make any money from user data. We collect some usage information that we can use to improve our services and guide the direction of the product, as well as help our users in their support queries. We track actions like:
Users are identified in our system by their email address and a link to their Google user account profile. We don't attempt to collect any demographic information, and don't log IP addresses on incoming connections.
Airlock currently does not scan your email contents and does not cache nor persist any of the email headers or contents on our servers, except for anonimysed technical data for debugging server errors.
Airlock may cache hashed and salted digests of your contacts' email addresses to determine whether incoming email is from a known contact or not. Hashed and salted digest does not allow determining the original email address, but is used to determine whether a new incoming email sender is from a known contact or not, by comparing the email sender digest with the cached contact digests.
We strive to provide the best security there is, but we're a small organisation and are more focussed on security practices than certifications at the moment.
If you'd like to ask any questions or inform us about any security concerns, please email us.