Inbox Airlock Security


As an application dealing with email, we recognize the importance of great security practices.

This document covers our security practices and policies. If you are interested in the data we collect and store, please see our privacy policy.

General practices

  • Access to servers, source code, and tools and services are secured with multi-factor authentication.
  • We use strong, randomly-generated passwords that are never re-used.
  • Access to production systems is given to employees and contractors only when absolutely necessary to help our customers with support issues and provide high quality services. All access is closely monitored and logged to ensure customer privacy.
  • We update code dependencies immediatelly whenever a known security vulnerability is announced. This is done using automated security vulnerability detection tools.
  • We run periodic OWASP® pentests against our systems to ensure there are no security issues.


We've passed a CASA Tier 2 Security Certification on 6th Oct 2023 with no outstanding security issues. This certification is required to access Gmail™ data. It has to be completed annually and is overseen by Google, and we're commited to maintaining it consistently.


User authentication is handled by your email provider (Google) via OAuth2 protocol, Inbox Airlock does not have access nor store user's login credentials to their Google account, other than temporary Google API access tokens necessary to provide the service.

Access to Inbox Airlock organisation is controlled via Google OAuth2 and access configuration by the your account organisation admin.

Access to your Google account

When configuring Airlock for your inbox, you will be asked for access to parts of your Gmail™ account. Airlock will only request access to the following scopes:

  • See and download contact info automatically saved in your 'Other contacts': This allows Airlock to determine whether an incoming email is from someone you've previously communicated with.
  • See and edit your email labels This allows Airlock to create labels in your Gmail™ account, such as the "Airlock" label
  • See, edit, create or change your email settings and filters in Gmail This allows Airlock to set up filters in your Gmail™ account to instantly classify your emails into categories as soon as they arrive.
  • Read, compose and send emails from your Gmail™ account This allows Airlock to read the email metadata, suche as the sender email address, and move incoming emails between your Inbox and Airlock. While the permission grants access to reading and sending emails, Airlock does not read, store or send any emails on your behalf. Unfortunately, Google does not provide a more granular permission for this.
  • See your primary Google Account email address and Associate you with your personal info on Google This allows Airlock to know who you are and how to contact you in order to provide you with the service.


Application code and database are hosted on Render , which is a SOC 2 Type 2 compliant Platform as a Service provider.


All web traffic is encrypted using TLS 1.2, which is managed by Render with certificates provided by Certificate Authority.

In the databse, all personally identifiable information is encrypted at rest using AES 256 GCM encryption algorithm.

Data retention/logging

Logs are retained for 31 days, after which they are permanently deleted.


What user data do you collect?

All our income is from our user subscirbtions and we do not and will not make any money from user data. We collect some usage information that we can use to improve our services and guide the direction of the product, as well as help our users in their support queries. We track actions like:

  • Log-In and Log-Out events
  • Interaction with features of the web app (changing user settings etc.)
  • Crashes and other errors
  • Effectivness stats via the counts of email messages under Gmail™ labels

Users are identified in our system by their email address and a link to their Google user account profile. We don't attempt to collect any demographic information, and don't log IP addresses on incoming connections.

Do you cache my email contents or contact details on your servers?

Airlock currently does not scan your email contents and does not cache nor persist any of the email headers or contents on our servers, except for anonimysed technical data for debugging server errors.

Airlock may cache hashed and salted digests of your contacts' email addresses to determine whether incoming email is from a known contact or not. Hashed and salted digest does not allow determining the original email address, but is used to determine whether a new incoming email sender is from a known contact or not, by comparing the email sender digest with the cached contact digests.

Are you SOC 2 or ISO 27001 certified?

We strive to provide the best security there is, but we're a small organisation and are more focussed on security practices than certifications at the moment.


If you'd like to ask any questions or inform us about any security concerns, please email us.