Security & Privacy

How we protect your data, your clients' data, and your trust. Enterprise-grade security with full transparency.

Data Encryption

Your data is encrypted everywhere

We use the same encryption standards trusted by banks, hospitals, and government agencies.

AES-256 at Rest

All stored data -- OAuth tokens, client configurations, and email metadata -- is encrypted with AES-256-GCM, the gold standard in symmetric encryption.

TLS 1.3 in Transit

Every connection between your browser, our servers, and third-party services is encrypted with TLS 1.3 -- the latest transport layer security protocol.

Access Controls

Strict data isolation

Your data is yours. Nobody else's system can see it, touch it, or query it.

Row-Level Security

Every database table enforces row-level security policies. Your data is partitioned at the database level -- not just the application level.

Per-Client Isolation

Each client's data is scoped by ownership checks on every request. No cross-client data leakage is possible, even if credentials are compromised.

Service Role Only

Database access is restricted to service_role credentials. Anonymous and authenticated public access has been explicitly revoked.

Data Ownership

You own your data. Period.

We are custodians of your data, not owners. You have full control at all times.

Full Ownership

All data generated through AssistantAI -- drafts, classifications, contact records, preferences -- belongs to you. We make no claims to it.

Export Anytime

Request a complete export of your data at any time. We provide it in standard formats (JSON/CSV) within 24 hours.

We Never Sell Data

Your data is never sold, shared, or used for advertising. It is used solely to power your AI assistant and improve your experience.

Third-Party Services

Services we use and what they access

We use best-in-class infrastructure providers. Here is exactly what each one accesses.

Service	Purpose	Data Accessed	Security
Supabase	Database & storage	Client records, configurations, email metadata	Security page
Gmail API	Email access	Email content (read/draft/send via OAuth)	Security page
Claude API	AI processing	Email content for classification & drafting	Security page
Stripe	Payment processing	Billing info, subscription status	Security page
Resend	Email notifications	Recipient email, notification content	Security page

Nothing sends without your approval

AI drafts responses in your voice, but every email waits for your review. You see the draft, edit if needed, and tap approve. If you don't approve it, it doesn't send. You are always in control.

Compliance

Built with compliance in mind

We follow industry best practices and are building toward formal certifications.

SOC 2 Practices -- We follow SOC 2 Type II security principles: access controls, encryption, monitoring, and incident response procedures.
GDPR-Ready Data Handling -- Data minimization, right to erasure, data portability, and transparent processing. Request deletion anytime.
Encrypted OAuth Tokens -- Gmail OAuth tokens are encrypted with AES-256-GCM before storage. Even in a database breach, tokens are unusable without the encryption key.
Revocable Access -- You can disconnect your Gmail from your Google Account settings at any time. We lose all access instantly.