What security measures does InboxPilot have in place?

InboxPilot follows industry-leading security practices and maintains key compliance certifications to keep your data safe. We work with organizations across heavily regulated sectors—including healthcare, legal, and financial services—who've carried out thorough due diligence before adopting our platform.

InboxPilot is built for privacy, security, and trust. We meet the highest industry standards and maintain ongoing security audits to ensure your data is always protected.

Security Measures

Access and Authentication

InboxPilot implements multiple layers of security to protect your data:

OAuth2.0 Encryption: Access to your email and calendar is encrypted using OAuth2.0, ensuring no chance of data being mixed between accounts
Data Encryption: All data is encrypted both in transit and at rest using enterprise-grade encryption standards (AES-256 at rest, TLS 1.3 in transit)
Infrastructure: We use Google Cloud Platform (GCP) infrastructure, which includes automatic encryption and built-in threat detection
Access Controls: Only authorized systems can access your data. All access is monitored and logged for security auditing
Multi-Factor Authentication (MFA): Required for all administrative access and available for all user accounts
Role-Based Access Control (RBAC): Implemented with least privilege principles to ensure users only have access to data necessary for their role
No Data Training: Your data is never used to train third-party AI models or shared externally
Single Sign-On (SSO): Supported for Enterprise users, adding another layer of secure authentication

Data Security Practices

InboxPilot maintains comprehensive data security practices:

Encryption Standards: All customer data is encrypted using AES-256 encryption at rest and TLS 1.3 for data in transit
Network Security: Firewalls, intrusion detection systems, and network segmentation protect our infrastructure
Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scanning
Security Monitoring: 24/7 monitoring with real-time alerts for suspicious activities or unauthorized access attempts
Incident Response: Documented incident response procedures with less than 1-hour initial response time, tested quarterly
Data Segregation: Client-level data segregation ensures your data is isolated from other customers' data
Backup and Recovery: Daily encrypted backups with 30-day retention, tested regularly for data integrity
Audit Logging: Comprehensive audit logs retained for 90 days, tracking all access and modifications to customer data
Security Training: Annual security and data protection training for all personnel with access to customer data

Compliance Certifications

InboxPilot maintains the highest industry standards for security and compliance. These certifications reflect our commitment to secure data handling, ongoing audits, and best-in-class operational practices.

Certifications and Standards

InboxPilot is:

CASA assessments by Google — We maintain completed Cloud Application Security Assessment (CASA) evaluations through Google Cloud Platform
SOC 2 Type II compliant — We meet all advanced security, availability, and confidentiality standards and are currently pursuing formal certification
Fully GDPR compliant for all users, including UK GDPR and DPA 2018 compliance
CCPA/CPRA compliant — Compliant with California Consumer Privacy Act and California Privacy Rights Act requirements

Infrastructure Certifications

Our infrastructure provider, Google Cloud Platform (GCP), maintains the following certifications and standards:

ISO/IEC 27001 – Information Security Management Systems (ISMS)
ISO/IEC 27017 – Cloud-specific security controls
ISO/IEC 27018 – Protection of personal data in the cloud
SOC 1, SOC 2, SOC 3 – Service Organization Controls reports
PCI DSS Level 1 – Payment card data security
HIPAA – U.S. healthcare data compliance
GDPR – European data privacy compliance

These certifications are independently audited and verified by third-party assessors.

Privacy and Data Control

Your data stays private, secure, and under your control at all times. We never access more than what's needed to deliver the features you've enabled—and never share or use your data for training external models.

Infrastructure

InboxPilot uses Google Cloud Platform (GCP) for hosting, which adheres to globally recognized security and privacy frameworks, including:

ISO/IEC 27001 – Information Security Management Systems (ISMS)
ISO/IEC 27017 – Cloud-specific security controls
ISO/IEC 27018 – Protection of personal data in the cloud
SOC 1, SOC 2, SOC 3 – Service Organization Controls reports (focused on controls over financial reporting and general security, availability, processing integrity, confidentiality, and privacy)
PCI DSS – Payment card data security
HIPAA – U.S. healthcare data compliance
GDPR – European data privacy compliance

GCP data centres are built to Tier III or higher specifications, offering robust redundancy and uptime resilience.

Data Ownership

InboxPilot accesses your email data to provide services like drafting replies and tracking tasks or follow-ups. However, you remain the sole owner of your data at all times.

Important: InboxPilot does not send emails on your behalf—only you can review and send drafts.

Data Storage and Usage

To provide an intelligent, context-aware service, InboxPilot builds a private knowledge base from your connected inbox. This helps us:

Improve draft accuracy
Proactively support your tasks across emails
Maintain context for better AI responses

All data is stored securely using encrypted infrastructure, with strict access controls and client-level segregation.

AI Training Practices and Data Usage

InboxPilot's AI Functionality

InboxPilot uses AI to provide intelligent email drafting and automation services. Our AI practices are designed to protect your personal data:

No Training on Customer Data: InboxPilot does not use your personal data, email content, or customer information to train our AI models
Private Knowledge Base: Each customer's data is used only to build a private, isolated knowledge base for that specific customer
No Cross-Customer Learning: Data from one customer is never used to improve services for another customer
Data Isolation: Your data remains segregated and is only used to provide services to your account

Third-Party AI Models (ChatGPT and Other Providers)

InboxPilot may use third-party AI services, including OpenAI's ChatGPT, to provide certain features. Our practices regarding third-party AI models:

No Data Retention by Third Parties: We configure third-party AI services to not retain or use your data for training purposes
Data Minimization: We only send the minimum necessary data to third-party AI services required to provide the requested functionality
Contractual Protections: We have agreements in place with third-party AI providers that prohibit them from using your data for training their models
API Configuration: We use API configurations that explicitly disable data retention and training features where available
No Sharing for Training: Your personal data, email content, and customer information are never shared with third-party AI providers for model training or improvement purposes

Data Processing for AI Services

When using AI services:

Temporary Processing: Data sent to AI services is processed temporarily and not stored by the AI provider
Purpose Limitation: Data is only used for the specific service requested (e.g., generating an email draft)
No Secondary Use: Your data is not used for any secondary purposes, including model training, improvement, or analytics
Compliance: All AI processing complies with GDPR, UK GDPR, and other applicable data protection laws

For more information, visit our Security Page for a detailed overview of security and privacy measures.

Data Deletion on Cancellation

When you uninstall or cancel your InboxPilot account, your data is automatically and securely deleted from our systems. This includes:

Inbox data
Internal knowledge records
Backups where applicable

Once your account is cancelled or deleted, all associated data is purged from our systems.

For more technical detail, visit our Security page.