
What security measures does InboxPilot have in place?

Last updated: 12 April, 2026

Please read these terms carefully. These Terms of Service govern your access to and use of InboxPilot. By purchasing access, signing up for a free or paid plan, or clicking a box indicating acceptance, you agree to be bound by these terms on behalf of yourself or the company you represent. If you do not have authority to bind your organization, or if you do not agree with these terms, you may not use the service.

InboxPilot follows industry-leading security practices and maintains key compliance certifications to keep your data safe. We work with organizations across heavily regulated sectors—including healthcare, legal, and financial services—who've carried out thorough due diligence before adopting our platform.

InboxPilot is built for privacy, security, and trust. We meet the highest industry standards and maintain ongoing security audits to ensure your data is always protected.

Security Measures
Access and Authentication

InboxPilot implements multiple layers of security to protect your data:

  • OAuth 2.0 Encryption: Access to your email and calendar is encrypted using OAuth 2.0, ensuring no chance of data being mixed between accounts
  • Data Encryption: All data is encrypted both in transit and at rest using enterprise-grade encryption standards (AES-256 at rest, TLS 1.3 in transit)
  • Infrastructure: We use Google Cloud Platform (GCP) infrastructure, which includes automatic encryption and built-in threat detection
  • Access Controls: Only authorized systems can access your data. All access is monitored and logged for security auditing
  • Multi-Factor Authentication (MFA): Required for all administrative access and available for all user accounts
  • Role-Based Access Control (RBAC): Implemented with least privilege principles to ensure users only have access to data necessary for their role
  • No Data Training: Your data is never used to train third-party AI models or shared externally
  • Single Sign-On (SSO): Supported for Enterprise users, adding another layer of secure authentication

Data Security Practices

InboxPilot maintains comprehensive data security practices:

  • Encryption Standards: All customer data is encrypted using AES-256 encryption at rest and TLS 1.3 for data in transit
  • Network Security: Firewalls, intrusion detection systems, and network segmentation protect our infrastructure
  • Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scanning
  • Security Monitoring: 24/7 monitoring with real-time alerts for suspicious activities or unauthorized access attempts
  • Incident Response: Documented incident response procedures with less than 1-hour initial response time, tested quarterly
  • Data Segregation: Client-level data segregation ensures your data is isolated from other customers' data
  • Backup and Recovery: Daily encrypted backups with 30-day retention, tested regularly for data integrity
  • Audit Logging: Comprehensive audit logs retained for 90 days, tracking all access and modifications to customer data
  • Security Training: Annual security and data protection training for all personnel with access to customer data

Compliance Certifications

InboxPilot maintains the highest industry standards for security and compliance. These certifications reflect our commitment to secure data handling, ongoing audits, and best-in-class operational practices.

Certifications and Standards

InboxPilot is:

  • CASA assessed by Google — We maintain completed Cloud Application Security Assessment (CASA) evaluations through Google Cloud Platform
  • SOC 2 Type II compliant — We meet all advanced security, availability, and confidentiality standards and are currently pursuing formal certification
  • Fully GDPR compliant for all users, including UK GDPR and DPA 2018 compliance
  • CCPA/CPRA compliant — Compliant with California Consumer Privacy Act and California Privacy Rights Act requirements

Infrastructure Certifications

Our infrastructure provider, Google Cloud Platform (GCP), maintains the following certifications and standards:

  • ISO/IEC 27001 – Information Security Management Systems (ISMS)
  • ISO/IEC 27017 – Cloud-specific security controls
  • ISO/IEC 27018 – Protection of personal data in the cloud
  • SOC 1, SOC 2, SOC 3 – Service Organization Controls reports
  • PCI DSS Level 1 – Payment card data security
  • HIPAA – U.S. healthcare data compliance
  • GDPR – European data privacy compliance

These certifications are independently audited and verified by third-party assessors.

Privacy and Data Control

Your data stays private, secure, and under your control at all times. We never access more than what's needed to deliver the features you've enabled—and never share or use your data for training external models.

Infrastructure

InboxPilot uses Google Cloud Platform (GCP) for hosting, which adheres to globally recognized security and privacy frameworks, including:

  • ISO/IEC 27001 – Information Security Management Systems (ISMS)
  • ISO/IEC 27017 – Cloud-specific security controls
  • ISO/IEC 27018 – Protection of personal data in the cloud
  • SOC 1, SOC 2, SOC 3 – Service Organization Controls reports (focused on controls over financial reporting and general security, availability, processing integrity, confidentiality, and privacy)
  • PCI DSS – Payment card data security
  • HIPAA – U.S. healthcare data compliance
  • GDPR – European data privacy compliance

GCP data centres are built to Tier III or higher specifications, offering robust redundancy and uptime resilience.

Data Ownership

InboxPilot accesses your email data to provide services like drafting replies and tracking tasks or follow-ups. However, you remain the sole owner of your data at all times.

Important: InboxPilot does not send emails on your behalf—only you can review and send drafts.

Data Storage and Usage

To provide an intelligent, context-aware service, InboxPilot builds a private knowledge base from your connected inbox. This helps us:

  • Improve draft accuracy
  • Proactively support your tasks across emails
  • Maintain context for better AI responses

All data is stored securely using encrypted infrastructure, with strict access controls and client-level segregation.

AI Training Practices and Data Usage
InboxPilot's AI Functionality

InboxPilot uses AI to provide intelligent email drafting and automation services. Our AI practices are designed to protect your personal data:

  • No Training on Customer Data: InboxPilot does not use your personal data, email content, or customer information to train our AI models
  • Private Knowledge Base: Each customer's data is used only to build a private, isolated knowledge base for that specific customer
  • No Cross-Customer Learning: Data from one customer is never used to improve services for another customer
  • Data Isolation: Your data remains segregated and is only used to provide services to your account

Third-Party AI Models (ChatGPT and Other Providers)

InboxPilot may use third-party AI services, including OpenAI's ChatGPT, to provide certain features. Our practices regarding third-party AI models:

  • No Data Retention by Third Parties: We configure third-party AI services to not retain or use your data for training purposes
  • Data Minimization: We only send the minimum necessary data to third-party AI services required to provide the requested functionality
  • Contractual Protections: We have agreements in place with third-party AI providers that prohibit them from using your data for training their models
  • API Configuration: We use API configurations that explicitly disable data retention and training features where available
  • No Sharing for Training: Your personal data, email content, and customer information are never shared with third-party AI providers for model training or improvement purposes

Data Processing for AI Services

When using AI services:

  • Temporary Processing: Data sent to AI services is processed temporarily and not stored by the AI provider
  • Purpose Limitation: Data is only used for the specific service requested (e.g., generating an email draft)
  • No Secondary Use: Your data is not used for any secondary purposes, including model training, improvement, or analytics
  • Compliance: All AI processing complies with GDPR, UK GDPR, and other applicable data protection laws

For more information, visit our Security Page for a detailed overview of security and privacy measures.

Data Deletion on Cancellation

When you uninstall or cancel your InboxPilot account, your data is automatically and securely deleted from our systems. This includes:

  • Inbox data
  • Internal knowledge records
  • Backups where applicable

Once your account is cancelled or deleted, all associated data is purged from our systems.

Questions, concerns, or complaints

If you have questions, concerns, or complaints regarding the Terms of Service or our data practices, please contact us:

InboxPilot

2810 N Church St PMB 16104
Wilmington, Delaware 19802-4447

privacy@inboxpilot.co

Thank you for choosing InboxPilot. We are committed to ensuring your privacy and providing a secure platform.

© 2026 InboxPilot, Inc. All rights reserved.