Your email data is sensitive. We treat it that way. Messybox is built from the ground up with security, privacy, and compliance at every layer.
Every decision we make starts with one question: does this protect our users?
We never store email content. Period. Messybox processes your emails in real-time, extracts the intelligence you need, and discards the raw content immediately. No email bodies, no attachments, no message metadata sitting on our servers.
Our architecture is stateless by design. We act as a pass-through layer between your email provider and your organized inbox. Once processing is complete, the only thing that remains is the structure we've created for you — categories, priorities, and summaries — never the original content.
All data in transit is protected with TLS 1.3, the latest and most secure transport layer protocol. Data at rest — including account configuration and user preferences — is encrypted with AES-256, the same standard used by banks and governments.
Encryption keys are managed through a dedicated key management service with automatic rotation. Even our own engineers cannot access your data without multi-party authorization and a documented audit trail.
Messybox has completed a SOC 2 Type II audit, validating our security controls across availability, confidentiality, and privacy. We maintain strict role-based access control (RBAC) throughout our infrastructure.
Every action — from API calls to admin configuration changes — is logged in an immutable audit trail. Enterprise customers get full access to these logs for their own compliance reviews. We believe transparency isn't optional; it's table stakes.
GDPR: Full compliance with the EU General Data Protection Regulation. We support data portability, right to erasure, and explicit consent management. Data processing agreements (DPAs) are available for all customers.
HIPAA: Messybox is HIPAA-ready for healthcare organizations handling protected health information. Business Associate Agreements (BAAs) are available on request.
ISO 27001: Our information security management system is certified to ISO 27001 standards, ensuring continuous improvement of our security posture through regular internal and external audits.
Messybox acts as a secure processing layer. We read, organize, and return — we never store.
Step 1: Email Provider — Your email stays with Gmail or Outlook. We connect via OAuth 2.0 with the minimum permissions required. You can revoke access at any time.
Step 2: Messybox Processing — Emails are processed in memory within an encrypted, isolated environment. AI models analyze content for categorization, priority scoring, and draft generation. No raw content is written to disk.
Step 3: Organized Inbox — Only structured metadata (categories, labels, priority scores, draft suggestions) is returned to your inbox. The original email content is never copied or retained.
Everything your IT and compliance teams need to say yes.
Single sign-on with SAML 2.0 and OIDC support. Integrate with Okta, Azure AD, Google Workspace, and more.
Pre-signed Data Processing Agreements available for all plans. Custom DPAs and BAAs for enterprise customers.
Configure retention policies to match your compliance requirements. Auto-purge metadata on your schedule.
Enterprise customers get isolated processing environments with dedicated compute and network resources.
Active bug bounty program and responsible disclosure policy. We work with the security community to stay ahead of threats.
Enterprise-grade availability with financially-backed SLAs. Real-time status page and proactive incident communication.
Common questions from security and compliance teams.
No. Messybox never stores email content, attachments, or message bodies. All processing happens in real-time in memory. Once your emails are categorized and drafts are generated, the original content is discarded. Only structured metadata like categories, priority labels, and draft suggestions are retained.
We request the minimum OAuth 2.0 scopes required to read your inbox and apply labels. We do not request permission to send emails on your behalf, delete messages, or access contacts. You can review and revoke permissions at any time through your Google or Microsoft account settings.
Yes. Messybox is fully GDPR compliant, supporting data portability, right to erasure, and consent management. We are also HIPAA-ready and can provide Business Associate Agreements (BAAs) for healthcare organizations. Data Processing Agreements (DPAs) are available for all customers.
Absolutely. Our SOC 2 Type II report is available under NDA. Contact security@messybox.ai and we'll share it with your security team within one business day.
Messybox processing infrastructure is hosted in SOC 2-certified data centers in the United States and European Union. Enterprise customers can choose their data residency region to meet local regulatory requirements. All inter-region traffic is encrypted with TLS 1.3.