Safe, secure, and private.
Everything in Flowmail is designed to keep your work safe and secure. Because your business is nobody else's business.
Data Security
Your email data is protected at every layer with industry-standard encryption and secure infrastructure.
Encryption at rest
All sensitive credentials — OAuth tokens, IMAP passwords, and API secrets — are encrypted using AES-256-GCM before storage.
Encryption in transit
All connections are forced over HTTPS with TLS 1.2+. Strict security headers (HSTS, CSP) are enforced on every response.
OAuth 2.0 authorization
We connect to Gmail and Outlook via OAuth 2.0 — we never see or store your email password. You can revoke access at any time.
Access Control
Fine-grained permissions and multi-factor authentication protect every account.
Multi-factor authentication
Email OTP and Passkey support provide strong second-factor authentication for all user accounts.
Organization isolation
Each organization's data is strictly isolated. Cross-tenant access is impossible by design.
API token management
API tokens are hashed with SHA-256 before storage. Tokens can be scoped and revoked at any time.
Rate limiting
All authentication endpoints are protected with sliding-window rate limiting to prevent brute-force attacks.
AI & Privacy
We believe your email data belongs to you — not to AI model providers.
Zero data training
Your email content is never used to train, fine-tune, or improve AI models. We enforce zero-data-retention policies with our AI providers.
Minimal data access
AI only processes the specific fields needed for classification and extraction. Raw email content is not stored beyond processing.
Processing transparency
Every AI classification and extraction result is visible to you. You can review, correct, or reject any AI-generated output before it takes effect.
Compliance & Transparency
We protect your rights through rigorous internal controls and transparent data handling practices.
GDPR Ready
We follow core GDPR principles: data minimization, purpose limitation, and data subject rights. Data export and deletion are supported. A DPA is available upon request.
Zero data training
Your email content is never used to train or improve AI models. We enforce zero-data-retention policies with all AI providers.
Comprehensive audit logging
All sensitive operations — approvals, connection changes, token management — are logged with actor, timestamp, and IP address.
Data portability
You can export or delete your data at any time. We respect your right to data portability and erasure.
Infrastructure
Flowmail runs on enterprise-grade infrastructure with built-in redundancy and global performance.
Vercel hosting
Deployed on Vercel's global edge network with automatic DDoS protection, SSL, and a 99.99% uptime SLA.
Managed PostgreSQL
Data is stored in Neon serverless PostgreSQL with automatic backups, point-in-time recovery, and encryption at rest.
Security headers
Every response includes HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and a strict Referrer-Policy.
Have security questions?
We take security seriously. If you have questions about our security practices or need a DPA, please reach out.