Security

Protecting your most sensitive data layer.

Last updated May 10, 2026

We assume every inbox contains passwords, bank statements, medical records, contracts, and conversations with people who matter most. We engineer accordingly.

Encryption

  • At rest: AES-256-GCM. Per-tenant data encryption keys, wrapped by a master key in AWS KMS.
  • In transit: TLS 1.3 only. HSTS preloaded. No SSLv3/TLS 1.0/1.1.
  • In memory: Email bodies are decrypted only inside short-lived inference workers and never written to disk.
  • Customer-managed keys (Enterprise): bring your own KMS key — revoke it and your data becomes unreadable instantly.
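
The at-rest and customer-managed-key bullets describe envelope encryption: data is sealed under a data encryption key (DEK), the DEK is wrapped by a master key that lives in KMS, and withdrawing the master key leaves every wrapped DEK, and so every ciphertext, unrecoverable. The Go program below is an added illustration of that scheme and is not Inbox Assistant's code; `FakeKMS` is a hypothetical in-process stand-in for AWS KMS, `Envelope`, `EncryptForTenant` and `DecryptForTenant` are invented names, and for brevity it draws a fresh DEK per call rather than holding one per tenant as the page states. The wrap/unwrap path, the AES-256-GCM sealing, and the effect of revocation are the same either way.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randBytes draws n bytes from the CSPRNG; failure there is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; a modified blob or a different aad fails the tag check.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// FakeKMS is a hypothetical stand-in for AWS KMS: one master key per key ID that never leaves it.
type FakeKMS struct{ masterKeys map[string][]byte }

func NewFakeKMS() *FakeKMS                  { return &FakeKMS{masterKeys: map[string][]byte{}} }
func (k *FakeKMS) CreateKey(keyID string) { k.masterKeys[keyID] = randBytes(32) }

// Revoke models a customer withdrawing their key: every DEK wrapped under it becomes unrecoverable.
func (k *FakeKMS) Revoke(keyID string) { delete(k.masterKeys, keyID) }

// Wrap and Unwrap bind the DEK to its key ID via AAD, so a wrapped DEK cannot be presented under another tenant's key.
func (k *FakeKMS) Wrap(keyID string, dek []byte) ([]byte, error) {
	if mk, ok := k.masterKeys[keyID]; ok {
		return gcmSeal(mk, dek, []byte(keyID))
	}
	return nil, errors.New("kms: key revoked or unknown")
}

func (k *FakeKMS) Unwrap(keyID string, wrapped []byte) ([]byte, error) {
	if mk, ok := k.masterKeys[keyID]; ok {
		return gcmOpen(mk, wrapped, []byte(keyID))
	}
	return nil, errors.New("kms: key revoked or unknown")
}

// Envelope is what is stored per record: key ID, KMS-wrapped DEK, and data sealed under the DEK.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func EncryptForTenant(kms *FakeKMS, keyID string, plaintext []byte) (*Envelope, error) {
	dek := randBytes(32) // fresh AES-256 DEK; the plaintext DEK is never stored
	wrapped, err := kms.Wrap(keyID, dek)
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func DecryptForTenant(kms *FakeKMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err // key revoked: the stored ciphertext is now unreadable
	}
	return gcmOpen(dek, env.Ciphertext, []byte(env.KeyID))
}
```

Two details carry the security argument: the plaintext DEK exists only transiently inside the encrypting or decrypting process (the page's "in memory" bullet), and the key ID is bound into both the wrapped DEK and the record as AEAD associated data, so a blob copied between tenants fails authentication rather than decrypting under the wrong key.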

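The in-transit bullet (TLS 1.3 only, HSTS preloaded) is a server configuration rather than an algorithm. The Go fragment below is an added example of what that policy looks like in code and is not the product's own server: it shows a permissive config beside the hardened one, a policy check a deploy pipeline could run, and an HSTS middleware that only emits the header on TLS connections. The handler names and the `cert.pem`/`key.pem` paths in `main` are placeholders.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"time"
)

// weakTLSConfig is the kind of setting the policy rules out: it still negotiates TLS 1.0 and 1.1.
func weakTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10}
}

// hardenedTLSConfig matches the policy: TLS 1.3 only, so SSLv3, TLS 1.0, 1.1 and 1.2
// cannot be negotiated. Go's TLS 1.3 cipher suites are fixed, so no suite list is needed.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}

// meetsTLSPolicy is the check a deploy pipeline could run against a config.
func meetsTLSPolicy(c *tls.Config) bool {
	return c.MinVersion >= tls.VersionTLS13
}

// hstsHeaderValue is a preload-eligible policy: two years, subdomains included, preload opt-in.
const hstsHeaderValue = "max-age=63072000; includeSubDomains; preload"

// withHSTS sets Strict-Transport-Security only on responses served over TLS;
// browsers ignore the header on plain HTTP, so sending it there is noise.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", hstsHeaderValue)
		}
		next.ServeHTTP(w, r)
	})
}

// newServer wires the hardened config and the middleware into an http.Server.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           withHSTS(h),
		TLSConfig:         hardenedTLSConfig(),
		ReadHeaderTimeout: 10 * time.Second, // bounds slow-header clients
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	srv := newServer(":8443", mux)
	if !meetsTLSPolicy(srv.TLSConfig) {
		log.Fatal("TLS config does not meet the TLS 1.3-only policy")
	}
	// cert.pem and key.pem are placeholder paths for this example.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

The `r.TLS != nil` gate matters when the same handler also answers a plain-HTTP redirect listener; HSTS belongs on the HTTPS response that the browser then remembers. The preload directive is irreversible in practice, so it should only be added once every subdomain actually serves HTTPS.
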
Access control

  • Hardware MFA (YubiKey) required for all production access.
  • Just-in-time access with peer approval and 15-minute expiry.
  • Engineers cannot read message bodies — production reads are blocked at the IAM policy level.
  • All access logged in an immutable audit trail (90 days hot, 1 year cold).

Application security

  • SDLC with mandatory code review and SAST on every PR.
  • Dependency scanning (Dependabot + Snyk), automatic patching for CVEs ≥ High.
  • OWASP Top 10 hardened. CSP, SRI, anti-CSRF, rate limiting, bot detection.
  • Annual third-party penetration test. Latest report available under NDA.
  • Public bug bounty: cardimattos@gmail.com · responsible disclosure rewarded.

Infrastructure

  • AWS Frankfurt primary, Stockholm DR. Both EU regions.
  • Network isolation via VPC, private subnets, no public DBs.
  • Tenant isolation at the row level in the database; embeddings namespaced per tenant.
  • Daily encrypted backups; 35-day point-in-time recovery; quarterly restore drills.

Operational security

  • Background checks on all engineering hires.
  • Annual security & privacy training for all employees.
  • Endpoint MDM with disk encryption and remote wipe.
  • Phishing simulations quarterly.

Breach notification process

If we detect a confirmed Personal Data breach, our runbook is:

  1. 0–1h — Containment. Isolate the affected system, rotate credentials.
  2. 1–24h — Forensics. Determine scope, affected users, data categories.
  3. ≤72h — Notify the lead supervisory authority (IMY in Sweden) per Art. 33 GDPR.
  4. Without undue delay — Notify affected users per Art. 34 if there is a high risk to their rights.
  5. Post-mortem — Public, blameless post-mortem published within 30 days.

Compliance

  • GDPR & UK GDPR — compliant
  • SOC 2 Type II — audit in progress (Q4 2026)
  • ISO 27001 — roadmap 2027
  • HIPAA — not currently supported. Do not route PHI through Inbox Assistant.

Report a vulnerability

Email cardimattos@gmail.com. PGP key on request. We commit to acknowledge within 24 hours and triage within 3 business days.

Questions? Email cardimattos@gmail.com. Operated by Cardim IT AB (org. nr. 559278-1453), Göteborg, Sweden.