Table of Contents
1. Executive Summary
MailWise is an AI-powered email management platform that prioritizes user privacy and data security above all else. This whitepaper provides a comprehensive overview of our security architecture, data protection measures, and compliance certifications.
Our Core Security Promise: We cannot read your emails. Your email content is encrypted on your device before it ever reaches our servers. This zero-knowledge architecture ensures that even in the unlikely event of a data breach, your sensitive information remains protected.
Key Security Features
AES-256 Encryption
Zero-Knowledge Architecture
GDPR Compliant
CCPA Compliant
OAuth 2.0
SOC 2 Partners
No Data Selling
UK-Based Company
2. Security Architecture
MailWise employs a defense-in-depth security model with multiple layers of protection:
Data Flow Architecture
Your Browser
→
AES-256 Encryption
→
TLS 1.3
→
Our API
→
Encrypted Database
All data is encrypted before leaving your browser. We only store encrypted data.
Architecture Principles
- Client-Side Encryption: Email content is encrypted in your browser using AES-256-GCM before transmission
- Transport Security: All communications use TLS 1.3 with perfect forward secrecy
- At-Rest Encryption: Database storage is encrypted using AES-256
- Key Management: Encryption keys are derived from your credentials and never stored on our servers
- Isolation: Each user's data is logically isolated using Row-Level Security (RLS)
3. Encryption & Data Protection
3.1 Encryption Standards
| Layer | Algorithm | Key Size |
|---|---|---|
| Data at Rest | AES-256-GCM | 256-bit |
| Data in Transit | TLS 1.3 | 256-bit |
| Email Content | AES-256-GCM | 256-bit |
| Key Derivation | PBKDF2 | 256-bit |
3.2 What We Encrypt
- Email Body: Full message content is encrypted client-side
- Attachments: All attachment references are encrypted
- AI Summaries: Generated summaries are encrypted before storage
- Action Items: Extracted action items are encrypted
- Draft Responses: AI-generated drafts are encrypted
Zero-Knowledge Design: Our servers never see your unencrypted email content. Even our engineers cannot access your data. The encryption keys are derived from your credentials and exist only in your browser's memory.
4. Authentication & Access Control
4.1 User Authentication
- Supabase Auth: Industry-standard authentication with secure password hashing (bcrypt)
- Session Management: JWT tokens with short expiration times
- Password Requirements: Minimum 8 characters with complexity requirements
4.2 Gmail Integration (OAuth 2.0)
- We use Google's OAuth 2.0 protocol for Gmail access
- We never see or store your Gmail password
- You can revoke access at any time from Google Account settings
- We request only the minimum permissions necessary
4.3 Requested Gmail Permissions
| Permission | Purpose | Type |
|---|---|---|
| gmail.readonly | Read email content for analysis and categorization | Read-only |
| gmail.modify | Manage labels, mark emails as read/unread, create drafts | Read/Write |
| gmail.send | Send emails on your behalf (with your approval) | Write |
Why gmail.modify? This permission allows us to:
- Read your emails for AI-powered analysis and categorization
- Mark emails as read/unread when you interact with them in MailWise
- Apply labels for organization (if enabled)
- Create and save draft emails for your review
What We Don't Do:
- We never delete your emails
- We never archive your emails without consent
- We never modify email content
- We only send emails that you explicitly approve
5. Infrastructure Security
5.1 Our Technology Partners
| Service | Provider | Location | Certifications |
|---|---|---|---|
| Database | Supabase (AWS) | US/EU | SOC 2 Type II |
| Frontend Hosting | Google Firebase | US | SOC 2, ISO 27001 |
| Backend API | Render | US | SOC 2 Type II |
| AI Processing | OpenAI | US | SOC 2 Type II |
| Email Auth | Google Cloud | Global | SOC 2, ISO 27001 |
5.2 Network Security
- All traffic encrypted with TLS 1.3
- DDoS protection via Cloudflare
- Rate limiting on all API endpoints
- Web Application Firewall (WAF) protection
6. AI Processing & Privacy
6.1 How AI Processing Works
We use OpenAI's GPT models for email summarization, categorization, and draft generation. Here's how we protect your privacy:
Key Privacy Protections:
- Only anonymized snippets (not full emails) are sent to OpenAI
- Personal identifiers are stripped before processing
- OpenAI does NOT use API data to train their models
- All AI requests use enterprise API agreements
6.2 What We Send to AI
- Email Subject: Used for categorization
- Sender Domain: (not full email address)
- Content Snippet: First 1000 characters only
- Never Sent: Full email addresses, attachments, sensitive financial data
6.3 OpenAI Data Usage Policy
Per OpenAI's enterprise API terms:
- API data is NOT used to train or improve OpenAI models
- Data is retained for 30 days for abuse monitoring, then deleted
- No human review of API data unless required for safety
7. Compliance & Certifications
7.1 GDPR Compliance (EU Users)
- Lawful Basis: We process data based on your consent and contract performance
- Data Portability: Export your data at any time
- Right to Erasure: Request deletion within 30 days
- Data Protection Officer: Contact shailaja.natarajan@sjrtchsrv.tech
- EU-US Data Privacy Framework: Compliant for international transfers
7.2 CCPA Compliance (California Users)
- Right to Know: Request what data we collect
- Right to Delete: Request data deletion
- Right to Opt-Out: We do NOT sell personal information
- Non-Discrimination: No penalty for exercising rights
7.3 Google API Compliance
MailWise adheres to Google API Services User Data Policy, including Limited Use requirements:
- Gmail data used only for providing app features
- No Gmail data used for advertising
- No selling or sharing Gmail data with third parties
- No using Gmail data for surveillance or tracking
8. Data Handling & Retention
8.1 Data Retention Periods
| Data Type | Retention Period | Deletion |
|---|---|---|
| Email Content (Encrypted) | While account active | 30 days after account deletion |
| AI Summaries | While account active | 30 days after account deletion |
| Usage Logs | 90 days | Automatic |
| Error Logs | 30 days | Automatic |
| Backups | 90 days | Automatic rotation |
8.2 Data Deletion Process
- User requests account deletion
- Account immediately deactivated
- Gmail OAuth tokens revoked
- All user data queued for deletion
- Data permanently deleted within 30 days
- Confirmation email sent
9. Incident Response
9.1 Security Incident Procedures
- Detection: Automated monitoring and alerting
- Assessment: Severity classification within 1 hour
- Containment: Immediate isolation of affected systems
- Notification: Users notified within 72 hours (GDPR requirement)
- Remediation: Root cause analysis and fix deployment
- Review: Post-incident review and documentation
9.2 Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
- Email: shailaja.natarajan@sjrtchsrv.tech
- Subject: [SECURITY] Brief description
- We aim to respond within 24 hours
- We do not pursue legal action against good-faith security researchers
10. Contact & Support
Company Information
- Company: SJR Tech Services Ltd
- Registered: United Kingdom
- Email: shailaja.natarajan@sjrtchsrv.tech
- Website: https://mailwise.co
Privacy & Security Contacts
- Privacy Inquiries: shailaja.natarajan@sjrtchsrv.tech
- Security Reports: shailaja.natarajan@sjrtchsrv.tech
- Data Requests: shailaja.natarajan@sjrtchsrv.tech
Our Commitment: We are committed to maintaining the highest standards of security and privacy. This whitepaper will be updated as our security practices evolve. Last updated: January 2026.