Security & Encryption

Last updated May 2026

Nexamail is built on the principle that your inbox is yours. This page explains exactly how we protect it — in plain language, no jargon.

Encryption

  • In transit: TLS 1.2+ on every connection between your browser, our servers, and email providers.
  • At rest: AES-256 on the database and on every storage bucket.
  • OAuth tokens: Refresh tokens are stored encrypted, scoped to a single account, and never exposed to client-side code.

OAuth permissions — what we ask for and why

When you connect Gmail or Outlook, you'll see a consent screen listing exactly what we need. We ask for the minimum scopes required and nothing more.

  • Read mail — so we can show your inbox, draft replies, and surface follow-ups. We never read messages we don't display to you.
  • Send mail — only used when you hit Send. Nexamail never sends on your behalf without explicit approval.
  • Calendar (optional) — used to show meeting context next to email threads. Skip this scope and email still works fully.
  • Offline access (refresh token) — lets us sync new mail in the background without forcing you to log in every hour.

You can revoke Nexamail's access at any time from your Google or Microsoft security settings — disconnection is immediate.

How AI processing works

  • AI runs only on emails you've already chosen to surface — drafts, summaries, follow-up detection.
  • Prompts are transient: under our enterprise terms with the AI providers (OpenAI, Google), they process prompts in memory and do not retain content for model training.
  • Your data is never blended into a shared training corpus, sold, or shown to other Nexamail users.
  • You can disable AI memory entirely from Settings → Privacy & Safety. Existing memory can be wiped in one click.

Database & access controls

  • Row-level security on every table — your data is invisible to other users at the database layer, not just at the API layer.
  • Service-role keys live only on the server, never in browser code, and only privileged backend operations use them.
  • Session tokens are short-lived JWTs sent in Authorization headers — never in URLs or request bodies that could leak into logs.
  • Rate limiting on AI endpoints prevents abuse and protects your quota.

Billing security

We never see or store your card details. Payments are processed by Stripe (PCI-DSS Level 1). We only store the subscription status and the customer reference Stripe gives us.

Infrastructure

  • Edge delivery via Cloudflare with DDoS mitigation.
  • Database hosted on Supabase with daily encrypted backups (30-day rolling).
  • Application servers run in isolated regions with no shared state between users.

What we will never do

  • Sell your data, ever.
  • Train AI models on your private emails.
  • Send mail or accept calendar invites without your explicit approval.
  • Retain OAuth tokens after you disconnect an account.
  • Share your inbox content with advertisers or third parties.

Responsible disclosure

If you've found a vulnerability, please report it to security@nexamail.ai. We aim to acknowledge within 48 hours and remediate critical issues within 7 days. We don't pursue researchers acting in good faith.

Status & uptime

Real-time status: status.nexamail.ai.