You're handing us the keys to your mailboxes and your clients' pipelines. That trust is the entire business. So security isn't a checkbox page here — it's how the system is built, from credential storage up to the access model.
Two layers that are non-negotiable: nothing moves in plaintext, and nothing rests in plaintext.
Every connection — browser to app, app to mailbox provider, service to service — is encrypted. Data at rest is sealed with AES-256, including databases, object storage and backups.
The most sensitive thing we hold is your access to a mailbox. OAuth is always preferred over passwords. Whatever we must store is encrypted with a key unique to your workspace — and never written to a log line.
The honest version. For Gmail and Microsoft we never see a password at all — only a scoped OAuth grant you can revoke. For raw SMTP, the credential is sealed before it ever lands in storage.
When you connect a Gmail or Microsoft 365 mailbox, NuMail receives a delegated OAuth token — scoped to sending and reading mail, nothing more. We never ask for, see, or store your account password.
For SMTP/IMAP mailboxes that have no OAuth path, the credential is encrypted with your workspace's own data-encryption key the moment it arrives. Decryption happens in-memory, only at send time, only for the worker handling that job.
Every workspace — and every agency sub-workspace — is a hard tenancy boundary. Services hold the narrowest grant that lets them do their one job, and everything they do is logged.
Every query is scoped to a workspace id at the data layer. Agency parent and sub-workspaces are separate tenancy boundaries — a sub-workspace cannot read another client's leads, mailboxes, or replies, and the parent only sees what the model explicitly grants.
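One way to enforce this kind of workspace scoping at the data layer, shown as an added example and not NuMail's own code. The schema, the `WorkspaceStore` class and the `grants` table are assumptions made for illustration, and the rows are constructed sample data.

```python
import sqlite3

SCHEMA = """
CREATE TABLE leads  (workspace_id TEXT NOT NULL, email TEXT NOT NULL);
CREATE TABLE grants (parent_id TEXT NOT NULL, sub_id TEXT NOT NULL);
"""

def build_demo_db():
    """Constructed sample data: one agency parent, two client sub-workspaces."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO leads VALUES (?, ?)", [
        ("sub-a", "ana@client-a.example"),
        ("sub-a", "al@client-a.example"),
        ("sub-b", "bo@client-b.example"),
    ])
    # The parent is explicitly granted read access to sub-a only.
    conn.execute("INSERT INTO grants VALUES ('agency', 'sub-a')")
    return conn

class WorkspaceStore:
    """Hypothetical data-layer wrapper: every read is bound to the caller's workspace id."""

    def __init__(self, conn, caller_workspace):
        self._conn = conn
        self._caller = caller_workspace

    def _may_read(self, target):
        # A workspace reads itself; anything else needs an explicit grant row.
        if target == self._caller:
            return True
        row = self._conn.execute(
            "SELECT 1 FROM grants WHERE parent_id = ? AND sub_id = ?",
            (self._caller, target),
        ).fetchone()
        return row is not None

    def leads(self, target=None):
        target = self._caller if target is None else target
        if not self._may_read(target):
            raise PermissionError(f"{self._caller} may not read {target}")
        # The workspace filter is a bound parameter, never string-built.
        rows = self._conn.execute(
            "SELECT email FROM leads WHERE workspace_id = ? ORDER BY email",
            (target,),
        )
        return [email for (email,) in rows]
```

Because callers never write their own `WHERE workspace_id = ...` clause, a forgotten filter cannot leak another client's rows; the deny path is the default for any workspace without a grant.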
The send worker can send. The reply detector can read inbound. The billing service can touch Stripe. No service carries a god-mode credential, and production secrets are injected at runtime — never committed, never baked into images.
Sensitive actions — mailbox connects and disconnects, member invites and role changes, API key creation, data exports — are written to an append-only audit log with actor, timestamp, and source. Agency owners get the trail for every sub-workspace.
Databases and queues live on private networking with no public ingress. Only the application edge is internet-facing, behind TLS termination and rate limiting. Outbound to mailbox providers goes over their official, authenticated APIs.
Point-in-time backups are encrypted and restore-tested. The job engine is idempotent and retry-safe, so a node failure mid-campaign never double-sends and never silently drops a scheduled email.
Role-based access on every plan. Single sign-on with SAML on the Agency tier, so your identity provider stays the source of truth.
Invite teammates with a role, not a free-for-all. Roles map cleanly to what a person actually needs — a copywriter drafting sequences shouldn't be able to rotate API keys or pull a billing export.
Connect your identity provider — Okta, Entra ID, Google Workspace, or any SAML 2.0 IdP. Provisioning and de-provisioning follow your directory, so off-boarding a team member there pulls their NuMail access with it.
Where we are today, stated plainly — no green checkmarks for things that aren't done yet.
We're mid-way through a SOC 2 Type II observation window with an independent auditor. Controls are implemented and being evidenced over time. Prospective customers under NDA can request the current status and the Type I report.
Built for GDPR from the data model up: lawful processing, data-subject deletion via a hard-delete endpoint, suppression lists, and EU-aware data handling. We act as processor; you remain the controller of your contact data.
A Data Processing Agreement is available for any customer who needs one — agencies signing it on behalf of their clients included. Our subprocessor list (hosting, AI inference, email infra) is published and kept current.
Security researchers make this product safer. If you've found a vulnerability, report it — you'll have our attention and our safe harbor.
Email us with a description and reproduction steps. We acknowledge reports quickly, keep you updated as we triage and fix, and credit researchers who want it. Good-faith research that follows this policy will not lead to legal action from us — that's our safe-harbor commitment.
✉ security@numail.ai
Reviewing NuMail for an agency or an enterprise rollout? We'll walk through architecture, sign your DPA, and answer the questionnaire.