Security & Privacy

Your customers' data is sensitive. Here's exactly how MailBridge handles it.

Encryption

In transit

All data is transmitted over TLS 1.2+. API requests, webhook deliveries, and dashboard connections are encrypted end-to-end.

At rest

Email content, credentials, and integration tokens are encrypted at rest using AES-256-GCM. Integration credentials (OAuth tokens, API keys) are stored in an encrypted JSONB column — never in plain text.

Database

Your PostgreSQL database is encrypted at the storage layer. Backups are also encrypted.

Data storage

MailBridge stores the following data associated with your organisation:

Inbound emails

Subject, body, sender — stored encrypted, linked to a request.

Triage results

Category, priority, summary, confidence score.

Replies

Content and timestamp of every reply sent to a customer.

Webhook events

Raw event payloads — retained for 7 days, then automatically deleted.

Integration credentials

OAuth tokens and API keys — encrypted at rest, never logged.

PII handling

Before email content is sent to the AI model, MailBridge strips financially and medically sensitive data. The original full email is stored encrypted and is never sent to any AI provider. See AI Triage → PII handling for the full list of what is preserved and what is stripped.

Data retention

| Data type | Retention period |
| --- | --- |
| Requests & emails | Until account deletion |
| Replies | Until account deletion |
| Webhook event payloads | 7 days (auto-deleted) |
| Audit logs | 90 days |

To request early deletion of your data, contact us.

API key security

API keys are shown only once at creation — we store only a hashed version. If you lose a key, revoke it and generate a new one from Settings → API Keys.

Never share API keys in client-side code or public repositories.

Use environment variables to inject keys into your server-side applications.

Rotate keys periodically or immediately if you suspect a key has been compromised.

Each key can be labelled — use separate keys for development and production.
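Why a lost key cannot be recovered and must be revoked: a minimal sketch of a hash-only key store. This is an added example, not MailBridge's code; the ApiKeyStore class, the mbk_ key format and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """Hypothetical key store that keeps only SHA-256 digests of issued keys."""

    def __init__(self):
        # key_id -> {"digest": bytes, "label": str, "revoked": bool}
        self._records = {}

    def create(self, label):
        """Issue a key. The plaintext is returned once and never stored."""
        key_id = secrets.token_hex(4)
        # 256 random bits: high entropy, so a fast hash is enough here
        # (unlike passwords, there is nothing to guess from a dictionary).
        plaintext = f"mbk_{key_id}_{secrets.token_urlsafe(32)}"  # assumed format
        self._records[key_id] = {
            "digest": hashlib.sha256(plaintext.encode()).digest(),
            "label": label,
            "revoked": False,
        }
        return key_id, plaintext

    def verify(self, presented):
        """Return the key's label if it is valid and not revoked, else None."""
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != "mbk":
            return None
        record = self._records.get(parts[1])
        # Unknown ids are compared against a dummy digest so the work done
        # is the same whether or not the id exists.
        expected = record["digest"] if record else bytes(32)
        digest = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(digest, expected):
            return None
        if record is None or record["revoked"]:
            return None
        return record["label"]

    def revoke(self, key_id):
        """Mark a key unusable; lost or leaked keys are revoked and replaced."""
        record = self._records.get(key_id)
        if record is None:
            return False
        record["revoked"] = True
        return True
```

Because only the digest is kept, a database leak does not expose usable keys, and separately labelled keys can be revoked independently.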

GDPR

MailBridge is designed with GDPR principles in mind:

Data minimisation: only the data necessary for the triage and routing function is processed.

Purpose limitation: email content is only used for AI triage. It is not used for training AI models.

Right to erasure: contact us to delete all data associated with your organisation at any time.

Data processing: we act as a data processor. Your organisation is the data controller for the emails your customers send.

For a Data Processing Agreement (DPA) or GDPR-specific questions, email hello@mailbridge.ai.