Inbox2Sheet Security

Technical and organizational measures to protect your data

Last updated: Aug 30, 2025

At Inbox2Sheet, security is at the core of our service. We protect the data you forward to us using industry-standard technical and organizational measures ("TOMs") in line with GDPR Art. 32 and international best practices.

🔐 Encryption

  • In transit: All data is transmitted over TLS 1.2 or higher.
  • At rest: Data stored in our systems (emails, extracted fields, backups) is encrypted with AES-256.
  • Keys: Encryption keys are managed in a cloud key management service (KMS) and kept separate from the data they protect.

👩‍💻 Access Controls

  • Role-based access control (RBAC): Staff access is limited to the minimum necessary for their role.
  • Multi-factor authentication (MFA): Required for all internal admin systems.
  • Audit logging: All access to production systems is logged and monitored.
  • Principle of least privilege: No standing developer access to customer data.

🗄 Data Retention & Deletion

  • Default retention: Raw emails ≤30 days, logs ≤30 days, backups ≤90 days.
  • Self-service controls: Customers can set a retention period per mailbox (0, 1, 7, 30 or 90 days) and delete their data at any time.
  • Final deletion: Customer data is securely erased when the contract ends.

🚨 Incident Response

  • Monitoring: Continuous monitoring for anomalies and intrusions.
  • Response time: Security incidents are escalated internally within 24 hours of detection.
  • Notifications: Customers and the relevant supervisory authorities are notified within 72 hours of our becoming aware of a personal data breach.
  • Testing: Regular incident response simulations.

💾 Backup & Resilience

  • Backups: Encrypted backups are taken daily and retained for at most 90 days.
  • Disaster recovery: Redundant hosting infrastructure with regional failover.
  • Recovery testing: Periodic restore tests verify that our recovery point and recovery time objectives (RPO/RTO) are met.

✅ Vendor & Subprocessor Security

We only work with subprocessors that demonstrate strong security controls (SOC 2, ISO 27001 or equivalent). See our Subprocessors list. Examples:

  • Google Cloud (ISO 27001, SOC 2)
  • Stripe (PCI-DSS Level 1)
  • OpenAI (SOC 2, EU data residency)
  • Mailgun, EU region (ISO 27001)

🧩 Compliance

  • GDPR Art. 28 Data Processing Agreement (DPA) available at /legal/dpa.
  • EU Standard Contractual Clauses (SCCs) for international transfers.
  • UK International Data Transfer Addendum (IDTA).
  • EU-US Data Privacy Framework (where applicable).

📧 Contact

If you have security concerns or need a security questionnaire answered, contact us at: security@inbox2sheet.com.