Documentation Navigation

Security at InflowMail

Last updated: March 15, 2026

Your email is protected at every layer — from encryption to phishing detection.

SOC 2 Type II Ready AES-256 Encrypted Secure OAuth DDoS Protected GDPR Compliant

Encryption

Bank-Grade Encryption (AES-256)

All your data is encrypted at rest using AES-256 — the same standard used by banks and governments. Each organization gets its own unique encryption key for full isolation.

Encrypted in Transit (TLS)

Every connection is encrypted with modern TLS. Your browser always shows the padlock icon. We enforce HTTPS-only connections — no unencrypted access is possible.

Account Security

Two-Factor Authentication

  • Authenticator app support (Google Authenticator, Authy, etc.)
  • Backup codes in case you lose your device
  • Remember trusted devices for 30 days
  • Email verification for new devices

Login Protection

  • Automatic lockout after failed login attempts
  • Rate limiting blocks brute-force attacks
  • View and revoke active sessions anytime
  • Alerts when a new device signs in

Email Connection Security

We never see your email password. When you connect Gmail or Microsoft 365, you sign in directly with Google or Microsoft. We only receive a secure token — never your password. You can revoke access at any time from your provider's settings.

  • Secure OAuth with PKCE protection against interception attacks
  • Connection tokens encrypted with your organization's unique key
  • Minimal permissions requested — only what's needed to read and send email
  • Disconnect an account anytime — tokens are immediately revoked

Threat Protection

Phishing Detection

  • Every email is scored for phishing risk
  • Detects suspicious links and fake sender names
  • Warns you before you click dangerous links
  • Always on — no setup required

Attachment Safety

  • Flags risky file types (.exe, macros, scripts)
  • Visual warnings before you open attachments
  • Protects against common malware delivery
  • Always on — no setup required

DDoS & Network Protection

  • All traffic filtered through Cloudflare
  • Web Application Firewall blocks attacks
  • Automatic rate limiting on all endpoints
  • Global CDN for fast, reliable access

Data Isolation

  • Each organization's data is fully isolated
  • No cross-tenant access is possible
  • Complete audit trail of all actions
  • SOC 2 Type II ready compliance

Privacy by Default

We never sell your data
No third-party tracking or analytics
No tracking pixels in your emails
Export or delete your data anytime (GDPR)
BYOAI keys encrypted with AES-256

Learn more about how we protect your data:

Data Protection Privacy Policy
Was this page helpful?