Security

PureBox runs on Azure Container Apps with TLS 1.2+ for all traffic in transit. Our primary database is hosted on Supabase (SOC 2 Type II certified). All data at rest is encrypted via AES-256 through our cloud providers' managed encryption. Infrastructure is deployed using infrastructure-as-code with automated security scanning on every deployment.

User authentication is handled by Supabase Auth supporting email/password and Google SSO. Gmail access uses OAuth 2.0 with the minimum required scopes—you can revoke access at any time from your Google Account security page or from the PureBox account settings. Multi-factor authentication is required on all operator accounts with access to production infrastructure.

PureBox processes email metadata (sender, subject, labels) for classification purposes. No message bodies are stored long-term. Classification data is retained for up to 30 days after which it is automatically purged. We support Data Subject Access Requests (DSARs)—contact us to exercise your right to access, export, or delete your data.

Row-Level Security (RLS) is enforced on all user-scoped database tables with auth.uid() = user_id policies, ensuring complete user-scoped data isolation. Even in the event of a backend bug, one authenticated user cannot read another user's records. Application secrets are stored in Azure managed secret stores and access is granted on a least-privilege basis.

Real-time structured logging is provided via Better Stack with automated alerts for anomalous activity. Sensitive fields are redacted from logs. User-facing mailbox writes are recorded in an in-app activity log so you can audit every change PureBox makes to your inbox.

If you believe you've found a security vulnerability, please email support@purebox.ai. We ask that you give us a reasonable window to investigate and remediate before public disclosure. We do not currently run a paid bounty program, but we recognize good-faith researchers in release notes on request.