Security & Privacy

Built so your inbox never leaves your inbox

Sivient reads, labels, and drafts directly against your email provider. Nothing is mirrored, archived, or training a model behind your back.

Read-in-place, never stored

Sivient classifies, drafts, and routes emails directly against your provider. Message bodies are not persisted to our database — labels and metadata are all we keep.

OAuth 2.0 only

Connect Gmail or Outlook via the official OAuth consent flow. We never see, store, or transmit your password. Revoke access at any time from your Google or Microsoft account.

Encrypted in transit and at rest

All traffic is TLS 1.2+. Tokens, configuration, and structured data are encrypted at rest in Supabase Postgres, hosted on a SOC 2-compliant cloud provider.

Least-privilege scopes

We request only the OAuth scopes a feature needs — read for labelling, write for drafts, calendar for scheduling. Skip a feature, and the corresponding scope is never asked for.

Role-based access control

Every workspace has owner, team-admin, and member roles. Sensitive endpoints verify the role server-side on every request. Owners can audit who has access at any time.

Audit-friendly logs

Every label applied, draft created, and route fired is recorded with the acting user and a timestamp. Export the trail when your compliance team asks for it.

How we handle your data

The questions security teams ask us most often.

Do you train AI models on my email content?

No. Your messages are never used to train shared models. Each classification, draft, or chat call sends only the relevant context to the model provider for that single request.

Where is my data hosted?

Application data is stored in Supabase Postgres. We use US-hosted regions by default; enterprise customers can request alternative regions during onboarding.

What can a Sivient employee see?

Engineers do not have routine access to customer data. Production access is gated and audited, and is used only for incident response or with your explicit consent.

How do I delete my data?

Disconnect Gmail/Outlook to revoke our access immediately, then delete your account from settings. We purge the associated rows within a 30-day rolling window.

Compliance roadmap

We build to the same controls SOC 2 Type II expects: change management, access reviews, vendor diligence, encryption, and incident response. Formal attestation is in progress — request our latest control summary if your procurement team needs it now.

  • GDPR-aligned data handling and DPA available on request.
  • Sub-processor list maintained and shared on request.
  • Annual penetration testing on the production environment.

Talk to security

Need a control summary, sub-processor list, DPA, or to report a vulnerability? Reach our team directly and we'll get back within one business day.