Security at Qbox

    Last updated: July 9, 2026

    Qbox connects to your mailbox, calendar, and other communication accounts, so the security of that data is core to the product. This page describes the technical and organizational measures that are in place today. We only list controls that are actually implemented in the running service.

    Encryption

    • In transit: all traffic between your browser, our application, and our providers is encrypted with TLS.
    • At rest: data stored in our database, file storage, and backups is encrypted at the infrastructure layer using AES-256.
    • OAuth tokens: the access and refresh tokens that let Qbox reach your mailbox and calendar are additionally encrypted at the application layer with pgcrypto, above the infrastructure encryption. The encryption key is held in Supabase Vault, tokens are readable only through a small set of audited, server-side database functions, and access is monitored for anomalous patterns.

    Tenant isolation

    Every tenant-scoped table in our database is protected by Postgres row-level security, so a signed-in user can only ever read or write their own account's rows. This isolation is enforced by the database itself rather than only in application code, which means it holds even if application logic has a bug.

    Data retention and deletion

    • Account deletion: when you delete your account, deletion is scheduled with a 30-day grace period during which you can cancel. After that, your data is permanently removed and you receive a deletion receipt.
    • Complete removal: our account-deletion routine purges every table that holds your data. This full-table coverage is verified by an automated test in our CI pipeline, so a newly added table cannot silently escape deletion.
    • Disconnected accounts: when you disconnect a mailbox, calendar, or LinkedIn connection, the data synced from it is permanently deleted within 30 days.
    • Attachments: email attachment files kept in storage for processing are automatically deleted after 24 hours.

    AI and your content

    We use third-party AI models to draft and analyze email on your behalf. We do not train, fine-tune, or improve any AI model on your content, and we do not pool one customer's data with another's. Our AI providers process your content only to return a result to you, under contractual terms that likewise prohibit training on that data.

    Our use of Google Workspace APIs (Gmail and Google Calendar) adheres to the Google API Services User Data Policy, including the Limited Use requirements.

    Subprocessors

    We use a small set of vetted third-party providers to run the service. Each is listed, with its purpose and data-transfer safeguards, on our Subprocessors page. We update that page at least 30 days before adding or replacing a subprocessor that processes customer personal data.

    Reporting a vulnerability

    If you believe you have found a security vulnerability in Qbox, please report it to security@qbox-ai.com. Please give us enough detail to reproduce the issue and a reasonable amount of time to respond before any public disclosure. We do not currently run a paid bug-bounty program, but we appreciate and acknowledge good-faith reports.

    For more about how we handle your data, see our Privacy Policy.