Security at Email2Chat

We access your email to deliver notifications — so we take security seriously. Here is exactly what we do to protect your data.

  • 🔒 OAuth only: no passwords stored
  • 🚫 No email storage: processed in memory
  • 🛡️ HTTPS + headers: HSTS, CSP, X-Frame
  • ✉️ DKIM + DMARC: authenticated email

OAuth 2.0 — We Never See Your Password

All email connections use OAuth 2.0 (Google, Microsoft). You authenticate directly with Google or Microsoft — we receive only a scoped access token. Your email password is never sent to or stored by Email2Chat.

  • Google: gmail.readonly scope — read-only access
  • Microsoft: delegated OAuth via Azure B2C
  • IMAP: credentials encrypted in database at rest

Email Content Is Never Stored

When a new email arrives, we fetch it, process it through our AI pipeline, forward the notification to your chat app, and discard the content from memory. We store only minimal metadata:

  • Message ID and timestamp — for deduplication only
  • Email subject — displayed as "last sent" in your dashboard
  • No email body, attachments, or sender details are saved

OAuth Tokens Stored Securely

Access and refresh tokens are stored in a PostgreSQL database with restricted access. Tokens are scoped to the minimum permissions required. If a token is revoked or expires, monitoring stops immediately and you are notified via Telegram to re-authorize.

HTTPS Everywhere + Security Headers

All traffic is encrypted via TLS. We enforce strict security headers on every response:

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Frame-Options: DENY
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy

Authenticated Email Sending

All transactional emails (verification codes) are sent via Brevo with full domain authentication:

  • SPF — authorizes Brevo to send on behalf of email2chat.com
  • DKIM — cryptographic signature on every email
  • DMARC — policy enforcement against spoofing

Passwords Hashed with scrypt

For IMAP accounts using local login, passwords are hashed using scrypt (via Werkzeug) — a memory-hard algorithm designed to resist brute-force attacks. Plain-text passwords are never stored.

Rate Limiting & Abuse Protection

All endpoints are rate-limited to prevent abuse. Webhook endpoints validate signatures before processing. Cloudflare sits in front of our infrastructure, providing DDoS protection and bot filtering.

Infrastructure

Email2Chat runs on dedicated cloud infrastructure with:

  • PostgreSQL database with restricted network access
  • Environment variables for all secrets (never in code)
  • Cloudflare CDN + WAF in front of all traffic
  • Daily database backups

Responsible Disclosure

Found a security vulnerability? We appreciate responsible disclosure. Please contact us privately before publishing.

[email protected]

Questions about security?

We are happy to answer any security questions before you connect your inbox.