Trust
OneBoxflow is built for organisations that take email security seriously. Every layer — from token storage to admin access — is designed assuming hostile networks and curious insiders.
TLS 1.3 in transit. AES-256 at rest. Per-tenant token encryption with hot key rotation (PREV key support).
Postgres RLS on every table. user_roles table separated from profiles. Service-role keys never reach the browser.
SAML 2.0 SSO, SCIM 2.0 provisioning, WebAuthn / passkeys for admins. Step-up auth for sensitive actions.
Browser-side OpenPGP for compose & decrypt. Public keys cached per contact, audited key requests.
Primary data hosted in EU (Cloudflare + Supabase EU). Custom DPA on request. GDPR-aligned by default.
Hash-chained audit log. SIEM export to Splunk, Datadog, Elastic. Role-grant approval workflow.
We share them under NDA with prospects evaluating Enterprise plans.