Trust

Security & compliance

OneBoxflow is built for organisations that take email security seriously. Every layer — from token storage to admin access — is designed assuming hostile networks and curious insiders.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Per-tenant token encryption with hot key rotation (PREV key support).

Tenant isolation

Postgres RLS on every table. user_roles table separated from profiles. Service-role keys never reach the browser.

SSO + SCIM + MFA

SAML 2.0 SSO, SCIM 2.0 provisioning, WebAuthn / passkeys for admins. Step-up auth for sensitive actions.

PGP end-to-end

Browser-side OpenPGP for compose & decrypt. Public keys cached per contact, audited key requests.

EU residency

Primary data hosted in EU (Cloudflare + Supabase EU). Custom DPA on request. GDPR-aligned by default.

Tamper-evident audit

Hash-chained audit log. SIEM export to Splunk, Datadog, Elastic. Role-grant approval workflow.

Need our DPA, sub-processors list or pen-test report?

We share them under NDA with prospects evaluating Enterprise plans.