Security & Trust

Last updated May 12, 2026

This page documents how U-Mail protects workspace data, what the product does and does not process, and how to report something suspicious.

Independently security-assessed

U-Mail passed a Google CASA (Cloud Application Security Assessment) Tier 2 review through an authorized third-party lab, covering authentication, data handling, and our OAuth integration with Gmail and Microsoft.

9.7/10 CASA score

Encryption & storage

How data stays protected in transit and at rest.

  • 01

    Do you persist my email content?

    No. Messages stay inside your provider account. U-Mail streams content only long enough to complete the requested action, then discards it. Bodies, attachments, and inline images are not written to our database or backups.
  • 02

    How is traffic secured?

    Requests terminate on TLS 1.2+ with standard edge protections including HSTS, strict referrer handling, and frame/content-type protections. Mutating API calls require authenticated server-side token verification and an allowed origin.
  • 03

    How are provider tokens protected?

    Provider refresh tokens are encrypted with AES-256-GCM before storage. Access is restricted to server-side paths, audited, and unavailable to client reads.
  • 04

    What happens to temporary processing inputs?

    Temporary processing happens in memory and is released when the response completes unless a feature explicitly requires saved user configuration.

Provider layer & threat signals

What U-Mail adds on top of Gmail and Microsoft.

  • 01

    Why a second layer at all?

    Providers already handle infrastructure, spam, and malware defense. U-Mail adds a behavioral layer on top so unusual sender patterns, reply-to drift, and relationship context can be reviewed without changing provider truth.
  • 02

    How are suspicious senders detected?

    The engine compares sender domain, reply-to, cadence, attachment behavior, and timing patterns against established history and raises named reason codes when drift appears.
  • 03

    Does it read my email body?

    No. Threat and prioritization signals come from lightweight metadata such as headers, addresses, timestamps, attachment shape, and behavioral history. There is no language model in the threat path.
  • 04

    Can I override the engine?

    Yes. Your safe/threat decisions and sender corrections outrank inferred signals for your account and do not affect other users.
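
As an added illustration of the metadata-only drift checks described in this section (not U-Mail's code), the sketch below builds a per-sender history from headers alone and returns named reason codes for a new message. The reason-code names, the choice to key history on display name, and the sample headers are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages: headers only, empty bodies.
BASELINE = [
    "From: Dana Lee <dana@example.com>\nContent-Type: text/plain\n\n",
    "From: Dana Lee <dana@example.com>\nReply-To: dana@example.com\n\n",
]
DRIFTED = ("From: Dana Lee <dana@example.com>\n"
           "Reply-To: billing@example.net\n"
           "Content-Type: multipart/mixed; boundary=b\n\n")

def _meta(raw):
    """Extract header-only metadata; the body is never inspected."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    # With no Reply-To header, replies go to the From address.
    _, reply = parseaddr(msg.get("Reply-To", "") or msg.get("From", ""))
    return {
        "name": name.strip().lower(),
        "from_domain": addr.rpartition("@")[2].lower(),
        "reply_domain": reply.rpartition("@")[2].lower(),
        # "Attachment shape" approximated by the top-level content type.
        "has_attachment": msg.get_content_type() == "multipart/mixed",
    }

def build_history(raw_messages):
    """Map display name -> domains and attachment behavior seen so far."""
    history = {}
    for raw in raw_messages:
        m = _meta(raw)
        h = history.setdefault(
            m["name"], {"from": set(), "reply": set(), "attach": False})
        h["from"].add(m["from_domain"])
        h["reply"].add(m["reply_domain"])
        h["attach"] = h["attach"] or m["has_attachment"]
    return history

def reason_codes(raw, history):
    """Return hypothetical reason codes for drift against history."""
    m = _meta(raw)
    h = history.get(m["name"])
    if h is None:
        return ["NO_HISTORY"]
    codes = []
    if m["from_domain"] not in h["from"]:
        codes.append("SENDER_DOMAIN_DRIFT")
    if m["reply_domain"] not in h["reply"]:
        codes.append("REPLY_TO_DRIFT")
    if m["has_attachment"] and not h["attach"]:
        codes.append("NEW_ATTACHMENT_BEHAVIOR")
    return codes
```

Cadence and timing checks would extend the same history record with Date-header statistics; they are omitted here to keep the example to one case.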

Access control

Who can see what inside U-Mail.

  • 01

    How are privileged roles separated?

    Role-based access control defines what admins, reviewers, and contributors can do. Privileged actions are logged and auditable.
  • 02

    Is MFA supported?

    Yes. SSO plus MFA are supported and encouraged. Idle sessions expire after seven days, and suspicious sign-ins can trigger forced re-authentication.

Infrastructure & monitoring

Where U-Mail runs and how it is monitored.

  • 01

    Where is U-Mail hosted?

    Google Cloud Platform with regional failover, built-in DDoS protection, edge rate limiting, and automated encrypted backups.
  • 02

    Do you use third-party monitoring?

    Yes. Sentry handles error tracking with PII scrubbing enabled. Internal telemetry monitors uptime, latency, and abuse detection patterns.

Compliance & disclosure

Independent assessment, regulations, and reporting.

  • 01

    Have you been independently security-assessed?

    Yes. U-Mail passed a Google CASA Tier 2 review with a 9.7/10 score through an authorized third-party assessor.
  • 02

    Which regulations and vendors matter here?

    U-Mail is GDPR and UK GDPR aligned, CCPA compliant, and uses Google Cloud, Stripe, Resend, and Sentry under strict data processing agreements.
  • 03

    How do I report a vulnerability?

    Email support@u-mail.ai with reproduction steps, observed impact, and affected environment. We acknowledge within 24 hours and share status updates every 72 hours until resolved.

Report a vulnerability

Need to reach the security team?

Email support@u-mail.ai with reproduction steps and impact details. We acknowledge within 24 hours and stay in touch until resolution.