Last updated · June 2026
Security
Access model
- Read-only mailbox access. We never send, edit, or delete mail.
- Scoped by admin. Only mailboxes your admin connects are monitored.
- Client allowlist. We only analyze email exchanged with domains on your allowlist — internal and personal mail is filtered at ingest.
- Revocable. Disconnect any mailbox or domain in one click.
Infrastructure
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Hosted on SOC 2 Type II infrastructure with least-privilege IAM.
- Row-level isolation per organization in our datastore.
- Continuous monitoring, vulnerability scanning, and quarterly penetration testing.
AI and data use
Customer email content is not used to train third-party foundation models. All model calls are routed through providers with zero-retention agreements.
Compliance
GDPR and CCPA aligned. DPA available — see Data Processing Addendum. SOC 2 Type II in progress.
Disclosure
Report vulnerabilities to security@sonargenius.com. We commit to acknowledging reports within 2 business days.