You decide where your data lives
and which AI touches it.
InboxIQ gives you three deployment models and explicit control over which AI provider processes your emails. No surprises. No lock-in.
Pick the deployment that fits your security requirements
All plans start on Cloud. BYOL is available today. Self-hosted and Air-gapped are on the roadmap for compliance-heavy industries.
Cloud
InboxIQ manages infrastructure. Your emails are processed in our secure multi-tenant environment.
- TLS 1.3 in transit
- AES-256 at rest
- EU/US region selection
- SOC 2 (in progress)
BYOL — Bring Your Own LLM
Connect your own OpenAI, Anthropic, or Azure OpenAI key. AI calls go from your browser to your provider — we never see the payload.
- Zero data retention at InboxIQ for AI payloads
- Works with any OpenAI-compatible endpoint
- Rotate or revoke keys at any time
- Per-inbox key isolation
Self-hosted
Deploy InboxIQ inside your own VPC or private cloud. Full control over data residency and network egress.
- Docker + Kubernetes manifests
- Bring your own Postgres & Redis
- No outbound calls except to configured AI provider
Air-gapped
Fully isolated deployment with no internet connectivity. Purpose-built for regulated industries and government.
- Offline AI model support (Ollama compatible)
- Signed artefact bundles
- Audit-ready installation guide
Built for teams that take security seriously
Infrastructure
-
Encryption in transit (TLS 1.3)
All data in flight is encrypted using TLS 1.3.
-
Encryption at rest (AES-256)
Database and object storage encrypted at rest with AES-256.
-
Isolated file serving
User uploads served from files.kalevent.com — isolated from the main application domain.
Access Control
-
JWT-based authentication
Short-lived signed tokens. No session cookies stored on the server.
-
Passkey / WebAuthn support
Phishing-resistant hardware-bound login via FIDO2 passkeys.
-
Role-scoped API credentials
Developer API keys are scoped to specific permissions (intake:write, tickets:read).
Application Security
-
Dependency scanning
Dependabot monitors all packages for known CVEs.
-
Secret scanning
GitHub Advanced Security scans every commit for accidentally committed credentials.
-
Container image scanning
Every container build is scanned for OS-level CVEs before deployment.
-
SAST / code analysis
Static analysis runs on every pull request.
Compliance & Observability
-
Audit log
Every authenticated action is logged with user, timestamp, and IP. Visible to account owners in Settings.
-
Rate limiting on all public endpoints
Flask-Limiter enforces per-IP rate limits on every public-facing route.
-
GDPR-ready data controls
Account deletion, data export, and right-to-erasure requests supported.
-
Vulnerability disclosure programme
Responsible disclosure policy with 24-hour acknowledgement SLA.
We tell you exactly which AI sees your emails
| Provider | Used for | Data retention | Opt-out |
|---|---|---|---|
| OpenAI (default) | Email triage, draft replies | 0 days (Zero Data Retention policy) | Use BYOL to replace |
| Your provider (BYOL) | All AI features | Your own policy | N/A — you control it |
OpenAI Zero Data Retention
InboxIQ calls OpenAI's API with ZDR enabled. OpenAI does not use your emails to train models and retains no data after responding.
OpenAI ZDR policy →Compliance Roadmap
- SOC 2 Type I In progress
- GDPR Ready
- HIPAA Planned
- ISO 27001 Planned
Vulnerability Disclosure
We operate a responsible disclosure programme. If you discover a vulnerability, please report it to security@kalevent.com. We aim to acknowledge within 24 hours and resolve critical issues within 72 hours.
Report a vulnerability →Security Team
Questions about our security posture, penetration test results, or compliance documentation? Reach our security team directly.
security@kalevent.com →Ready to take control of your inbox data?
Start free — no credit card required. Configure BYOL in under 5 minutes.