Security & Privacy

You decide where your data lives and which AI touches it.

Most AI tools give you one option: their cloud, their models, their rules. InboxIQ is different — you can run it fully managed, bring your own LLM keys, or deploy the entire stack on your own infrastructure. Your support email is sensitive. You should control where it goes.

Last updated: March 2026

Choose your deployment model

Available now ☁️

Cloud

Fully managed by Kalevent

  • Zero setup — works out of the box
  • AWS us-west-2, AES-256 at rest
  • AI via InboxIQ's OpenAI account
  • Data processed by OpenAI API (no training on inputs)

Default for all accounts

Available now 🔑

Bring Your Own LLM

Your API key, your AI endpoint

  • OpenAI, Anthropic, Ollama, or any OpenAI-compatible endpoint
  • Your email content goes to your AI account, not InboxIQ's
  • API key stored encrypted, never logged
  • Switch or remove at any time
Configure in Settings →
Coming soon 🏢

Self-hosted

Your infrastructure, Kalevent license

  • Deploy InboxIQ on your own cloud or data centre
  • Your data never leaves your infrastructure
  • Helm chart + Docker Compose provided
  • Use your own LLM or self-hosted Ollama
Notify me when ready →
Coming soon 🔒

Air-gapped

Zero outbound. Fully offline.

  • No external network calls — ever
  • AI via local Ollama (runs on your hardware)
  • Meets the strictest government & defence requirements
  • Offline license validation
Contact us →
Active Encryption in Transit TLS 1.2+ everywhere
Active Encryption at Rest AWS RDS AES-256
Active BYOL AI Routing Settings → AI Provider
Active Threat Detection AWS GuardDuty
Active Dependency Scanning GitHub Dependabot
Active Secret Scanning Gitleaks — every commit
Active Code Analysis Semgrep OWASP Top 10
Active Container Scanning Trivy — every deploy
Active Audit Trail Activity Log — Settings
Active Right to Erasure GDPR Article 17 — Settings
Active Incident Response Plan 72hr breach notification
In Progress SOC 2 Type II Pursuing 2026

Infrastructure & Storage

  • Hosted on AWS (us-west-2) — all data stored within Amazon Web Services infrastructure. AWS maintains ISO 27001, SOC 2, and GDPR compliance at the infrastructure level.
  • Encryption at rest — PostgreSQL database uses AWS RDS with AES-256 encryption. File attachments are stored in S3 with server-side encryption.
  • Encryption in transit — all communication between your browser, our servers, and third-party APIs uses TLS 1.2 or higher.
  • File attachment isolation — uploaded files are served from a dedicated isolated domain (files.kalevent.com) with strict security headers, preventing cross-site data exposure.
  • Customer data isolation — every database query is scoped to your account. No customer can access another's tickets, leads, or email data, enforced at the application layer.

AI Sub-processors

By default (Cloud tier), InboxIQ uses OpenAI's API to power email triage, draft replies, and lead scoring. Switch to BYOL in Settings → AI Provider and your email content goes to your chosen endpoint instead — InboxIQ's OpenAI account is never used for that traffic.

Sub-processor Purpose Data sent
OpenAI (API) Email triage, draft replies, lead scoring (Cloud tier only) Email subject & body text
Amazon Web Services Compute, database, file storage, email delivery (SES) All customer data (stored)
OpenAI API data policy: OpenAI's API Data Processing Agreement prohibits using API inputs to train models. Your email content is processed to generate a response and is not retained beyond the request. See OpenAI's API data usage policy.

Access Control

  • Role-based access — team members are assigned roles (Owner, Admin, Agent, Viewer). Each role limits what data and settings a user can access or change.
  • JWT authentication — sessions use short-lived signed tokens. No persistent session cookies that could be silently hijacked.
  • Passkey & TOTP support — team members can secure accounts with hardware passkeys or authenticator app 2FA in addition to passwords.
  • Argon2 password hashing — passwords are hashed with Argon2id, the winner of the Password Hashing Competition and current OWASP recommendation. Argon2 is intentionally slow and memory-hard, making offline brute-force attacks impractical even if the database were ever compromised.
  • Immutable activity log — every security-relevant action (sign-in, 2FA changes, inbox connections, role changes, AI provider updates) is written to an append-only audit log scoped to your account. View your full history anytime at Settings → Activity Log, and export it as CSV for compliance or audit purposes.
  • Right to erasure (GDPR Article 17) — account owners can permanently delete their account and all associated data directly from Settings → Security → Delete account. Billing records are anonymised and retained for 7 years as required by law. All other data is hard-deleted immediately.

Vulnerability Management & Secure Development

  • Static application security testing (Semgrep) — every pull request is automatically scanned with Semgrep using the OWASP Top 10, Flask security, and secrets detection rule sets. The pipeline is configured to block merges if any finding is reported — no defective code can reach production.
  • Secret scanning (Gitleaks) — every commit is scanned for accidentally committed API keys, tokens, private keys, and credentials. The check runs in CI before any code is merged, preventing secrets from ever entering the codebase history.
  • Container image scanning (Trivy) — the production Docker image is scanned for OS-level and library CVEs on every build before it is pushed to the container registry. High or critical vulnerabilities block the deploy pipeline.
  • Automated dependency scanning (Dependabot) — GitHub Dependabot scans all Python dependencies weekly and automatically opens pull requests to patch vulnerable packages before they can be exploited.
  • Branch protection & required checks — the main branch is protected. All three security scans (Semgrep, Gitleaks, Trivy) plus dependency validation must pass before any code merge is permitted. No one — including administrators — can bypass these gates.
  • Infrastructure threat detection — AWS GuardDuty continuously monitors CloudTrail logs, VPC flow logs, and DNS traffic for suspicious activity such as credential abuse, port scanning, or communication with known malicious IPs.
  • Incident Response Plan — we maintain a documented IRP with P1/P2/P3 severity classification, 72-hour GDPR breach notification procedures, and post-incident review requirements.

Observability & Monitoring

All tracing and LLM observability runs on our own infrastructure — self-hosted Arize Phoenix inside our Kubernetes cluster. Traces, including LLM inputs and outputs, never leave our servers to a third-party analytics platform.

Compliance Roadmap

  • SOC 2 Type II — in progress. We are building the controls and evidence program required for a SOC 2 Type II audit. We expect to complete our first audit in 2026.
  • GDPR — we publish a Data Processing Agreement (DPA) for EU customers on request. Email support@kalevent.com to receive a signed DPA.
  • HIPAA — not yet supported. Do not use InboxIQ for processing Protected Health Information (PHI) until HIPAA controls are published.

Vulnerability Disclosure

If you discover a security vulnerability in InboxIQ, please report it responsibly to support@kalevent.com with the subject line "Security vulnerability". We will acknowledge your report within 48 hours and keep you updated as we investigate and remediate. We ask that you give us reasonable time to fix the issue before public disclosure.

Questions?

For security, privacy, data deletion requests, or to request a signed DPA — reach us via support@kalevent.com or use the feedback form inside the app (Dashboard → Feedback tab) to report bugs, billing issues, or anything else.

Ready to take control of your support inbox?

Your data stays where you want it. Start with our managed cloud — or bring your own LLM key from day one.

Start free trial →

No credit card required