Security Practices

Learn how CallMail protects your data and maintains security standards.

Last updated: February 14, 2026

Security Overview

CallMail is designed with security and privacy at its core. We follow industry best practices to protect your data and maintain the trust you place in our service.

Encryption in Transit

All data encrypted via TLS 1.3

Encryption at Rest

Database encryption via Supabase

Minimal Data Access

Read-only Gmail metadata only

OAuth 2.0

Secure Google authentication

Data Protection

Token Security

  • Google OAuth tokens stored securely in encrypted database
  • Tokens automatically refreshed every 30 minutes
  • Refresh tokens stored in httpOnly, Secure cookies - never exposed to client-side JavaScript
  • OAuth state parameter validation prevents CSRF attacks
  • Users can revoke access anytime via Google Account settings

Database Security

  • PostgreSQL database hosted on Supabase with encryption at rest
  • Row Level Security (RLS) policies ensure users can only access their own data
  • Regular automated backups with point-in-time recovery
  • Database connections encrypted via SSL/TLS

Application Security

  • Hosted on Vercel with automatic DDoS protection
  • HTTPS enforced on all endpoints with HSTS preload
  • Content Security Policy (CSP) with frame-ancestors none
  • Rate limiting on all authentication and data mutation endpoints
  • Input validation and sanitization on all user-facing API routes
  • API routes protected with signature verification (QStash)
  • Comprehensive audit logging for security-relevant events
  • No sensitive data in client-side logs or error messages

Access Controls

Access to user data is strictly controlled and limited to what is necessary for providing the service:

  • Gmail Access: Read-only access to email metadata (sender, subject, timestamp). We never read email body content.
  • User Data: Users can only access and modify their own VIP contacts, keywords, and settings.
  • Admin Access: Administrative access is limited to essential operations and logged for audit purposes.

Incident Response

In the event of a security incident affecting user data, we commit to:

  • Notification: Notify affected users within 72 hours via email
  • Containment: Immediately isolate affected systems and prevent further exposure
  • Investigation: Conduct a thorough investigation to determine scope and cause
  • Remediation: Implement fixes and preventive measures
  • Reporting: Provide a detailed incident report to affected users

Compliance

Google API Services Compliance

CallMail complies with the Google API Services User Data Policy, including Limited Use requirements. We undergo annual CASA Tier 2 security assessments to maintain compliance with Google verification requirements.

Data Protection

We implement appropriate technical and organizational measures to protect personal data, including: encryption, access controls, regular security reviews, and employee training.

Security Reporting

If you discover a security vulnerability, please report it responsibly:

Contact:

burke@omnisound.xyz

Please include detailed information about the vulnerability and steps to reproduce. We will respond within 48 hours and work with you to address the issue.