Security & trust

Opening soon — what you're reading here is the architecture Skub will launch with.

Last updated: 20 April 2026

Plain-English summary: We treat access to your mailbox like money. EU-hosted, tokens held in a key-management vault with audit logging, encrypted in transit and at rest, passkey sign-in. DPA, breach process, and DPIA available on request.

How your data actually flows

Most AI email tools store everything they learn about you in their own databases. We don't.

When a new email arrives:

Skub fetches it from your mailbox using your OAuth token.
The email content is processed in memory — never written to our disks.
Our AI provider classifies it under a zero-retention contract.
Skub decides what to do (notify you, ignore, route to a folder).
The original email content is discarded from memory.

What we hold

Your OAuth token (headless vault, scope-bounded, audit-logged, revocable)
Your login session (passkey-based)
Your subscription status (for billing)

What we don't hold

Your email content
Your preferences or rules
Your VIPs or learned patterns
Your history with Skub

This isn't a policy. It's the architecture.

Known limitations

Google still sees your email. It lives on Gmail.
Our AI provider sees email content briefly during processing. Zero-retention contract.
Telegram sees the notifications we send. Not end-to-end encrypted.
OAuth tokens are technically readable by Skub. Protected by vault, scope minimization, audit logging, one-click revocation.

For stronger guarantees, Skub is self-hostable.

Infrastructure

Hosted in Amsterdam, EU. All application instances run in the EU. No customer data is transferred outside the EEA.
TLS everywhere. Every connection between you and Skub, and between Skub and our subprocessors, uses modern TLS. Certificates are auto-renewed.
Headless vault. Reachable only over our hosting provider's private network; no public listener. No human can log into it — access only through deployed code, every use audit-logged.

Access control

Passkey authentication. Sign-in uses passkeys — no passwords to leak, no password-reuse blast radius. Optional recovery email is off by default.
2FA on all maintainer accounts. Everyone with access to production infrastructure signs in with hardware-backed 2-Step Verification.
Principle of least privilege. Application services hold scoped credentials; no single environment variable unlocks full customer data.

How your mail-provider tokens are protected

OAuth tokens are held in a dedicated EU-hosted key-management vault — isolated from the application runtime. Every decryption is audit-logged.
Encryption keys never leave the vault; the application requests wrap/unwrap per operation using short-lived, least-privilege credentials.
Keys are split so that no single compromised system can unlock the vault. Recovery material is held offline, outside our cloud footprint.
Keys can be rotated without re-encrypting historical data.
Email bodies are not persisted on our servers. Content is processed in memory and discarded immediately after a notification is dispatched.
You can revoke Skub's access to any Gmail account at any time from myaccount.google.com/connections.

Specific algorithms, vendors, and configuration are documented in our DPIA, available under NDA on request.

Vault options — where your OAuth tokens live

By default, every connected mailbox's OAuth token is wrapped into Skub Vault — the EU-hosted key-management vault described above. No configuration required; this is what you get on skub.me.

Self-hosted Enterprise installs, regulated tenants, or anyone who wants OAuth blast-radius to end inside their own infrastructure can choose a different vault at connect time:

Skub Vault (default, recommended) — EU-hosted, audit-logged, scope-bounded. Zero configuration.
Google Cloud Secret Manager — your GCP project, your IAM. You grant Skub's service account secretmanager.secretAccessor on a specific secret path.
AWS Secrets Manager — your AWS account, your IAM role.
Azure Key Vault — your subscription, your access policy.
Self-hosted HashiCorp Vault (or compatible) — for the Enterprise self-hosted install.

Honest note. In multi-tenant SaaS mode, Skub still needs a small credential to reach your external vault — that credential itself lives in Skub Vault. True “your keys, your infrastructure” only exists in a self-hosted Enterprise install, where Skub runs entirely inside your environment.

At launch: Skub Vault default for SaaS; the others available today in self-hosted installs. Google Cloud Secret Manager is next on the SaaS roadmap; others ship on demand — ask us.

Monitoring & incident response

Rate limiting on authentication-adjacent endpoints to absorb enumeration and brute-force attempts.
Webhook authentication with signature / shared-secret verification using constant-time comparison.
Audit trail. Every user-initiated action (reply, move, archive, rule-edit, delete) is recorded and visible to the user.
Breach notification. If we identify a personal-data breach, we notify Datatilsynet within 72 hours and affected users without undue delay, per GDPR Art. 33 & 34.

Subprocessors

We use a small set of vetted third parties to deliver the service. Each is bound by a written data-processing agreement. Categories:

Infrastructure / hosting (EU-hosted in Amsterdam)
Passkey authentication provider (EU tenant)
Mail-provider APIs — only for mailboxes you explicitly connect; today Gmail, with more providers planned
AI processing provider — LLM calls to summarise and draft replies. Contractually prohibited from retaining your content beyond the individual request, and from training models on your data.
Messaging platform — for skub delivery
Payments provider (EU data region) — never sees card details; we never store them

The full, named subprocessor list and each DPA is available on request via the privacy request form.

Compliance artefacts on request

Enterprise and business customers can request the following under NDA — email the sales contact form or the privacy request form and mention which you need:

Data Processing Agreement (DPA) — pre-signed by Provenance Tags ApS, activates on counter-signature.
DPIA summary — data protection impact assessment covering Skub's processing scope, risks, and mitigations.
Subprocessor list with their respective DPAs / terms.
Incident response runbook.

Self-hosted option

If your policy rules out SaaS handling of mail — regulated industry, internal-only, or just preference — Skub is available as a self-hosted Enterprise install. In that mode, Provenance Tags ApS is not a data processor; your team operates the deployment in your own infrastructure with your own LLM keys and your own mail-provider credentials.

Security FAQ

Where is our data stored?

Everything Skub holds about you — OAuth tokens, subscription status, connection metadata — runs on EU-hosted infrastructure in Amsterdam. No customer data is transferred outside the EEA. We don't maintain a database of your email content or learned preferences; those stay under your control.

Is data encrypted at rest?

Yes. OAuth tokens for your connected mailboxes are held in a dedicated key-management vault with per-decrypt audit logging. Operational data (subscription status, connection metadata, encrypted OAuth tokens) is stored in an EU-hosted key-management vault; user content (email, preferences, rules, history) is not stored on our servers — see our landing page for the full data flow.

Will Skub use my email content to train AI?

No. Our AI provider is contractually prohibited from retaining your content beyond the individual request and from training any model on your data. Skub itself does not run any model training. We do not aggregate your mail data with other users'.

Do you have a DPA?

Yes — pre-signed by Provenance Tags ApS and activated on your counter-signature. Request via the privacy request form (pick “Other”, write “DPA” in the details) or through the Enterprise form.

Do you have SOC 2 / ISO 27001 / PCI?

Not at our current stage. Our underlying infrastructure and payment processors carry SOC 2, ISO 27001, and PCI DSS certifications in their own right; our processing of personal data is governed by the DPA above and the mitigations described in our DPIA. We are happy to complete vendor security questionnaires on request. Self-hosted Enterprise installs bring the regulatory boundary entirely inside your own environment.

What happens if Skub's vault is unavailable?

Mail operations fail closed — we would rather return an error than serve a stale cached credential. Active Skub delivery would pause until the vault is reachable again. Your data is unaffected.

What happens when I delete my account?

Everything Skub holds is removed within minutes: your OAuth tokens are wiped from the vault, the connection metadata and subscription reference are deleted, and your passkey identity is removed so the username frees up. Derived data you've kept under your own control (preferences, rules, history) stays where you chose to keep it — or is removed with the mailbox if you revoke Skub's access at Google. See our privacy policy for the full list.

How do I get notified of a security incident?

If we identify a personal-data breach that affects you, we notify the Danish Data Protection Authority (Datatilsynet) within 72 hours and you without undue delay, as required by GDPR Art. 33 & 34.

Which subprocessors do you use?

Categories are listed above. The full, named list with each DPA is available under NDA on request via the privacy form.

Can I audit what Skub has done on my behalf?

Yes. Every action — tap, rule hit, auto-acted message — is recorded in your action log, visible to you in the app. A daily digest of silent automation (rule hits, auto-archives) is on the roadmap.

How do I report a vulnerability?

See below.

DPIA

We maintain a Data Protection Impact Assessment under GDPR Art. 35 covering scope, lawful basis, risks, and mitigations. Full document available under NDA on request via the privacy form — mention “DPIA” in the details.

Reporting a vulnerability

Submit security reports via the request form on our privacy page — pick “Other” and write “Security report” in the details. We acknowledge within 48 hours and aim to remediate critical issues within 30 days. We won't pursue researchers who act in good faith.

Provenance Tags ApS · Denmark