Security & trust

Last updated: 18 April 2026

Plain-English summary: We treat access to your mailbox like money. EU-hosted, tokens held in a key-management vault with audit logging, encrypted in transit and at rest, passkey sign-in. DPA, breach process, and DPIA available on request.

Infrastructure

Hosted in Amsterdam, EU. All application and database instances run in the EU. No customer data is transferred outside the EEA for storage.
TLS everywhere. Every connection between you and Skub, and between Skub and our subprocessors, uses modern TLS. Certificates are auto-renewed.
Internal-only database. Reachable over our hosting provider's private network only; no public listener.

Access control

Passkey authentication. Sign-in uses passkeys — no passwords to leak, no password-reuse blast radius. Optional recovery email is off by default.
2FA on all maintainer accounts. Everyone with access to production infrastructure signs in with hardware-backed 2-Step Verification.
Principle of least privilege. Application services hold scoped credentials; no single environment variable unlocks full customer data.

How your mail-provider tokens are protected

OAuth tokens are held in a dedicated EU-hosted key-management vault — isolated from the application runtime. Every decryption is audit-logged.
Encryption keys never leave the vault; the application requests wrap/unwrap per operation using short-lived, least-privilege credentials.
Keys are split so that no single compromised system can unlock the vault. Recovery material is held offline, outside our cloud footprint.
Keys can be rotated without re-encrypting historical data.
Email bodies are not persisted beyond the short summary used to display a skub.
You can revoke Skub's access to any Gmail account at any time from myaccount.google.com/connections.

Specific algorithms, vendors, and configuration are documented in our DPIA, available under NDA on request.

Monitoring & incident response

Rate limiting on authentication-adjacent endpoints to absorb enumeration and brute-force attempts.
Webhook authentication with signature / shared-secret verification using constant-time comparison.
Audit trail. Every user-initiated action (reply, move, archive, rule-edit, delete) is recorded and visible to the user.
Breach notification. If we identify a personal-data breach, we notify Datatilsynet within 72 hours and affected users without undue delay, per GDPR Art. 33 & 34.

Subprocessors

We use a small set of vetted third parties to deliver the service. Each is bound by a written data-processing agreement. Categories:

Infrastructure / hosting (EU-hosted in Amsterdam)
Passkey authentication provider (EU tenant)
Mail-provider APIs — only for mailboxes you explicitly connect; today Gmail, with more providers planned
AI processing provider — LLM calls to summarise and draft replies. Contractually prohibited from retaining your content beyond the individual request, and from training models on your data.
Messaging platform — for skub delivery
Payments provider (EU data region) — never sees card details; we never store them

The full, named subprocessor list and each DPA is available on request via the privacy request form.

Compliance artefacts on request

Enterprise and business customers can request the following under NDA — email the sales contact form or the privacy request form and mention which you need:

Data Processing Agreement (DPA) — pre-signed by Provenance Tags ApS, activates on counter-signature.
DPIA summary — data protection impact assessment covering Skub's processing scope, risks, and mitigations.
Subprocessor list with their respective DPAs / terms.
Incident response runbook.

Self-hosted option

If your policy rules out SaaS handling of mail — regulated industry, internal-only, or just preference — Skub is available as a self-hosted Enterprise install. In that mode, Provenance Tags ApS is not a data processor; your team operates the deployment in your own infrastructure with your own LLM keys and your own mail-provider credentials.

Security FAQ

Where is our data stored?

All application and database instances run inside the EU, in Amsterdam. No customer data is transferred outside the EEA for storage.

Is data encrypted at rest?

Yes. OAuth tokens for your connected mailboxes are held in a dedicated key-management vault with per-decrypt audit logging. Account data, skubs, and preferences are stored in an EU-hosted Postgres database with encryption at rest provided by the infrastructure layer.

Will Skub use my email content to train AI?

No. Our AI provider is contractually prohibited from retaining your content beyond the individual request and from training any model on your data. Skub itself does not run any model training. We do not aggregate your mail data with other users'.

Do you have a DPA?

Yes — pre-signed by Provenance Tags ApS and activated on your counter-signature. Request via the privacy request form (pick “Other”, write “DPA” in the details) or through the Enterprise form.

Do you have SOC 2 / ISO 27001 / PCI?

Not at our current stage. Our underlying infrastructure and payment processors carry SOC 2, ISO 27001, and PCI DSS certifications in their own right; our processing of personal data is governed by the DPA above and the mitigations described in our DPIA. We are happy to complete vendor security questionnaires on request. Self-hosted Enterprise installs bring the regulatory boundary entirely inside your own environment.

What happens if Skub's vault is unavailable?

Mail operations fail closed — we would rather return an error than serve a stale cached credential. Active Skub delivery would pause until the vault is reachable again. Your data is unaffected.

What happens when I delete my account?

Every row tied to your account is removed within minutes: skubs, preferences, sender states, mail-connection tokens, actions. The Hanko passkey identity is also deleted so the username frees up. See our privacy policy for the full list.

How do I get notified of a security incident?

If we identify a personal-data breach that affects you, we notify the Danish Data Protection Authority (Datatilsynet) within 72 hours and you without undue delay, as required by GDPR Art. 33 & 34.

Which subprocessors do you use?

Categories are listed above. The full, named list with each DPA is available under NDA on request via the privacy form.

Can I audit what Skub has done on my behalf?

Yes. Every action — tap, rule hit, auto-acted message — is recorded in your action log, visible to you in the app. A daily digest of silent automation (rule hits, auto-archives) is on the roadmap.

How do I report a vulnerability?

See below.

DPIA

We maintain a Data Protection Impact Assessment under GDPR Art. 35 covering scope, lawful basis, risks, and mitigations. Full document available under NDA on request via the privacy form — mention “DPIA” in the details.

Reporting a vulnerability

Submit security reports via the request form on our privacy page — pick “Other” and write “Security report” in the details. We acknowledge within 48 hours and aim to remediate critical issues within 30 days. We won't pursue researchers who act in good faith.

Provenance Tags ApS · Denmark