Relieve Inbox
Security

Security at Relieve Inbox

Email is sensitive. We treat it that way. This page explains how we protect your account, your mailbox tokens, and the small amount of metadata we store.

Last updated: May 5, 2026

Authentication

  • Passwords are hashed with a modern, salted algorithm. We never see, store, or log them in plaintext.
  • Sessions use signed, encrypted cookies with strict same-site and secure flags.
  • Mailbox connections use your provider's OAuth flow — we never see or store your provider password.

Data protection

  • In transit: all traffic is served over TLS 1.2+ with HSTS.
  • At rest: OAuth tokens are encrypted with envelope encryption before being written to the database.
  • Minimization: we never store the body, subject, or attachments of any message — see our privacy policy.
  • Backups: encrypted and rotated. Recovery procedures are tested.

Application security

  • CSRF protection on all state-changing requests.
  • Strict Content Security Policy and modern security headers.
  • Dependency updates and automated vulnerability scanning in CI.
  • Principle of least privilege for production access.

Reporting a vulnerability

Found something? Please email security@relieveinbox.com. We'll acknowledge within one business day and keep you updated as we triage and remediate. We don't threaten or pursue legal action against good-faith researchers who follow this policy.

Please don't test against other people's mailboxes, don't exfiltrate user data, and give us a reasonable window to fix the issue before public disclosure.

← Back to home