Your inbox is sensitive.
We treat it that way.
Curie reads your emails to help you work faster. That requires trust. Here's how we earn it.
Read-only by default
Curie connects to Gmail with a read-only scope. We can read your emails to prioritize them; sending, deleting, or modifying anything requires an explicit action from you.
Your data stays yours
Your emails power your team's experience only. We never share your data with other customers or use it to improve services for anyone else.
Encrypted everywhere
All data is encrypted at rest with AES and in transit with TLS. OAuth tokens are additionally encrypted with Fernet (AES-128-CBC with an HMAC-SHA256 authentication tag) before they are stored. Authentication is OAuth 2.0 with Google; we never store passwords.
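The paragraph above says OAuth tokens are Fernet-encrypted before storage. As an added example (not Curie's code), here is what that looks like in Python with the `cryptography` package, including the two things a practitioner wants to see: the ciphertext is tamper-evident, and keys can be rotated without losing access to existing rows. The `KEYS` list, the `seal_token`/`open_token` names and the sample refresh token are assumptions; in production the keys come from a secret manager, never from the database that holds the ciphertext.

```python
"""Encrypting OAuth refresh tokens before they reach the database.

Added example, not Curie's code. Assumes the ``cryptography`` package.
A Fernet token is: version byte || 64-bit timestamp || 128-bit IV ||
AES-128-CBC ciphertext || HMAC-SHA256 over everything before it.
"""
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Assumption: newest key first. Generated in-process here; in production
# this list is loaded from a secret manager at startup.
KEYS = [Fernet.generate_key()]


def _cipher() -> MultiFernet:
    # MultiFernet encrypts with KEYS[0] and tries every key on decrypt,
    # which is what makes rotation a two-step, zero-downtime operation.
    return MultiFernet([Fernet(k) for k in KEYS])


def seal_token(refresh_token: str) -> bytes:
    """Return the urlsafe-base64 Fernet token to store in the DB column."""
    return _cipher().encrypt(refresh_token.encode())


def open_token(ciphertext: bytes, max_age_seconds: Optional[int] = None) -> str:
    """Decrypt a stored token; optionally reject ciphertexts older than ``max_age_seconds``.

    Fernet verifies the HMAC before touching the ciphertext, so a modified
    or truncated row raises InvalidToken rather than yielding garbage.
    """
    try:
        return _cipher().decrypt(ciphertext, ttl=max_age_seconds).decode()
    except InvalidToken:
        raise ValueError("stored token failed authentication or is too old")


def is_valid(ciphertext: bytes) -> bool:
    """True if the stored ciphertext authenticates under one of the current keys."""
    try:
        open_token(ciphertext)
        return True
    except ValueError:
        return False


def rotate_key() -> bytes:
    """Add a fresh primary key. Rows sealed under the old key still decrypt."""
    new_key = Fernet.generate_key()
    KEYS.insert(0, new_key)
    return new_key


def reencrypt(ciphertext: bytes) -> bytes:
    """Re-wrap an old row under the current primary key (run as a background
    migration after rotate_key, then drop the old key from KEYS)."""
    return _cipher().rotate(ciphertext)


if __name__ == "__main__":
    # Constructed sample value, not a real Google refresh token.
    sealed = seal_token("1//0g-example-refresh-token")
    print(open_token(sealed))
    rotate_key()
    print(open_token(reencrypt(sealed)))
```

The caveat worth stating: Fernet protects the token at rest, but the key and the ciphertext must live in different trust domains, otherwise a database dump still yields plaintext tokens. The `ttl` check also only bounds the age of the ciphertext, not the lifetime of the Google refresh token inside it.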
Team-level isolation
Each team's data is logically isolated. Your emails, insights, and learned patterns are never visible to or influenced by other organizations.
Continuously tested
Every release is scanned with OWASP ZAP across 140+ security rules covering injection, XSS, authentication flaws, and more. Automated security testing runs in our CI/CD pipeline on every deployment.
Pursuing certification
We're actively working toward Cyber Essentials Plus and Google CASA Tier 2 certification to meet the highest standards for applications handling sensitive data.
Defense in depth
Multiple layers of protection at every level.
Authentication
- Google OAuth 2.0
- No password storage
- CSRF protection with signed state
- Revocable access tokens
- Token blacklisting on logout
- HttpOnly secure cookies
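"CSRF protection with signed state" in the list above refers to the OAuth 2.0 `state` parameter. As an added example (not Curie's code), the following Python shows one way to do it with the standard library only: the state carries a nonce, the browser session it was issued for, and an issue time, all covered by an HMAC, and the callback rejects anything forged, bound to a different session, stale, or replayed. `STATE_SECRET`, the ten-minute TTL, the in-process `_consumed` set, and the `make_state`/`verify_state` names are assumptions; a multi-process deployment would keep the consumed-nonce set in Redis or the database.

```python
"""Signed OAuth 2.0 ``state`` parameter with session binding and replay protection.

Added example, not Curie's code. Standard library only.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

STATE_SECRET = secrets.token_bytes(32)   # assumption: loaded from a secret manager in production
STATE_TTL_SECONDS = 600                  # a consent-screen round-trip should not take longer
_consumed = set()                        # assumption: shared store (Redis/DB) in production


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(session_id: str, now: Optional[float] = None) -> str:
    """Build ``payload.signature`` to send as the ``state`` query parameter."""
    payload = {
        "nonce": secrets.token_urlsafe(16),   # single-use value for replay detection
        "sid": session_id,                    # binds the flow to the browser that started it
        "iat": int(now if now is not None else time.time()),
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(STATE_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_state(state: str, session_id: str, now: Optional[float] = None) -> bool:
    """Validate the ``state`` echoed back on the callback. Any defect -> False.

    Order matters: the signature is checked before the payload is parsed,
    so unauthenticated input never reaches json.loads.
    """
    try:
        body, sig = state.split(".", 1)
        expected = hmac.new(STATE_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):   # forged or tampered
            return False
        payload = json.loads(_unb64(body))
        current = now if now is not None else time.time()
        if payload["sid"] != session_id:                     # login CSRF from another browser
            return False
        if current - payload["iat"] > STATE_TTL_SECONDS:     # stale state
            return False
        if payload["nonce"] in _consumed:                    # replayed callback
            return False
        _consumed.add(payload["nonce"])
        return True
    except (ValueError, KeyError, TypeError):                # bad base64, bad JSON, missing field
        return False


if __name__ == "__main__":
    s = make_state("session-abc")
    print("first callback:", verify_state(s, "session-abc"))    # True
    print("replayed callback:", verify_state(s, "session-abc")) # False
```

The signature alone only proves the server issued the state; the session binding is what stops a login-CSRF attack (an attacker completing the flow with a code from their own Google account in the victim's browser), and the nonce set is what stops a captured callback URL from being submitted twice.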
Application
- Role-based access control
- Team admin permissions
- Input validation & sanitization
- API rate limiting
- Security headers (CSP, HSTS)
- OWASP DAST scanning in CI/CD
Infrastructure
- TLS everywhere in transit
- AES encryption at rest
- Multi-tenant isolation
- Automated backups
- VPC network isolation
- WAF protection
Working toward certification
We're building Curie to meet the standards required by enterprise security teams and industry certifications.
In progress
Cyber Essentials Plus
The UK government-backed scheme for protecting against the most common cyber threats. We're implementing all five technical controls: firewalls, secure configuration, access control, malware protection, and patch management.
In progress
Google CASA Tier 2
The Cloud Application Security Assessment required for apps accessing sensitive Google user data. Our application has passed preliminary OWASP DAST scanning with zero failures across 140+ security rules.
How we handle your data
Transparency about what we access and what we don't.
What we access
- Email metadata (sender, recipient, subject, timestamp)
- Email body content for prioritization and drafts
- Thread history for context
- Calendar events (if connected) for scheduling context
What we never do
- Send emails without your explicit approval
- Share your data with other customers
- Use your emails to improve other customers' experience
- Store email content longer than necessary
- Access emails outside your connected accounts
- Google OAuth (verified): verified application with Google
- Security testing (automated): OWASP ZAP DAST scanning on every release
- Encryption (always-on): TLS in transit, AES at rest, tokens encrypted
- Access control (role-based): admin and member permissions per team
- CE+ & CASA (pursuing): working toward formal certification
Common questions
Can Curie send emails on my behalf?
Only if you explicitly approve each email. We generate draft suggestions, but you always review and click send. We never auto-send.
Who can see my emails?
Only you. Curie employees cannot access your email content. Our systems process data programmatically.
How do you test for security vulnerabilities?
Every release is scanned with OWASP ZAP, an industry-standard dynamic application security testing (DAST) tool, using 140+ passive and active scan rules covering SQL injection, cross-site scripting, authentication flaws, and more. We also run dependency vulnerability scanning and static analysis in our CI/CD pipeline.
What certifications are you pursuing?
We're actively working toward Cyber Essentials Plus (UK government-backed cybersecurity standard) and Google CASA Tier 2 (Cloud Application Security Assessment for apps handling sensitive Google user data). Our preliminary assessments show strong readiness across both frameworks.
How long do you store my data?
Email content is processed in real-time and cached temporarily for performance. We retain aggregated insights and learned patterns while your account is active. Upon account deletion, all data is purged within 30 days.
Can I revoke access?
Yes, instantly. Revoke Curie's access from your Google account's third-party connections page (myaccount.google.com/permissions) or disconnect within Curie. Either way our OAuth tokens stop working immediately and we begin deleting your data.
Does Curie learn from my emails?
Yes, but only for your team. Curie learns from your team's patterns (what you reply to, how you write, which actions you take) to improve suggestions for your team only. Your data never influences other customers' experience.
What happens if there's a breach?
We have documented incident response procedures including automated alerting, containment protocols, and a dedicated response team. We notify the relevant supervisory authority within 72 hours, as the UK GDPR and GDPR require, and affected customers without undue delay. We carry cyber liability insurance and conduct regular breach simulations.
Questions about security?
We're happy to discuss our security practices, provide documentation for your security review, or walk through our architecture with your team.
Security documentation
Architecture docs and security overview available upon request.
Responsible disclosure
Found a vulnerability? Email security@curiehq.com. We respond within 24 hours.