Trust & Security
Security
VerbaPulse is built for enterprise teams where communications are sensitive. Here is exactly how we handle your data, who has access to it, and what we do to protect it.
🔒
No email storage
Email content is processed in memory and discarded immediately after analysis. Never written to disk.
🔐
Encrypted in transit
All data moves over HTTPS/TLS 1.2+. No plaintext communication at any layer.
📊
No person-level tracking
Analytics are aggregated at the team and department level. We never surface individual user behavior.
How Email Content Is Processed
When you trigger an analysis in the Chrome Extension or Outlook Add-in, the following happens:
Your device → HTTPS/TLS → VerbaPulse API → HTTPS/TLS → OpenAI API
Text extracted from active compose window only, never background reading
Text held in memory → analysis returned → memory discarded. Nothing written to database.
Only anonymized event metadata (risk type, risk level, accept/dismiss action) is stored, never the email content itself.
- The extension reads only the text field currently in focus; it does not scan other tabs, your inbox, or sent mail.
- Analysis is triggered explicitly by you (on keystroke pause), not passively in the background.
- Email text is never logged, cached, or written to any database at any stage.
- Analysis results (risk positions, suggestions) are held only in browser memory and cleared when you close the compose window.
Transport Security
- All client-to-server communication is enforced over HTTPS with TLS 1.2 minimum (TLS 1.3 preferred).
- HTTP requests are automatically redirected to HTTPS.
- All server-to-OpenAI communication is over HTTPS via OpenAI's official API endpoint.
- HSTS (HTTP Strict Transport Security) is configured on verbapulse.com.
Authentication & Access Control
- Passwords are hashed with bcrypt (cost factor 12, unique per-password salt). Plaintext passwords are never stored or logged.
- Session tokens are cryptographically random and expire after 30 days of inactivity.
- Organization administrators manage team access; they can add and remove users at any time from the Admin panel.
- Role separation: members see only their own usage; admins see organization-level analytics.
- VerbaPulse staff do not have access to your organization's email content; it is never stored.
Infrastructure
- Backend hosted on AWS in the EU (Frankfurt, eu-central-1) on a dedicated server with automated security updates.
- Database contains only account data, anonymized event logs, and organization policy guidelines, never email content.
- Server access is restricted to SSH key authentication only, with no password-based login.
- Firewall rules restrict inbound traffic to HTTPS (443) and SSH (22) only.
- Automated daily database backups with 7-day retention.
OpenAI Integration
VerbaPulse uses OpenAI's API (gpt-4o) to perform language risk detection. Key facts about this integration:
- OpenAI's API data usage policy explicitly states that content submitted via API is not used to train OpenAI models.
- Email text is sent to OpenAI solely to generate a risk analysis response and for no other use.
- VerbaPulse does not attach account identifiers (your name, login email, or company name) to the text sent for analysis; only the text itself is transmitted. Note that the message you choose to analyze may itself contain personal data; teams handling regulated or highly sensitive communications should contact us about EU-region processing and zero-retention options.
- OpenAI retains API inputs for up to 30 days for abuse monitoring, after which they are deleted. See OpenAI's API data usage policy.
Sub-processors
| Provider | Purpose | Data shared | Region |
| --- | --- | --- | --- |
| Amazon Web Services | Application and database hosting | Account data, anonymized event logs, policy guidelines | EU (Frankfurt, eu-central-1) |
| OpenAI | Language risk analysis | Email body text only (no PII) | United States |
| SendGrid (Twilio) | Transactional email delivery | Recipient email address, first name | United States |
| Google Analytics | Website traffic measurement | Anonymized page views (no PII) | United States |
We maintain a complete and up-to-date list of sub-processors. Enterprise customers may request notification of sub-processor changes by contacting [email protected].
Data Residency
VerbaPulse's application and database are hosted on AWS in the EU (Frankfurt, eu-central-1). Account data, anonymized event logs, and uploaded policy guidelines are stored in the EU. Email content is processed transiently and never stored, so data residency requirements related to persistent storage do not apply to email content.
Language risk analysis is performed by OpenAI in the United States (see Sub-processors above). Teams handling regulated or highly sensitive communications can contact us about EU-region AI processing and zero-retention options.
Vulnerability Disclosure
If you discover a security vulnerability in VerbaPulse, please report it responsibly to [email protected] with the subject line "Security Disclosure". We commit to:
- Acknowledge your report within 2 business days.
- Provide an initial assessment within 5 business days.
- Keep you informed of remediation progress.
- Credit researchers who report valid vulnerabilities (with their permission).
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.