Certifications
| Certification | Status |
|---|---|
| SOC 2 Type II | Audited annually |
| CASA Tier 2 | Google Cloud Application Security Assessment — passed |
| Penetration Testing | Quarterly, independent third-party firm |
| Encryption | AES-256 at rest, TLS 1.2+ in transit |
AI and Your Data
Does the AI train on my emails? No. Every AI provider is contractually bound to a zero-training agreement. Your data is processed to generate a response and then discarded.| AI Provider | Used For | Trains on Your Data? |
|---|---|---|
| Anthropic (Claude) | Drafts, agent, automations | No — contractually prohibited |
| OpenAI | Drafts, editing, autocomplete | No — contractually prohibited |
| Google (Gemini) | Categorization, search | No — contractually prohibited |
| Groq | Fast inference tasks | No — contractually prohibited |
Prompt Injection Protection
Malicious emails can contain hidden instructions to trick AI assistants. Slashy sanitizes and isolates incoming email content from system instructions before it reaches any model. The agent cannot take unauthorized actions and flags suspicious content.What Data Slashy Stores
- Email metadata and content — cached for fast access
- Calendar events — synced from Google Calendar
- Agent conversations — your AI sidebar chat history
- Memories — preferences, contacts, writing style
- Automation logs — what ran and when
- Usage analytics — anonymous, via PostHog
OAuth Access Model
- Slashy never sees or stores your Google password
- You grant specific permissions you can revoke anytime at myaccount.google.com/permissions
- OAuth tokens stored encrypted, refreshed automatically
- Same model applies to optional integrations (Zoom, Granola)
Data Deletion Timeline
| Step | Timing | What Happens |
|---|---|---|
| Revoke access | Immediate | OAuth tokens invalidated. No more email/calendar access. |
| Hard delete | Within 24 hours | All data permanently deleted from production. |
| Backup purge | Within 7 days | Data removed from encrypted backups. |
Enterprise Security FAQ
Where is my data stored?
Where is my data stored?
Encrypted servers in the United States, hosted on AWS with SOC 2 compliance.
Do Slashy employees read my emails?
Do Slashy employees read my emails?
No. Employee access to production data is restricted, logged, and auditable. No one reads your email unless you explicitly share it for debugging.
Can I get your SOC 2 report?
Can I get your SOC 2 report?
Yes. Visit trust.delve.co/slashy to request the full report, pen test summary, and compliance documents.
Do you have a bug bounty program?
Do you have a bug bounty program?
Yes. Email founders@slashy.com with details. We respond within 24 hours.
Connecting Gmail
OAuth permissions and what Slashy accesses.
Your First Week
Day-by-day onboarding guide.