# Security & Privacy

> How Slashy protects your data -- certifications, encryption, AI provider contracts, and data deletion.

Slashy handles your email, calendar, and contacts. Security is the foundation, not a feature.

<Frame>
  <img src="https://mintcdn.com/karvixinc/QNSZwc_JHcGXiTZF/images/screenshots/security-privacy-at-slashy.png?fit=max&auto=format&n=QNSZwc_JHcGXiTZF&q=85&s=1be7498ba6c0762db9fa897b51fb33dc" alt="Slashy security overview showing SOC 2, encryption, and privacy certifications" width="2844" height="1346" data-path="images/screenshots/security-privacy-at-slashy.png" />
</Frame>

## Certifications

| Certification           | Status                                                 |
| ----------------------- | ------------------------------------------------------ |
| **SOC 2 Type II**       | Audited annually                                       |
| **CASA Tier 2**         | Google Cloud Application Security Assessment -- passed |
| **Penetration Testing** | Quarterly, independent third-party firm                |
| **Encryption**          | AES-256 at rest, TLS 1.2+ in transit                   |

Full compliance docs: [slashy.com/security](https://slashy.com/security)

## AI and Your Data

**Does the AI train on my emails?** No.

Every AI provider is contractually bound to a zero-training agreement. Your data is processed to generate a response and then discarded.

| AI Provider        | Used For                      | Trains on Your Data?           |
| ------------------ | ----------------------------- | ------------------------------ |
| Anthropic (Claude) | Drafts, agent, automations    | No -- contractually prohibited |
| OpenAI             | Drafts, editing, autocomplete | No -- contractually prohibited |
| Google (Gemini)    | Categorization, search        | No -- contractually prohibited |
| Groq               | Fast inference tasks          | No -- contractually prohibited |

Only the minimum necessary context (email thread, memories, calendar if relevant) is sent to providers.

## Prompt Injection Protection

Malicious emails can contain hidden instructions to trick AI assistants. Slashy sanitizes and isolates incoming email content from system instructions before it reaches any model. The agent cannot take unauthorized actions and flags suspicious content.

## What Data Slashy Stores

* **Email metadata and content** -- cached for fast access
* **Calendar events** -- synced from Google Calendar
* **Agent conversations** -- your AI sidebar chat history
* **Memories** -- preferences, contacts, writing style
* **Automation logs** -- what ran and when
* **Usage analytics** -- anonymous, via PostHog

All stored data: AES-256 at rest, TLS 1.2+ in transit.

## OAuth Access Model

* Slashy never sees or stores your Google password
* You grant specific permissions you can revoke anytime at [myaccount.google.com/permissions](https://myaccount.google.com/permissions)
* OAuth tokens stored encrypted, refreshed automatically
* Same model applies to optional integrations (Zoom, Granola)

## Data Deletion Timeline

| Step          | Timing          | What Happens                                             |
| ------------- | --------------- | -------------------------------------------------------- |
| Revoke access | Immediate       | OAuth tokens invalidated. No more email/calendar access. |
| Hard delete   | Within 24 hours | All data permanently deleted from production.            |
| Backup purge  | Within 7 days   | Data removed from encrypted backups.                     |

Delete your account from **Settings > Account** or email [founders@slashy.com](mailto:founders@slashy.com).

## Trust at a Glance

<CardGroup cols={3}>
  <Card title="SOC 2 Type II" icon="shield-check">
    Audited annually by an independent firm
  </Card>

  <Card title="Zero-Training Guarantee" icon="lock">
    No AI provider trains on your data
  </Card>

  <Card title="AES-256 Encryption" icon="key">
    Data encrypted at rest and in transit
  </Card>
</CardGroup>

## Common Security Questions

<AccordionGroup>
  <Accordion title="Where is my data stored?">
    Encrypted servers in the United States, hosted on AWS with SOC 2 compliance. All data encrypted with AES-256 at rest and TLS 1.2+ in transit.
  </Accordion>

  <Accordion title="Do Slashy employees read my emails?">
    No. Employee access to production data is restricted, logged, and auditable. No one reads your email unless you explicitly share it for debugging.
  </Accordion>

  <Accordion title="Can I get your SOC 2 report?">
    Yes. Visit [slashy.com/security](https://slashy.com/security) to request the full report, pen test summary, and compliance documents.
  </Accordion>

  <Accordion title="Do you have a bug bounty program?">
    Yes. Email [founders@slashy.com](mailto:founders@slashy.com) with details. We respond within 24 hours.
  </Accordion>

  <Accordion title="Is Slashy safe for my company's data?">
    Yes. Slashy is built for professionals handling sensitive email. SOC 2 Type II audited, quarterly pen-tested, and all AI providers contractually prohibited from training on your data. Many VC firms, startups, and enterprise teams use Slashy for confidential communications.
  </Accordion>

  <Accordion title="What happens if Slashy is breached?">
    Slashy maintains an incident response plan tested quarterly. In the event of a breach, affected users are notified within 72 hours per GDPR requirements. Encrypted data at rest means raw email content is not exposed even if infrastructure is compromised.
  </Accordion>

  <Accordion title="Can I use Slashy with a Google Workspace admin policy?">
    Yes. Slashy uses standard Google OAuth 2.0 with scoped permissions. Your Workspace admin can approve Slashy as a trusted app and control which users can connect. See [Connecting Gmail](/getting-started/connecting-gmail) for permission details.
  </Accordion>
</AccordionGroup>

