Security at Pullsy
Last updated: January 13, 2026
Security and privacy are core to how Pullsy is built. We know you’re trusting us with one of your most sensitive assets—your inbox—and we take that responsibility seriously.
This page outlines our current security and compliance practices and will evolve as we improve our systems.
1. Security Principles
Pullsy is designed around a few simple principles:
- Minimize access: We request and store only the data needed to provide the service.
- Encrypt data: We protect data in transit and at rest using modern cryptography.
- Limit internal access: Production access is restricted and controlled by least-privilege.
- Continuous improvement: Security is an ongoing program—not a one-time checkbox.
2. Compliance and Assessments
2.1 SOC 2
SOC 2 Type II (In Progress): Pullsy is actively working toward SOC 2 Type II compliance. We are aligning our policies, procedures, and technical controls with SOC 2 requirements and plan to undergo independent audits.
If you’d like updates on our SOC 2 program or need security review materials, contact us at [email protected].
2.2 GDPR
For users and customers in the European Economic Area (EEA) and United Kingdom (UK), Pullsy is built to support GDPR requirements:
- We can act as a data processor for email and related data processed on behalf of customers.
- We support data subject rights (access, rectification, deletion, portability) subject to appropriate authentication.
- We enter into Data Processing Agreements (DPAs) with customers where required.
- When transferring personal data outside the EEA/UK, we rely on appropriate safeguards (such as Standard Contractual Clauses, where applicable).
For GDPR or DPA inquiries, contact [email protected].
2.3 Google OAuth Verification & CASA
Pullsy integrates with Google services using OAuth. Our Google integration is approved through Google’s verification process, and we have completed the Cloud Application Security Assessment (CASA) required for applications that access sensitive Google user data.
CASA is an industry-standard assessment framework (under the App Defense Alliance) designed to strengthen security controls for cloud-to-cloud applications and protect user data.
3. Encryption
3.1 Encryption in Transit
Communications between your device and Pullsy are encrypted in transit using TLS (HTTPS), helping protect data from interception or tampering over the network.
3.2 Encryption at Rest
Data stored in production databases, backups, and file storage is encrypted at rest using industry-standard algorithms. Encryption keys are managed securely with restricted access and rotation practices where applicable.
4. Architecture and Hosting
Pullsy is hosted on reputable cloud infrastructure providers that maintain strong physical, network, and environmental security controls. Our architecture is designed for security and availability.
- Segregated environments: Production, staging, and development environments are separated to reduce risk.
- Network controls: Firewalls, security groups, and access restrictions limit connectivity to sensitive services and databases.
5. Access Controls and Authentication
- Least-privilege access: Only authorized team members can access production systems, and access is limited by role.
- Strong admin authentication: Administrative access uses strong authentication and is audited where appropriate.
- Customer authentication: We support secure sign-in and encourage strong, unique passwords and additional security controls where available.
- Session management: Sessions may expire after inactivity, and suspicious sessions may be invalidated as part of monitoring.
6. Application Security
- Secure development lifecycle: Security is considered during design, implementation, code review, and deployment.
- Testing and review: Changes are reviewed and tested to reduce common risks (injection, XSS, auth flaws, etc.).
- Dependency management: We monitor and update third-party libraries to address known vulnerabilities.
7. Data Access, Email Permissions, and AI Processing
7.1 Scoped permissions
Pullsy requests only the permissions necessary to deliver the features you enable. You can revoke access at any time through your provider (Google/Microsoft) or through Pullsy settings.
7.2 Drafts, not surprise sends
Pullsy is designed to organize and label messages, surface priorities, and generate draft replies. You stay in control: Pullsy does not send messages on your behalf without your review and clear action.
7.3 AI processing
Email content and related metadata may be processed by AI to classify and prioritize messages, suggest labels and categories, and generate draft replies or recommended actions.
- Purpose-limited: AI processing is used to provide the Pullsy experience (organization, summaries, and draft replies).
- Protected processing: We apply technical and organizational safeguards to protect data during processing.
7.4 Data use and model training
Pullsy does not sell your data. We use your data to provide the service, and we do not permit vendors that process customer content on our behalf to use it for their own purposes outside of delivering Pullsy’s functionality.
8. Data Retention and Deletion
- Retention: We retain account information and email-derived data only as long as necessary to provide the Services, operate the business, or comply with legal obligations.
- Account closure: When you close your account, we take steps to delete or anonymize your data within a reasonable timeframe, subject to backup retention and legal requirements.
- User controls: Where available, you can view, update, or delete certain information in-product. You may also request deletion or export at [email protected].
9. Vendor and Subprocessor Management
We use carefully selected third-party vendors (subprocessors) to help deliver the Services (e.g., cloud hosting, logging/monitoring, payments, and customer support).
- We evaluate vendor security practices relative to the data they handle.
- We use data protection terms where appropriate.
- We maintain an internal subprocessor list and can provide details upon request.
10. Monitoring and Incident Response
- Monitoring: We monitor key systems for uptime, performance, and anomalous behavior.
- Incident response: If we become aware of a security incident affecting customer data, we investigate, contain, assess impact, remediate, and—where required—notify customers and regulators within applicable timeframes.
11. Responsible Disclosure
We welcome responsible reports from security researchers and customers who believe they have discovered a vulnerability or security issue.
To report a potential issue, email [email protected] and include a description, steps to reproduce, and any relevant technical details. Please refrain from public disclosure until we’ve had a reasonable opportunity to investigate and remediate.
12. Contact
If you have questions about our security program, compliance posture, or data protection practices, contact us:
