Security at DayHelm

How we protect your data

We take a transparent, defense-in-depth approach: strong encryption for credentials, modern authentication standards, and clear documentation of what we do and do not store.

Credential Encryption: AES-256-GCM
Password Hashing: bcrypt 12
Provider Sign-In: OAuth 2.0

Encryption in Transit & at Rest

All traffic to DayHelm is served over TLS. OAuth tokens and 2FA secrets are encrypted at the application layer with AES-256-GCM before they touch the database, and the underlying database storage is encrypted by our infrastructure provider.

TLS 1.2+ (1.3 preferred): Enabled
AES-256-GCM (credentials): Enabled
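
As an added illustration (not DayHelm's code), this is one way application-layer AES-256-GCM encryption of a credential can look before the value reaches the database, using Node's built-in crypto module. The function names, the stored layout (version byte, nonce, tag, ciphertext) and the context string bound as associated data are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Constructed 32-byte key for the demo; a real deployment loads it from a secrets manager.
const KEY = crypto.randomBytes(32);

// Hypothetical helper: encrypt one credential field before it is written to the database.
// `context` (e.g. "user:42:oauth_refresh_token") is bound as AAD, so a ciphertext copied
// into another user's row or another column fails authentication on read.
function sealCredential(key, plaintext, context) {
  const nonce = crypto.randomBytes(12);            // 96-bit nonce, fresh per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();                 // 16-byte authentication tag
  // Stored value: version byte || nonce || tag || ciphertext, base64 for a text column.
  return Buffer.concat([Buffer.from([1]), nonce, tag, ct]).toString('base64');
}

function openCredential(key, stored, context) {
  const buf = Buffer.from(stored, 'base64');
  if (buf.length < 1 + 12 + 16 || buf[0] !== 1) throw new Error('unsupported credential format');
  const nonce = buf.subarray(1, 13);
  const tag = buf.subarray(13, 29);
  const ct = buf.subarray(29);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the key, context, nonce, tag or ciphertext does not match.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns true if opening succeeds, false if authentication fails.
function opens(key, stored, context) {
  try { openCredential(key, stored, context); return true; } catch { return false; }
}

// Constructed sample value, not a real token.
const stored = sealCredential(KEY, 'constructed-refresh-token-123', 'user:42:oauth_refresh_token');
console.log(openCredential(KEY, stored, 'user:42:oauth_refresh_token'));
console.log(opens(KEY, stored, 'user:43:oauth_refresh_token')); // wrong row: authentication fails
```

Because the nonce is random per call, encrypting the same token twice yields different stored values, which keeps equal credentials from being recognizable in a database dump.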

Secure Authentication

Multi-factor authentication, OAuth 2.0, and industry-standard authentication protocols ensure only authorized access to your account.

Multi-Factor Auth: Available
OAuth 2.0: Enabled

Data Minimization

We avoid storing sensitive content we don't need. Email bodies are fetched on demand from your provider rather than copied into our database — only metadata and short snippets are cached. You can export or delete your data at any time.

Email bodies stored: No
Export & deletion: Self-serve

Hardened Backend

Passwords are hashed with bcrypt (12 rounds) and blocked if they appear on our common-weak-password list. Errors are captured via Sentry, and every API request carries a correlation ID for traceable structured logging.

Bcrypt (12 rounds): Enabled
Weak-password blocking: Enabled

Privacy Rights

GDPR-aligned data practices with self-serve export and erasure. California residents: see our California Privacy Rights notice for CCPA/CPRA disclosures.

GDPR-aligned: Yes
CCPA/CPRA disclosures: Published

Access Controls

Admin and user roles are separated, and session-based auth scopes every request to the owning user. Sensitive actions are recorded in your audit log.

Admin/user role separation: Enabled
Per-user audit log: Enabled

Data Handling Practices

Data Minimization

We only collect and process the minimum data necessary to provide the service. Email bodies are fetched on demand from your provider rather than copied locally.

Scoped OAuth Access

We request only the OAuth scopes needed for each integration and never ask for write access we don't use. You can disconnect any integration at any time.

Audit Logging

Sensitive actions — sync events, integration changes, data exports, and deletions — are recorded in a per-user audit log.

Incident Response

Error Monitoring

Application errors are captured via Sentry with request correlation IDs so issues can be traced end-to-end.

Rate Limiting

Authentication, OAuth, and AI endpoints are protected by Redis-backed rate limits to slow brute-force and abuse attempts.

Breach Notification

In the event of a confirmed personal-data breach, we'll notify affected users and the relevant supervisory authority in line with GDPR's 72-hour requirement.

Standards & Compliance

The cryptographic primitives, authentication standards, and privacy regulations we build against. We do not currently hold third-party certifications such as SOC 2 — we'll publish them here when we do.

AES-256-GCM

Industry-standard encryption for data at rest and in transit

Enabled

OAuth 2.0

Token-based authentication. PKCE applied to Google and Microsoft sign-in flows.

Enabled

GDPR Compliant

Full compliance with EU data protection regulations

Compliant

CCPA / CPRA

California resident rights disclosed in our privacy notice.

Disclosed

Security FAQ

Common questions about our security practices and data protection.

How is my data encrypted?

Traffic between you and DayHelm is served over TLS. OAuth tokens and 2FA secrets are encrypted at the application layer with AES-256-GCM before they're written to the database. The underlying database storage is also encrypted at rest by our infrastructure provider.

What email content do you store?

We store metadata (sender, recipients, subject, labels, timestamps) and a short snippet for previews. Full email bodies are not copied into our database — when you open a message, we fetch it on demand from Gmail or Outlook using your OAuth token.

Who has access to my data?

Access is restricted to the small number of operators required to run the service. Sensitive actions on your account are recorded in your audit log, which you can review.

How do you handle security incidents?

If we confirm a personal-data breach, we'll notify affected users and the relevant supervisory authority in line with GDPR's 72-hour requirement, and publish a post-incident summary.

Is my data backed up?

Your data lives in a managed PostgreSQL database whose backups are handled by our infrastructure provider with their standard retention policy. Because we don't store email bodies, the source of truth for your email content remains your provider account.

Can I export or delete my data?

Yes. You can export a JSON archive of your account data and request full deletion from your settings page at any time, in line with GDPR's data portability and erasure rights.

Security Concerns or Questions?

Our security team is here to help. Report vulnerabilities responsibly or get answers to your security questions.