Security

Last updated: December 2025

We treat your inbox like it's ours.

Rowuv handles people's most personal professional data: their inbox, their calendar, and their network. We design the Service around the assumption that the most important data we hold is the most sensitive. This page describes the controls we use to keep it safe.

OAuth-only access

We connect to your mail and calendar accounts via OAuth. No IMAP, no passwords. The tokens we receive are scoped to the operations the Service actually performs, and you can revoke them at any time from your provider's account settings or from Settings → Connections in Rowuv.

Encryption in transit and at rest

All traffic between your browser, our infrastructure, and the third-party services we rely on is encrypted in transit using industry-standard TLS. Data persisted on our servers is encrypted at rest. Sensitive secrets, including OAuth tokens, are additionally sealed using authenticated encryption with keys held outside the application database, so a database compromise alone does not yield usable secrets.

Tenant isolation

Every row in our database is gated by the user or workspace that owns it. Authorisation is enforced at the database layer, not just in application code, so a logic bug in a query cannot accidentally surface another user's data. Service accounts that bypass these checks are scoped narrowly and audited.

No content training

We do not use the contents of your mail, calendar, or LinkedIn imports to train AI models. AI features run on third-party model providers under commercial API agreements that contractually prohibit using your inputs for training.

Hosting and geography

The Service runs on managed cloud infrastructure in the European Union (Paris region). Some processing, AI inference in particular, may transfer data to providers in other jurisdictions under standard contractual clauses or equivalent safeguards.

Logging and access

We maintain access logs for our infrastructure and review them. Access to production systems is restricted to a small number of engineers, requires multi-factor authentication, and is logged. We do not browse customer data; engineers only access specific records when investigating a support request you have filed or an incident.

Vulnerability disclosure

If you believe you've found a security vulnerability, please email [email protected] with a description and steps to reproduce. We commit to acknowledging within two business days, keeping you informed while we investigate, and crediting you in any public disclosure (unless you prefer to remain anonymous). Please don't test against other people's data; if you need test data, ask us and we'll coordinate.

Incident response

If we discover a security incident affecting your data, we will notify you without undue delay and provide the information you need to protect yourself, in line with our obligations under GDPR and other applicable laws.

Compliance

The Service is designed to align with GDPR principles: lawful basis, data minimisation, purpose limitation, storage limitation, and the data-subject rights described in the Privacy Policy. We're working toward broader formal certifications as the company matures and will publish them here when achieved rather than before.

Contact

Security questions or reports: [email protected].