Security & privacy

Credentials

IMAP/SMTP passwords and OAuth refresh tokens are encrypted with an asymmetric envelope scheme (RSA envelope encryption with AES-256-GCM) before they're stored. The components that serve the portal and the MCP endpoint only ever hold the public key — they can encrypt new credentials, but never decrypt existing ones. Recovering the credentials from outside is technically impossible.

Mail content

Mail content is never persisted on our side. On a tool call the requested message is loaded directly from your source mailbox (IMAP or Microsoft Graph), returned to the caller, and then dropped. Attachment download URLs are cryptographically signed (HMAC-SHA256) and valid for at most 15 minutes.

Audit log (Business)

Every MCP tool call is recorded with timestamp, tool, mailbox, client and result. Business accounts can view and filter the audit log in the portal. Download / export is on the roadmap.

Hosting

inboxmcp.io runs on our own infrastructure in German data centres and is built for high availability and scale.

Privacy policy & DPA

Privacy policy
Imprint
DPA for Business accounts on request: support@inboxmcp.io

Credentials​

Mail content​

Audit log (Business)​

Hosting​

Privacy policy & DPA​

Credentials

Mail content

Audit log (Business)

Hosting

Privacy policy & DPA