Security, Subprocessors & Integrated Services
Effective: June 8, 2026 · Last updated: June 8, 2026
SignalBox handles sensitive business relationship data, including mailbox metadata, CRM context, AI-generated signals, draft replies, OAuth credentials, and optional LinkedIn relationship data. This schedule explains the controls and third-party services that support the commitments in the Data Processing Addendum.
1. Security Principles
SignalBox is designed around six operating principles:
- Customer-authorized access. SignalBox connects to Google, Microsoft, HubSpot, LinkedIn, and other systems only when authorized by Customer, a Customer admin, or an authorized user.
- Zero-trust by design. SignalBox treats no network, component, or session as implicitly trusted. Every request is authenticated and authorized, each organization's data is isolated with database row-level security, backend jobs run under scoped service roles, and access follows least privilege — so a problem in one place doesn't open the door to another. With customer-managed keys, you can place protected data cryptographically beyond even our reach.
- Minimum necessary processing. SignalBox processes the data needed to provide sync, classification, relationship intelligence, and optional drafting. Full mailbox bodies are not kept as mailbox history.
- Encryption and isolation. High-value email personal data is protected with application-level encryption where implemented, database encryption at rest, encrypted vault storage for secrets, and organization-scoped access controls.
- Customer control. Customers can disconnect integrations, revoke access, delete organization data, and use customer-managed encryption keys where available.
- Plain-language trust. We avoid claiming certifications we have not completed. We can provide security documentation and questionnaires appropriate to the customer's review process.
2. What SignalBox Reads
SignalBox may read email headers and metadata such as sender, recipient, subject, timestamps, thread identifiers, message identifiers, mailbox identifiers, and attachment metadata.
Message body content may be accessed when needed for AI classification, relationship signals, voice capture, or AI-assisted drafting. SignalBox does not keep full email bodies as mailbox history. Bodies may be temporarily stored in encrypted form during AI processing and are purged after classification unless needed for an AI-assisted draft or another enabled feature.
For AI-assisted drafting, SignalBox may retain encrypted draft-related content while the draft is being generated, reviewed, deposited, reconciled, or deleted according to Customer's configured retention settings.
3. Core Security Controls
| Control | Current practice |
|---|---|
| Transport security | HTTPS/TLS for browser, API, provider, and webhook traffic |
| Database security | Managed PostgreSQL with encryption at rest and row-level security for org-scoped data |
| Application encryption | Per-organization envelope encryption for high-value email personal data where implemented |
| Secret storage | OAuth tokens, refresh tokens, API keys, IMAP credentials, and session secrets stored in encrypted vault storage |
| Customer-managed keys | BYOK and external KMS options for eligible enterprise configurations, including customer-owned AWS KMS, Google Cloud KMS, or Azure Key Vault keys where configured |
| Access control | Organization membership, role checks, authenticated edge functions, service-role isolation for backend jobs, and scoped database policies |
| OAuth controls | Least-privilege scope selection where provider APIs allow it; admin consent where required; disconnect and revocation flows |
| Logging | Audit and security-relevant events for account deletion, data deletion, sync operations, provider disconnects, and operational failures |
| Deletion | Immediate, irreversible organization deletion flow for SignalBox-held customer data, with documented carveouts for customer-owned external systems and lawful retention |
4. Account and Data Deletion
Customer admins can delete an organization from SignalBox. Deletion is designed to be immediate and irreversible, not a soft-delete queue.
During organization deletion, SignalBox removes:
- email sync records, deduplication hashes, sync logs, and attachment references;
- AI outputs, draft replies, decision queue entries, insights, and AI-generated content;
- CRM cache used for signal matching;
- LinkedIn relationship data, enrichment records, monitored entities, session credentials, and snapshots;
- generated email drafts, including best-effort deletion from Gmail or Microsoft 365 Drafts folders where possible;
- signals, events, activity history, mailbox configurations, OAuth tokens, provider credentials, organization settings, notification preferences, and user profile metadata associated with the organization;
- vault secrets for HubSpot, Gmail, Microsoft 365, IMAP, LinkedIn, BYOK AI provider keys, and org-scoped encryption material where applicable.
SignalBox also attempts external cleanup before destroying credentials. This may include uninstalling the HubSpot app, revoking supported HubSpot and Google OAuth tokens, and deleting SignalBox-created provider-side drafts.
The following are not deleted by default because they are outside SignalBox's control or serve a distinct lawful purpose:
- original emails in Customer mailboxes;
- HubSpot contacts, companies, deals, and default synced CRM records in Customer's HubSpot portal;
- HubSpot email engagements and uploaded attachments unless Customer selects an available optional cleanup flow;
- Supabase Auth identity records needed for a user to log in again or join a future organization;
- de-identified deletion confirmation records, security records, legal records, tax/accounting records, billing records, fraud-prevention records, dispute records, or other records we are required or permitted to retain;
- infrastructure backups and provider logs until they expire under ordinary retention schedules.
5. Subprocessors
The following vendors may process Customer Personal Data for SignalBox. Actual use depends on Customer's configuration, plan, and enabled features.
| Provider | Role | Purpose | Data processed |
|---|---|---|---|
| Supabase | Core subprocessor | Database, authentication, edge functions, vault/secrets, storage of service records, operational logs | Account data, Customer Data, encrypted email PII, OAuth credentials, security and audit records |
| Vercel | Hosting/CDN subprocessor, if used for the product app or customer-facing service | Hosting, frontend delivery, edge/network logs | Limited request metadata, IP addresses, headers, browser metadata, and any customer data routed through hosted product surfaces |
| Twilio | Optional communications subprocessor | SMS, voice capture, mobile links, inbound messaging, and related notifications where enabled | Phone numbers, message metadata, message content, voice/audio-derived content where enabled, delivery records |
| Stripe | Billing provider | Subscription billing, invoicing, payment processing, tax and fraud controls | Billing contact data, payment metadata, invoices, subscription status; SignalBox does not store full card numbers |
| OpenAI | Optional AI subprocessor | AI classification, summarization, entity extraction, draft generation, and related AI features where configured | Email content snippets or bodies, CRM context, AI prompts, generated outputs, and usage metadata needed for enabled AI features |
| Anthropic | Optional AI subprocessor | AI classification, summarization, entity extraction, draft generation, and related AI features where configured | Email content snippets or bodies, CRM context, AI prompts, generated outputs, and usage metadata needed for enabled AI features |
SignalBox does not permit AI subprocessors to use Customer Personal Data to train their general models unless Customer separately enables or instructs that use through a provider account or configuration.
6. Integrated Services
Integrated Services are services Customer connects or instructs SignalBox to access. They are not always SignalBox subprocessors because Customer controls the tenant, portal, mailbox, account, OAuth consent, admin consent, retention settings, and provider relationship.
| Provider | Integrated service role | SignalBox use |
|---|---|---|
| Google / Google Workspace / Gmail | Customer-authorized email provider | Read mailbox metadata and message content needed for sync, classification, signals, and optional drafts; create or delete SignalBox-generated drafts where authorized; receive webhook/push events where configured |
| Microsoft / Microsoft 365 / Microsoft Graph | Customer-authorized email provider | Read mailbox metadata and message content needed for sync, classification, signals, and optional drafts; create or delete SignalBox-generated drafts where authorized; receive subscription events where configured |
| HubSpot | Customer-authorized CRM and sync destination | Read CRM context for matching and relationship intelligence; write selected email activity, AI insights, notes, cards, events, and draft/status activity to Customer's HubSpot portal |
| LinkedIn | Customer-authorized relationship source where enabled | Process relationship activity, conversation metadata, message snapshots, focus contacts, enrichment, and optional LinkedIn draft replies according to enabled features |
| Customer AI provider accounts | Customer-authorized AI provider where Customer supplies its own API key | Route enabled AI work through Customer's chosen provider account under Customer-controlled provider terms and settings |
| Customer cloud KMS | Customer-authorized key service where BYOK/external KMS is enabled | Wrap, unwrap, encrypt, or decrypt data keys according to Customer's key grant; Customer can revoke the grant to make protected data undecryptable by SignalBox |
Customer is responsible for configuring Integrated Services, authorizing appropriate scopes, maintaining the provider account, and managing retention or deletion in those systems.
7. OAuth and Provider Access
SignalBox requests OAuth scopes needed for enabled features. Some providers do not offer a narrow scope for every operation. For example, draft creation or draft management may require broader mail read/write permissions than metadata-only sync.
Customer can revoke provider access through SignalBox settings or through the provider's admin console/account settings. When access is revoked, SignalBox stops using that credential and deletes stored tokens through the applicable disconnect or deletion flow. Some providers do not support immediate token revocation for every token type; in those cases, access expires naturally according to the provider's token lifetime.
8. AI Data Use
AI features may use OpenAI, Anthropic, or a Customer-configured provider. SignalBox sends only the context needed for the enabled feature, such as the message body or snippet, sender context, CRM context, draft preferences, and prompt instructions.
SignalBox uses AI to produce customer-facing outputs such as classifications, summaries, extracted entities, signals, suggested actions, and draft replies. These outputs may be stored in SignalBox and/or written to HubSpot according to Customer settings.
SignalBox does not use Customer Personal Data for targeted advertising and does not sell Customer Personal Data. We do not opt Customer Personal Data into general AI model training.
9. Customer-Managed Keys
Eligible customers may configure customer-managed encryption keys. With external KMS, Customer's key-encryption-key stays in Customer's cloud KMS and SignalBox receives only the ability to use that key under Customer's grant.
Customer can revoke the grant by removing the KMS permission, disabling the key, deleting the role or binding, or otherwise blocking SignalBox's access. Once revoked, protected data becomes undecryptable by SignalBox. Customer is responsible for key durability, backup, soft-delete, purge protection, rotation policy, and recovery. SignalBox does not keep escrow copies of Customer-owned KMS keys.
10. Changes to This Schedule
SignalBox may update this schedule as vendors, infrastructure, or features change. Material changes to subprocessors that process Customer Personal Data will be communicated through a reasonable channel, such as documentation, website updates, email, or in-app notice.
For privacy or security questions, contact us at hello@tendigits.com.