NYLAS INFORMATION SECURITY STANDARDS 

Last updated: June 2026

These Nylas Information Security Standards form part of the terms of use for Nylas products and services. Defined terms used but not otherwise defined herein have the meanings given in the terms applicable to each order (“Terms”).

Information Security Standards. These Information Security Standards apply to Nylas’ processing of Licensee Personal Data. Nylas shall implement and maintain an information security program (“Information Security Program”) that: (i) is consistent with industry standard practices taking into consideration the sensitivity of the Licensee Personal Data processed, and the nature and scope of the Product(s) to be provided; and (ii) includes commercially reasonable technical and organizational measures designed to protect Licensee Personal Data. At a minimum, the Information Security Program shall include:

1. Information Security Organization: Nylas has established a management framework for information security and risk, which is approved by management and ensures the necessary resources to provide the required controls.

a. Policies: Nylas maintains information security policies, standards and procedures that include but are not limited to the controls set forth herein, and address: Access Control, Acceptable Use, Application Security, Business Continuity, Backup, Information Classification, Clear Desk and Clear Screen, Incident Response, Mobile Device Security, Physical Security, Privacy and Vulnerability Management. Nylas will review these documents at least annually.

2. Human Resources: Nylas’ personnel are subject to background checks, depending upon their roles and access levels. Nylas personnel sign confidentiality agreements and acknowledge Nylas policies during the onboarding process.

Information security and privacy awareness, training and education are provided to ensure employees understand their responsibilities regarding the confidentiality, integrity, availability and privacy of Customer Information provided to Nylas.

3. Physical Environment: Customer Information and systems processing Customer Information are protected against unauthorized physical access, damage or theft.

a. Data Center Security: Nylas relies on third-party cloud providers for physical infrastructure and ensures such providers maintain appropriate physical and environmental security controls.

4. Network Security: Nylas implements multi-layered network security infrastructure that provides continuous monitoring, restricts unauthorized network traffic, and detects and limits the impact of attacks, including: firewalls or other filtering devices, and intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).

a. Remote Access: Nylas authenticates remote users with two-factor authentication prior to granting access to Nylas networks containing Customer Information.

b. Firewalls: Nylas ensures that firewall protection systems are implemented on both internal and external traffic. Firewalls have real-time logging and alerting capabilities. Nylas reviews firewall rules on at least a quarterly basis.

5. Monitoring and Auditing: Nylas maintains logs from information systems, network devices, and applications that process, store, or transmit Customer Information and shares them with Customer when requested. Logs provide traceability and answer the questions of who, when, what, where, and whether the action was successful. Monitoring and alerting systems are configured to detect anomalous or unauthorized activity, and alerts are reviewed and triaged by appropriate personnel.

a. Review audit logs: Nylas reviews event logs through automated monitoring and alerting mechanisms on a continuous basis, supplemented by periodic manual review.

b. System Clocks: Information systems and network devices are synchronized to a trusted time server.

c. Audit Log Retention: Audit logs are retained by Nylas for at least 12 months from creation.

d. Audit log integrity and confidentiality: Nylas implements technical and organizational measures to ensure the integrity and confidentiality of the audit logs.

6. Access Control: Nylas configures access to information systems that process, transmit, or store Customer Information using defense in depth and the principle of least privilege, including role-based access controls and authentication mechanisms that allow authorized access for Nylas personnel. Access to sensitive customer data and PII is restricted to authorized personnel under least privilege principles and is subject to access logging. Personal information processed by AI-enabled functionality is handled in accordance with Nylas’ information classification and data protection standards and is not repurposed beyond service delivery.

a. User Access Management: Nylas utilizes a formal user access management and review process to provision and deprovision user accounts and assign or revoke access rights for all Nylas personnel to all systems and services that process, transmit, or store Customer Information.

b. Unique Accounts: Nylas’ personnel using such systems are uniquely identified and authenticated.

c. Revocations: The access rights of all Nylas personnel to information and information processing facilities are removed upon termination of employment or adjusted upon a change in role.

d. Access Review: Nylas performs access reviews on a periodic basis, at least quarterly, or more frequently based on risk.

e. Password Management and Authentication Controls: Nylas maintains policies and/or procedures for the proper use and protection of authentication information.

f. Systems and shared accounts: Nylas utilizes a formal account management process to manage systems and shared accounts.

g. System Accounts: Any accounts that are not intended to be directly accessed by users, but are required for systems and applications to function properly, are not used by humans to log into systems or applications.

h. Shared Accounts: Shared accounts are any accounts that are intended to be shared among multiple users using a single set of authentication credentials. Nylas manages shared accounts through a process that requires approval and limits the time the shared account credentials may be used. Actions performed by users of shared accounts must be logged and attributable to an individual.

i. Logical Segregation: Logical segregation mechanisms are implemented in multi-tenant environments to prevent unauthorized access between Customer environments.

7. Cryptography: Nylas has created policies and/or procedures for the use of cryptography and defines secure generation, storage, distribution and destruction of encryption keys. Audio recordings and transcript data are encrypted in transit and at rest in accordance with the encryption standards described herein.

a. Cryptography of Data at Rest: Nylas implements AES-256 encryption, at a minimum, for data at rest.

b. Cryptography of Data in Transit: Nylas implements industry-standard encryption protocols (e.g., TLS 1.2 or higher) for data transmitted over public networks.

8. Change Management: Nylas’ documented change management process is used for all systems or applications processing Customer Information.

9. Vulnerability Management and Penetration Tests: Nylas maintains a vulnerability management program to: prioritize assets by risk, test for vulnerabilities in operating systems and applications, analyze and classify the criticality of vulnerabilities, and report, remediate, and verify remediation. Nylas remediates vulnerabilities based on risk and severity, with defined timelines for high and critical vulnerabilities, and implements compensating controls where immediate remediation is not feasible. Nylas ensures compensating controls are in place if a security patch cannot be promptly applied.

a. Penetration Testing: Nylas conducts independent penetration tests on the infrastructure used to process Customer Information at least annually. The results of these tests are communicated to the Customer through the Nylas Trust Center.

10. Secure Development: Nylas implements a system development life cycle. Any testing configurations are removed prior to production deployment, and Customer Information is not used for testing and development. Nylas enforces separation of duties between Nylas Personnel assigned to the development/test environment and those assigned to the production environment to the extent reasonably practical.

a. Privacy by Design and Privacy by Default: Nylas adopts privacy by design and privacy by default guidelines and ensures the system development life cycle considers those guidelines and principles.

b. Model Training Restrictions: Customer Information processed through Nylas services, including AI-enabled functionality such as Nylas Notetaker, is not used to train, retrain, fine-tune, or improve generalized machine learning models. Where third-party AI providers are used, model training on Customer Information is contractually and technically disabled.

11. Incident Procedure: Nylas maintains documented incident response procedures that define processes for detection, reporting, classification, containment, investigation, and remediation of security incidents. Incidents are tracked and managed through to resolution, and appropriate escalation and notification procedures are followed.

a. Security incidents include incidents involving AI-enabled functionality that may impact confidentiality, integrity, availability, or accuracy of Customer Information.

12. Business Continuity and Disaster Recovery Plan: Nylas maintains a documented organizational Business Continuity Plan (“BCP”) and Disaster Recovery (“DR”) procedures designed to ensure that Nylas continues to provide services in the event of a disruptive incident that could negatively impact operations. Nylas performs annual business continuity and disaster recovery tests. Test results and corrective actions are documented.

13. Data Backup: Customer Information is backed up on a periodic basis in accordance with defined retention policies. Backups are encrypted, access-controlled, and tested regularly for restoration.

a. Audio recordings and generated transcripts processed by Nylas Notetaker are retained for a maximum of 30 days unless otherwise configured by the Customer. After expiration of the retention period, such data is securely deleted in accordance with documented deletion procedures.

14. Third-Party Risk Management: Nylas maintains a third-party risk management program that includes due diligence, contractual security requirements, and ongoing monitoring of subprocessors and vendors. This includes service providers offering machine learning or AI infrastructure.

15. Asset Management: Nylas maintains an inventory of current information system assets that includes: the business function of the asset, asset accountability, and sufficient detail to facilitate tracking and reporting of assets. Nylas updates information system asset inventories daily.

a. Classification of Information: Nylas defines and implements an information classification scheme and explicitly considers personal information as part of that scheme.

b. Temporary Files: Information systems can create temporary files in the normal course of their operations. Nylas ensures that temporary files created as a result of the processing of personal data are disposed of following documented procedures.

c. Media Handling: Nylas only uses removable media and/or devices that support encryption.

16. Data Minimization: Nylas limits the collection, processing, and retention of Customer Information to what is necessary for the provision of services.

17. Compliance: Nylas undergoes independent third-party audits (e.g., SOC 2 Type II) to assess the effectiveness of its controls related to security, availability, and confidentiality.

a. PCI: Nylas does not store, process or transmit credit card information on behalf of Customer. PCI-DSS is not in scope for Nylas.

18. Pseudonymization: Nylas applies pseudonymization or data minimization techniques where appropriate to reduce the risk associated with processing personal data.