Security at Nylas

Security is the cornerstone of our applications and services, and we are committed to keeping your company’s data safe. With security built into the core of our products, you can rest assured that your data will always be safe, secure, and protected.


Security Measures & Terms

Information Security Standards that apply to Nylas’ processing of Licensee Personal Data.


Privacy Policy

How Nylas collects, uses, and shares Customer Data to operate, improve, develop, and protect Nylas’ Services.


Nylas Subprocessors

Important information about the identity, location, and role of Subprocessors.

Data Encryption

Nylas encrypts all data at rest with AES-256 (or equivalent) and data in transit with TLS v1.2+ to ensure data confidentiality across our systems.

Infrastructure Security

Nylas’ infrastructure is proactively monitored for threats, including vulnerabilities, misconfigurations, and suspicious behavior.

Application Security

Nylas embeds security throughout the software development lifecycle and reinforces this with a Vulnerability Disclosure Program, a private Bug Bounty initiative, and independent penetration testing conducted annually.

Access Control & Authentication

Nylas implements fine-grained access controls, SSO, and multi-factor authentication to ensure that both internal teams and integrated applications access only the data they’re authorized to handle.

Physical Security

Nylas is a fully remote company, with no physical offices globally. All physical security controls are the responsibility of our data center providers: Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Compliance

We’ve engaged respected third-party firms to audit our infrastructure and security practices, resulting in multiple compliance certifications and attestations.

SOC 2 Type II
  • SOC 2 is a means for ensuring a service provider adequately secures customer data, and the SSAE 18 audit standard assures customers that a provider’s security apparatus is working smoothly.
  • Our SOC 2 Type II report covering the security, availability, and confidentiality trust service criteria is available under NDA to current and prospective customers via the Nylas Trust Center.
ISO 27001
  • ISO 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.
  • It provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.
  • You can request a copy of our ISO 27001 certificate in our Trust Center.
ISO 27701
  • ISO 27701 is the world’s best-known standard for privacy information management systems (PIMS).
  • It defines requirements a PIMS must meet, and it provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving a privacy information management system.
  • You can request a copy of our ISO 27701 certificate in our Trust Center.
HIPAA
CSA Cloud Security Alliance
  • The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards.
  • Companies that use STAR demonstrate best practices and validate the security posture of their cloud offerings.
  • This publicly accessible registry allows cloud customers to assess their security providers. View Nylas’ listing here.
PCI-DSS SAQ A
  • The Payment Card Industry Data Security Standard (PCI-DSS) Self-Assessment Questionnaire A (SAQ A) is designed for merchants that have fully outsourced all cardholder data functions to PCI DSS-compliant third-party service providers and do not electronically store, process, or transmit any cardholder data on their systems or premises.
  • Our completed SAQ A and supporting documentation are available under NDA to current and prospective customers.


Privacy

We are committed to ensuring the privacy of your data. We’re further committed to preventing unauthorized access to that data. Our Privacy Policy details what data is collected, how we use it, and how it is stored.

General Data Protection Regulation (GDPR)
Data Processing Addendum (DPA)
  • We use a Data Processing Addendum (DPA) to ensure adequate safeguards are put in place to protect customer personal data processed by Nylas.
  • The DPA obliges us to implement appropriate security measures, limit access to personal data, alert customers to incidents and data requests involving their data, and more.
  • Reach out to your Nylas Sales Contact for a DPA.
Data Privacy Framework
  • The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF were developed to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.
  • Nylas is self-certified under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
  • You can find more information about Nylas’ listing here.
California Consumer Privacy Act (CCPA)
  • We comply with the California Consumer Privacy Act (CCPA), which outlines privacy requirements related to data collection, storage, access, and more.
  • We do not sell the personal information we collect to other parties.
GLBA Privacy Rule

FAQs

Need more help? Let’s talk!

What data is stored?

The data stored depends on which Nylas API is used and how authentication is configured in your application.

  • For the Email API, Nylas stores all email data only for the IMAP provider type. For other provider types, Nylas only stores and processes email addresses and grant information.
  • For the Calendar API, Nylas stores event data in addition to the email addresses of event participants.
  • For the Notetaker API, Nylas stores meeting recordings and transcripts as well as event information.

Additionally, if your application is using Nylas hosted authentication, Nylas will store credentials of connected accounts.

Where is data stored?

Data storage regions can be specified on the Nylas Dashboard. Data is stored in the US or the UK, depending on your selection.

Is data encrypted?

Yes, all data is encrypted at rest using AES-256. Data in transit uses TLSv1.2 or above.

How do I request a Data Processing Agreement (DPA)?

  • If you are a contract customer, reach out to your Nylas Account Executive / Sales contact.
  • If you are a pay-as-you-go customer, a DPA is already included in your standard order terms.
  • If you are an end customer using our product through a vendor or partner, please contact your vendor directly for a DPA. We do not enter into DPAs directly with end customers.

How do I request a Business Associate Agreement (BAA)?

  • If you are a contract customer, reach out to your Nylas Account Executive / Sales contact.
  • If you are an end customer using our product through a vendor or partner, please contact your vendor directly for a BAA. We do not enter into BAAs directly with end customers.

How do I request access to security reports (SOC 2, penetration test reports, policies, architecture diagrams)?

You can request access to security reports by visiting the Nylas Trust Center.

Where can I find the subprocessors list?

The subprocessors list is available here: https://www.nylas.com/security/subprocessors/. You can subscribe to subprocessor notifications via status-v3.nylas.com.


Is Nylas compliant with CCPA, GDPR, and the EU-U.S. DPF?

Yes, Nylas is compliant with CCPA, GDPR, and the EU-U.S. Data Privacy Framework. You can view the self-certified DPF listing here: https://www.dataprivacyframework.gov/list

How do I report a vulnerability?

You can report a vulnerability via Nylas’ Vulnerability Disclosure form here. Reach out to [email protected] for more information about our Bug Bounty Program.