Executive Summary
Nylas uses AI-enabled functionality in specific product features and operational workflows. Nylas does not use customer data to train general-purpose machine learning models. Nylas does not develop or operate proprietary foundation models. Where AI functionality is present, Nylas applies data minimization principles, reviews third-party AI vendors, and designs features to be configurable rather than on by default. This page explains how those commitments work in practice.
Organizations should consult legal counsel regarding their specific regulatory obligations. Nothing on this page constitutes legal advice.
Email, calendar, contacts, and scheduling systems sit at the center of most business operations. They contain business correspondence, customer interaction records, scheduling data, authentication credentials, and internal decision-making artifacts. When AI features interact with those systems, they can process sensitive data, automate outbound actions, and operate across connected accounts at a speed and scale that manual review cannot match.
That context shapes how Nylas thinks about AI governance. The risks associated with AI in communications environments are not limited to the models themselves. They extend into the surrounding ecosystem: the permissions granted to AI systems, the third-party providers involved, the integrations those systems connect to, and the processes in place when something goes wrong.
Core principles
Customer data and model training
Nylas does not use customer data to train general-purpose machine learning models.
Nylas does not develop or operate proprietary foundation models. Where AI functionality is used in Nylas products, it relies on third-party providers. Customers evaluating Nylas should understand that their email, calendar, contacts, and scheduling data processed through Nylas features is not used to improve or train general-purpose AI models.
Data minimization
Nylas applies data minimization principles to AI-related processing. In practice, that means evaluating what data is required for a given workflow, whether sensitive data exposure can be reduced, how permissions are scoped, and which third-party providers are involved in processing.
Communications systems can contain highly sensitive operational and business information. Minimizing unnecessary data exposure is a baseline expectation, not an optional optimization.
Vendor oversight
AI-enabled workflows at Nylas involve third-party AI providers, cloud infrastructure services, and related vendors. Nylas reviews these providers to evaluate security, privacy, operational, and contractual risks. Those reviews consider access controls, retention practices, security safeguards, subprocessor involvement, operational maturity, and data handling practices.
As AI ecosystems continue to expand, vendor governance is one of the more consequential parts of managing operational and security risk. An AI feature embedded in a communications API may rely on a foundation model provider, a subprocessor for parsing, and a third-party service for data normalization. Each connection is a point where data flows and where governance matters.
Transparency
Organizations evaluating AI-enabled functionality should be able to understand when AI is being used, what data it processes, which third-party providers are involved, how outputs are generated, what controls exist, and where human oversight remains appropriate. Transparency is an important part of enterprise governance, vendor evaluation, and regulatory compliance.
Human accountability
AI systems can assist workflows, but accountability for decisions and actions remains with the organizations deploying and using those systems. AI-generated outputs can contain inaccuracies, incomplete information, or unexpected results.
Organizations should evaluate where human review, escalation, or approval is appropriate for their workflows. The level of oversight needed varies based on:
- the sensitivity of the data being processed
- the level of automation involved
- the potential business impact of incorrect outputs or unintended actions
- whether the workflow touches external communications or customer-facing processes
AI-enabled features are configurable
Not every customer uses AI-enabled functionality, and not every workflow requires the same types of data processing. Nylas designs AI-enabled features to be configurable. Organizations can evaluate which features apply to their use case, how those features interact with their data, and whether to enable them for specific accounts, tenants, or workflows.
AI governance is a shared responsibility
AI governance extends beyond any single technology provider. AI-enabled communications workflows often involve cloud infrastructure providers, AI model providers, communications platforms, application developers, and enterprise customers. Each plays a different role in protecting data, configuring workflows, and governing AI-enabled functionality.
Nylas views governance as a shared responsibility. We design platform capabilities to support secure implementation, while customers determine how AI features are configured, what data they process, and where human oversight is appropriate within their own business processes.
How AI data handling works in Nylas products
Where AI-enabled functionality is present in Nylas products, it may process customer-provided content for purposes such as summarizing information, structuring data, assisting workflow automation, or generating operational insights.
ExtractAI, for example, supports categorizing, tagging, and routing email data using custom rules and keyword or phrase recognition. Organizations can configure how email is classified, what triggers routing decisions, and what outputs are generated. This is different from a general-purpose model operating without guardrails on unscoped data.
Organizations evaluating AI-enabled workflows should also account for how data moves across integrations, vendors, cloud providers, and operational systems connected to those workflows. The full data flow, not just the AI feature in isolation, is the relevant unit of governance.
Operational controls
Effective AI governance extends beyond evaluating models. It includes the operational controls governing how AI systems are configured, monitored, and managed over time.
Relevant controls for AI-enabled workflows include:
- Access restrictions on what data AI systems can reach
- Logging and monitoring of AI-assisted actions
- Vendor reviews covering AI providers and subprocessors
- Security testing of AI-enabled features and integrations
- Data handling controls for content processed by AI systems
- Least-privilege permission scoping for AI-enabled workflows
- Policy and procedural oversight of AI workflow design
- Incident response processes for AI-related misuse or unexpected outputs
- Workflow governance and approval mechanisms for automated actions
The controls appropriate for a specific workflow depend on the sensitivity of the data involved, the level of automation, customer configuration choices, and the surrounding operational environment. A workflow that drafts internal email summaries requires different oversight than one that routes external customer communications.
Risks organizations should evaluate
AI systems operating in communications environments introduce specific risks that security and compliance teams should account for in their vendor evaluation process:
Prompt injection: Malicious content in email or calendar data may attempt to manipulate AI systems into taking unintended actions or producing harmful outputs.
Phishing and impersonation: AI features that compose or route communications can be exploited to generate convincing phishing content or impersonate legitimate senders at scale.
Workflow automation misuse: AI-assisted automation can execute actions across connected accounts and systems. Without appropriate scope controls and human review checkpoints, those actions can propagate errors or misuse at high speed.
Inaccurate outputs: AI-generated summaries, classifications, and routing decisions may be incorrect. Organizations should evaluate what happens downstream when an AI output is wrong.
Cross-system propagation: AI-assisted workflows often span email, calendar, CRM, ticketing, and workflow automation platforms. Misconfigured permissions or incorrect outputs can propagate rapidly across connected systems, making operational governance and auditability particularly important.
Excessive permissions: AI agents operating across email, calendar, and contacts may request or accumulate permissions beyond what specific tasks require. Scoping permissions to the minimum needed for a workflow reduces exposure.
Sensitive data exposure: Communications systems contain data that varies significantly in sensitivity across a single account, let alone across enterprise tenants. AI features that process communications broadly may touch data that should be subject to tighter controls.
Interconnected vendor ecosystems: AI functionality in a communications platform may involve multiple third-party AI providers, cloud services, and data processors. Organizations should understand the full vendor chain, not only the primary vendor.
Communication platforms require specific attention in this context because they connect to trusted business workflows, external stakeholders, and multiple integrated systems simultaneously.
How Nylas approaches ongoing AI governance
AI governance is an ongoing operational discipline rather than a one-time compliance exercise. As AI capabilities, customer expectations, and regulatory frameworks continue to evolve, organizations should regularly evaluate not only what AI systems can do, but also what data they can access, what actions they can take, and how those activities are governed.
At Nylas, we view AI governance as an extension of the same security, privacy, and compliance principles that underpin our communications platform. That means applying data minimization, least-privilege access, vendor oversight, transparency, and operational accountability to AI-enabled features just as we do across the broader platform.
Organizations using Nylas should evaluate not only which AI-enabled features they choose to adopt, but also how those features are configured, what data they process, where human oversight is appropriate, and how they align with internal governance requirements. The combination of the controls Nylas provides and the governance decisions customers make determines the overall AI governance posture.
Questions about Nylas’s AI governance practices, third-party AI providers, feature configuration options, or data handling practices should be directed to the Nylas team.
Frequently asked questions
Does Nylas use customer data to train AI models?
No. Nylas does not use customer data to train general-purpose machine learning models. Nylas also does not develop or operate proprietary foundation models. AI-enabled functionality in Nylas products relies on third-party providers, and customer communications data processed through Nylas features is not used to improve or train those models.
Does Nylas build or operate its own foundation models?
No. Nylas does not develop or operate proprietary foundation models. AI-enabled functionality relies on third-party providers where applicable.
Which third-party AI providers does Nylas use?
Nylas relies on third-party providers for AI-enabled functionality where applicable. Organizations requiring specific information about which AI providers or subprocessors are involved in a given feature should contact Nylas directly. Third-party providers are subject to vendor review covering security, privacy, operational, and contractual risk.
Can organizations disable AI-enabled features?
Yes. Not every customer uses AI-enabled functionality, and Nylas designs AI-enabled features to be configurable. Organizations can evaluate which AI-enabled features apply to their workflows, how those features interact with their data, and whether to enable them based on their business, security, and governance requirements.
What data do Nylas AI features process?
This varies by feature. Where AI functionality is present, it may process customer-provided content such as email messages, calendar events, contact records, or metadata associated with those objects, for purposes such as summarization, classification, or workflow assistance. Organizations should evaluate which features they use and what data each feature processes.
How does Nylas handle AI vendor oversight?
Nylas reviews third-party AI providers and related vendors to evaluate relevant security, privacy, operational, and contractual risks. These reviews cover access controls, retention practices, security safeguards, subprocessor involvement, and data handling practices. Vendor governance is a continuous process, not a one-time review.
Where does human oversight exist in Nylas AI workflows?
The appropriate level of human oversight depends on the specific workflow, the data involved, and the customer’s configuration choices. Nylas designs AI-enabled features to support customer-controlled configuration, which includes the ability to insert review, approval, or escalation steps into automated workflows. Organizations should evaluate where human oversight is appropriate for their specific use cases.
What controls exist to prevent prompt injection in email AI features?
Prompt injection is a risk in any AI system that processes external content such as email. Nylas evaluates this risk as part of its security testing of AI-enabled features. Organizations should also apply their own controls: scoping permissions to the minimum required, reviewing AI outputs before automated actions execute, and monitoring for unexpected behavior in AI-assisted workflows.
How does Nylas approach incident response when AI features produce unexpected outputs?
Nylas maintains incident response processes covering AI-related misuse and unexpected outputs. Organizations with specific questions about incident response procedures should contact Nylas directly. Organizations should also maintain their own incident response processes for AI-enabled workflows, particularly those that touch external communications or business-critical data.
Does Nylas comply with the EU AI Act?
The EU AI Act assigns obligations based on the role an organization plays in the AI ecosystem (provider, deployer, or importer) and the risk tier of the AI system in question. Organizations using Nylas products are generally acting as deployers and should evaluate their own obligations under the Act. Nylas does not make generalized claims that use of its features automatically satisfies specific regulatory requirements.
How should enterprise security teams evaluate Nylas AI features?
Enterprise security teams evaluating Nylas should focus on: which AI features are active in their deployment, what data those features can access, whether AI features are scoped to minimum necessary permissions, what logging and monitoring is available for AI-assisted actions, which third-party AI providers are involved, and what configuration options exist to align feature behavior with internal policies. Nylas is available to support this evaluation process directly.