Everything connected. Everything Secure

Our first priority is to keep you safe and secure. We are committed to transparency, which is why we are trusted by the world’s leading organizations.

Security at Nylas

Security is the cornerstone of our applications and services, and we’re committed to ensuring the unwavering safety of your company’s data. With security built into the core of our products, you can rest assured knowing your data will always be safe, secure, and protected.

How we keep your data safe.

Security is a foundational feature of the Nylas platform. Whether your data is at rest or in transit, our defense-in-depth approach utilizes rigorous encryption, continuous monitoring, and strict access controls to keep your systems secure.

Data Encryption

Nylas encrypts all data at rest with AES-256 (or equivalent) and data in transit with TLS v1.2+ to ensure data confidentiality across our systems.

Infrastructure Security

Nylas’ infrastructure is proactively monitored for threats, including vulnerabilities, misconfigurations, and suspicious behavior.

Application Security

Nylas embeds security throughout the software development lifecycle and reinforces this with a Vulnerability Disclosure Program, a private Bug Bounty initiative, and independent penetration testing conducted annually.

Access Control & Authentication

Nylas implements fine-grained access controls, SSO, and multi-factor authentication to ensure that both internal teams and integrated applications access only the data they’re authorized to handle.

Physical Security

Nylas is a fully remote company, with no physical offices globally. All physical security controls are the responsibility of our data center providers: Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Compliance

We’ve engaged respected third-party firms to audit our infrastructure and security practices, resulting in multiple compliance certifications and attestations.

AICPA SOC 2

SOC 2 Type II

  • SOC 2 is a means for ensuring a service provider adequately secures customer data, and the SSAE 18 audit standard assures customers that a provider’s security apparatus is working smoothly.
  • Our SOC 2 Type II report covering the security, availability, and confidentiality trust service criteria is available under NDA to current and prospective customers via the Nylas Trust Center.

ISO 27001

  • ISO 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.
  • It provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.
  • You can request a copy of our ISO 27001 certificate in our Trust Center.

ISO 27701

  • ISO 27701 is the world’s best-known standard for privacy information management systems (PIMS).
  • It defines requirements a PIMS must meet, and this standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving a privacy information management system.
  • You can request a copy of our ISO 27701 certificate in our Trust Center.

CSA STAR Level One

CSA Cloud Security Alliance

  • The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards.
  • Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.
  • This publicly accessible registry allows cloud customers to assess their security providers. View Nylas’s listing here.

PCI DSS

PCI DSS SAQ A

  • The Payment Card Industry Data Security Standard (PCI-DSS) Self-Assessment Questionnaire A (SAQ A) is designed for merchants that have fully outsourced all cardholder data functions to PCI DSS-compliant third-party service providers and do not electronically store, process, or transmit any cardholder data on their systems or premises.
  • Our completed SAQ A and supporting documentation are available under NDA to current and prospective customers.

Privacy

We are committed to ensuring the privacy of your data. We’re further committed to preventing unauthorized access to that data. Our Privacy Policy details what data is collected, how we use it, and how it is stored.

GDPR

General Data Protection Regulation (GDPR)

Data Processing Addendum

Data Processing Addendum (DPA)

  • We use a Data Processing Addendum (DPA) to ensure adequate safeguards are put in place to protect customer personal data processed by Nylas.
  • The DPA obliges us to implement appropriate security measures, limit access to personal data, alert customers to incidents and data requests involving their data, and more. Reach out to your Nylas Sales Contact for a DPA.

Data Privacy Framework

  • The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were developed to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.
  • Nylas is self-certified with the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF. You can find more information about Nylas’ listing here.

CCPA

California Consumer Privacy Act (CCPA)

  • We comply with the California Consumer Privacy Act (CCPA), which outlines privacy requirements related to data collection, storage, access, and more.
  • We do not sell the personal information we collect to other parties.

Explore related resources

How Nylas leads with cutting-edge API security and privacy practices

Learn about Nylas’ commitment to advanced API security and privacy as we release our latest product enhancements.

Implementing security by design at startups

Building security by design is crucial, especially for startups and small businesses, where resources are often limited, and the pace of development is.

Building a security-first culture in your organization

Learn to build a security-first culture in your organization with strategies for leadership, employee engagement, and embedding security into every process.

 

Frequently asked questions

Nylas secures the Gmail API integration with OAuth 2.0, encrypts all data at rest with AES-256 and in transit with TLS v1.2+, and enforces fine-grained access controls so your application only accesses the data it is authorized to handle.

Create a free Nylas account, generate an API key, and connect a Google account through the Nylas hosted authentication flow. From there you can read, send, and sync email through a single unified API without managing Google’s OAuth scopes and tokens yourself.

Beyond Gmail, Nylas connects to Microsoft Outlook and Microsoft 365, Exchange (EWS), IMAP/SMTP providers, and any standards-based email, calendar, and contacts provider — all through the same API surface.