Enterprise-grade security and privacy controls have always been at the heart of Nylas.

We keep data private and secure through a multilayered physical and network-level security hierarchy, which we've documented below.



Nylas adheres to a high level of operational excellence. Nylas has multiple interlocking policies for incident response, audits, and privacy. We believe security practices should be transparent to customers, and these measures are outlined below.

Incident Response Policy

Privacy Policy

Audit Policy



Nylas fully complies with key government and industry regulations and policies, including US-EU as well as US-Swiss Safe Harbor and PCI DSS as a merchant. Nylas also supports a variety of use cases employed by companies engaged in PCI- and HIPAA-covered activities.

Privacy Shield Compliance

PCI DSS Compliance

HIPAA Compliance



The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy. Under the GDPR, Nylas is considered a data processor. Our customers are considered data controllers. Our customers’ end users are considered data subjects.

For example, let’s say Nylas had a customer called “The World’s Best CRM.” “The World’s Best CRM” would be considered a data controller. Jeremy, a small-business owner, uses “The World’s Best CRM” to send awesome emails and engage his customers. Jeremy is considered a data subject. The Nylas API, which powers “The World’s Best CRM,” is considered the data processor. We define these roles in more detail below.

Data controllers

Data processors

Data subjects

Data processor agreement

Right to be forgotten

Data portability

Personal Data Breach


SOC 2 Type II

The SOC 2 Type II certification is the most comprehensive security certification in the SaaS industry. To achieve SOC 2 Type II certification, Nylas underwent an independent audit and penetration tests of existing security protocols, processes, and systems. The SOC 2 Type II certification demonstrates that our data management systems and processes are designed to keep users’ sensitive information secure while ensuring a high degree of performance and reliability.

SOC 2 Standards of Excellence Used at Nylas:



Processing Integrity




Encryption and Access Control

Nylas uses multiple application-level security mechanisms and features to ensure customer data safety. All customer API calls require proprietary OAuth2 authentication tokens granted only by Nylas, and user data is encrypted using military-grade encryption standards.



Customer Data Backups

Role-Based Access


Network Transport and Storage

Nylas implements best practices for maintaining service-wide network security. We deploy the latest technology to provide uninterrupted service and guard against attack. Internal sync infrastructure is isolated from the public Internet within separate VPCs, blocking all inbound connections, and persistence and storage layers are encrypted and secured behind VPN and firewalls.

Network Firewalls: Nylas adheres to industry-standard practices for securing and maintaining our infrastructure, with additional protection being afforded by our firewalls. Each system uses firewalls to restrict access from external networks and between systems internally. To mitigate both internal and external risk, access is restricted to only the ports and protocols required for specific business needs.

Denial-of-Service (DOS) Prevention

Distributed Denial-of-Service (DDOS) Prevention

Clustered Infrastructure

TLS 1.2 Encryption


Infrastructure and Physical Security

All Nylas physical infrastructure and data centers are housed in state-of-the-art secure facilities with industry-standard access controls and physical security measures. Nylas development machines run on unprivileged networks secured by VPN.

Nylas is hosted at Amazon Web Services (AWS) data centers, which are highly scalable, secure, and reliable. AWS complies with leading security policies and frameworks, including SSAE 16, SOC framework, ISO 27001, and PCI DSS Level 1.

SSAE 16, or more formally, Statement on Standards for Attestation Engagements No. 16, is key guidance for reporting on internal controls for service organizations. SSAE 16 is used for reporting on the Service Organization Control (SOC) framework, which consists of SOC 1, SOC 2, and SOC 3. SOC 1 is focused on an organization’s internal controls over financial reporting, while SOC 2 and SOC 3 cover reporting on the security, availability, processing integrity, confidentiality, and privacy of service organizations, including cloud and data center providers.

AWS is certified to ISO 27001, which describes a systematic approach to managing sensitive information so that it remains secure. ISO 27001 covers a risk management process that encompasses people, processes, and IT systems. AWS is also Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS), enabling customers to run applications on AWS’s PCI-compliant infrastructure for storing, processing, and transmitting credit card information in the cloud.

Additional AWS physical security measures include:

At each AWS hosting site, Nylas servers are secured at all times by trained security guards, and access is authorized strictly on a least-privileged basis. The data centers use state-of-the-art electronic surveillance to monitor any suspicious activity.

Security Logs

Multi-Factor Authentication

Multiple Redundancy Zones


Reliability & SLAs


Status reports