Security at Nylas

Security is built into the fabric of our products, infrastructure, and processes, so you can rest assured that your data is safeguarded.

Security at Nylas


Security is at the cornerstone of our applications and services and we’re committed to ensuring the unwavering safety of your company’s data. With security built into the core of our products, you can rest assured knowing your data will always be safe, secure, and protected.

Infrastructure security

Nylas utilizes Web Application Firewalls to strengthen infrastructure security. Our infrastructure is continuously monitored for security vulnerabilities and cloud misconfigurations. Any identified vulnerabilities are remediated in a timely manner in accordance with our vulnerability and risk management practices.

Operational resilience

Nylas ensures operational resiliency requirements are built into our architecture design and development processes. Nylas performs Business Continuity, Disaster Recovery and Incident Response tests on at least an annual basis.

Product security

Nylas’ products are built with a security-first mindset. The Nylas Architecture Review process requires mandatory peer reviews, and the SDLC process ensures all new code is scanned using static analysis tools to detect any vulnerabilities in code. Nylas maintains a private Bug Bounty program and ensures third-party penetration tests are conducted annually.

Data isolation

Nylas logically separates account data with the concept of ‘Nylas Applications’. Each Nylas Application has a separate client ID and client secret that requires accounts to be authenticated individually.

Data security

Nylas encrypts data at rest as well as in transit. Nylas utilizes TLS v1.2 or greater for all data in transit. All stored data is encrypted at rest using a minimum of AES-256 or equivalent.

Security monitoring

Nylas continuously monitors network traffic for malicious activities. Nylas uses a security threat detection and SOAR platform to monitor and automate high priority security alerts.

Physical security

Nylas is a fully remote company. All physical security controls are the responsibility of our data center providers: Amazon Web Services (AWS) and Google Cloud Platform (GCP).


We are committed to ensuring the privacy of your data. We’re further committed to preventing unauthorized access to that data. Our Privacy Policy details what data is collected, how we use it, and how it is stored.


General Data Protection Regulation (GDPR)

We ensure our data collection and handling practices comply with the General Data Protection Regulation (GDPR) and its rules on data protection, privacy, and transfer. Nylas is GDPR compliant.

Data Processing Addendum (DPA)

We use a Data Processing Addendum (DPA) to ensure adequate safeguards are put in place to protect customer personal data processed by Nylas. The DPA obliges us to implement appropriate security measures, limit access to personal data, alert customers to incidents and data requests involving their data, and more.

Data Privacy Framework

The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law. Nylas is self-certified with the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S DPF. You can find more information in our Privacy Policy.


California Consumer Privacy Act (CCPA)

We comply with the California Consumer Privacy Act (CCPA), which outlines privacy requirements related to data collection, storage, access, and more. We do not sell the personal information we collect to other parties.

GLBA Privacy Rule

As a partner to our clients in the financial sector, we comply with the Gramm-Leach-Bliley Act Privacy Rule.


We’ve engaged respected third-party firms to audit our infrastructure and security practices, resulting in a System and Organization Controls (SOC) 2 Type II audit report, HIPAA/HITRUST report, ISO 27001 and ISO 27701 certification.

SOC 2 Type II

SOC 2 Type II

SOC 2 is a means for ensuring a service provider adequately secures customer data, and the SSAE 18 audit standard assures customers that a provider’s security apparatus is working smoothly. Our SOC 2 Type II report covering the security, availability, and confidentiality trust service criteria is available under NDA to current and prospective customers.

ISO 27001

ISO 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet. It provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system. You can request a copy of our ISO 27001 certificate in our Trust Center.

ISO 27701

ISO 27701 is the world’s best-known standard for privacy information management systems (PIMS). It defines requirements a PIMS must meet, and this standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving a privacy information management system. You can request a copy of our ISO 27701 certificate in our Trust Center.

CSA Star

CSA Cloud Security Alliance

The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings. This publicly accessible registry allows cloud customers to assess their security providers. View Nylas’s listing here.



The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ensures that the proper security and privacy controls are in place to secure protected health information (PHI). Our report is available under NDA to current and prospective customers.

Cloud compliance

The Nylas Platform runs on Amazon Web Services (AWS) and Google Cloud Platform (GCP). We recommend you also review their compliance information by clicking on their links.

Everything connected. Everything secure.

Our first priority is to keep you safe and secure. We are committed to transparency which is why we are trusted by the world’s leading organizations.

The latest in Nylas security

Best practices for protecting API keys
2023 Compliance Audits
Nylas’ 2023 compliance audits: A benchmark in trust and security
Nylas Security White Paper
Nylas Security White Paper

Let’s talk

Contact us to schedule a technical consultation. We’ll review your goals and help you identify the best solution with the Nylas platform.