// DOC: TRUST_CENTER
SECURITY · PRIVACY · RELIABILITY

Trust Center

Our security posture, data handling practices, and infrastructure specifications. We believe security documentation should be readable, not buried in legalese.

AES-256:     Encryption at rest & transit
Fail-Open:   Zero mail flow dependency
Cloudflare:  US-East edge network
SOC 2:       Audit planned Q4 2025

01 / DATA PROCESSING & LOCATION

IntegrityLayer processes email metadata and body content in ephemeral Cloudflare Workers. No email content is stored permanently on our infrastructure. All data handling is scoped to the minimum necessary for intent classification.

Primary Processing
  Infrastructure:            Cloudflare Workers
  Region:                    US-East (primary)
  Edge regions:              Global CDN failover
  Data retention (content):  0 days — ephemeral
  Audit logs:                90 days (configurable)
  Quarantine metadata:       30 days post-release

AI Classification
  Provider:                  OpenAI (GPT-4o-mini)
  Region:                    US data residency
  Retention (OpenAI):        0 days (API, no training)
  Data sent:                 Subject + body snippet
  PII handling:              Stripped before send
  Opt-out:                   Available on request

# Data flow summary
M365/GWS → Cloudflare Worker → GPT-4o-mini (classify) → quarantine/release
# Email body: processed ephemerally, never persisted on IL servers
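The table above says the classifier receives only the subject plus a body snippet, with PII stripped before the call leaves the worker. The following is an added example (not IntegrityLayer's code) of what that minimisation step can look like in a Worker-style JavaScript function: redact first, then truncate, and report what was removed without echoing it. The snippet length, the PII pattern set and the output field names are assumptions; the page does not specify them.

```javascript
// Added example, not IntegrityLayer's code: build the minimal payload that
// leaves the worker for classification. The page states only that subject +
// a body snippet are sent and that PII is stripped first; the snippet length,
// the PII patterns and the output field names here are assumptions.

const DEFAULT_SNIPPET_CHARS = 500; // assumed limit, not stated on the page

// Categories of personal data redacted before text leaves the worker.
// Order matters: specific/long tokens first, so a later, looser pattern
// cannot match a fragment of something already replaced.
const PII_PATTERNS = [
  { label: 'EMAIL', re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  { label: 'IBAN',  re: /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g },          // compact form only
  { label: 'CARD',  re: /\b(?:\d[ -]?){13,19}\b/g },                     // 13-19 digit PAN
  { label: 'PHONE', re: /\b(?:\+\d{1,3}[\s-]?)?(?:\(\d{3}\)|\d{3})[\s-]?\d{3}[\s-]?\d{4}\b/g }, // US-style
  { label: 'SSN',   re: /\b\d{3}-\d{2}-\d{4}\b/g },
];

// Replace each match with a typed placeholder and count what was removed,
// so a tenant can see that data was stripped without seeing the data.
function redactPii(text) {
  const counts = {};
  let out = text;
  for (const { label, re } of PII_PATTERNS) {
    out = out.replace(re, () => {
      counts[label] = (counts[label] || 0) + 1;
      return `[${label}]`;
    });
  }
  return { text: out, counts };
}

function mergeCounts(a, b) {
  const merged = { ...a };
  for (const [k, v] of Object.entries(b)) merged[k] = (merged[k] || 0) + v;
  return merged;
}

// Redact BEFORE truncating: cutting first could split an address or account
// number so that the surviving fragment slips past the redactor.
function buildClassifierPayload(subject, body, snippetChars = DEFAULT_SNIPPET_CHARS) {
  const subj = redactPii(subject.trim());
  const normalized = body.replace(/\s+/g, ' ').trim();
  const redacted = redactPii(normalized);
  return {
    subject: subj.text,
    body_snippet: redacted.text.slice(0, snippetChars),
    truncated: redacted.text.length > snippetChars,
    redactions: mergeCounts(subj.counts, redacted.counts),
  };
}

// Constructed sample message (not a real email).
const SAMPLE_SUBJECT = 'URGENT: wire transfer for invoice 4471';
const SAMPLE_BODY = `Hi Dana,

Please wire the outstanding balance today to IBAN DE89370400440532013000 and
confirm by replying to cfo.alt@example-mail.com or calling 555-123-4567 before 5pm.

Thanks`;

console.log(JSON.stringify(buildClassifierPayload(SAMPLE_SUBJECT, SAMPLE_BODY), null, 2));
```

The `redactions` counts are safe to log alongside the audit entry: they show that an IBAN and a contact address were present, which is itself a useful classification signal, without persisting the values.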
02 / ENCRYPTION STANDARDS
Layer                      Standard                    Scope
Transit (API calls)        TLS 1.3                     Worker ↔ Graph API, Worker ↔ OpenAI
Transit (user-facing)      TLS 1.3 (Cloudflare)        Admin portal, MFA challenge pages
At Rest (audit logs)       AES-256 (Cloudflare D1)     All stored audit log records
At Rest (quarantine meta)  AES-256 (Cloudflare R2)     Quarantine folder metadata
API tokens                 Encrypted at rest           OAuth tokens stored encrypted
MFA secrets                TOTP (RFC 6238)             32-byte HMAC-SHA1 base32 seeds

03 / FAIL-OPEN ARCHITECTURE
Design Principle

IntegrityLayer's availability is not a dependency for your clients' email flow. If the Cloudflare Worker is unreachable for any reason, mail delivers directly to the inbox — uninterrupted. Your client's operations are never blocked by our uptime.

# Reliability policy (config.yml)
on_timeout: deliver         # fail-open: deliver to inbox if intercept times out
latency_budget: 500ms       # worker must respond within this window
retry_on_failure: false     # no retry — fail fast, fail open
Scenario                 Outcome                          Status
Worker unreachable       Mail delivers normally           ✓ Safe
Classification timeout   Mail delivers (no intercept)     ✓ Safe
MFA service down         Configurable: block or deliver   Configurable

04 / ACCESS CONTROLS & API PERMISSIONS

IntegrityLayer requests the minimum necessary API permissions. We use the principle of least privilege — no access to calendars, contacts, files, or other mailbox data beyond what is required for message interception.

Microsoft Graph API Scopes
  Mail.ReadWrite         Move mail to quarantine folder
  Mail.Send              Release quarantined mail
  MailboxSettings.Read   Read timezone / locale
  User.Read.All          Resolve sender identity

Google Gmail API Scopes
  gmail.modify           Archive/label messages
  gmail.send             Release quarantined mail
  pubsub.subscribe       Real-time message webhooks
  directory.readonly     Resolve sender identity

05 / AUDIT LOGGING

Every interception, quarantine action, MFA challenge, and release is recorded in an immutable audit log. MSPs can export these logs for client reporting, insurance documentation, or compliance audits.

# Sample audit log entry (JSON)
{
  "event": "MAIL_QUARANTINED",
  "timestamp": "2025-11-14T09:14:56.221Z",
  "msg_id": "7F3A-9C12",
  "risk_score": 0.94,
  "intent_class": "WIRE_TRANSFER",
  "mfa_status": "PENDING",
  "tenant_id": "acme-corp"
}
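The section says MSPs export these entries for reporting and audits. As an added example (not IntegrityLayer's code), the block below takes an export in JSON Lines form, validates each entry against the shape of the sample above, rejects malformed or out-of-range lines instead of silently counting them, and produces a per-tenant summary including quarantined messages that have not yet been released. The JSON Lines export format and the event names other than `MAIL_QUARANTINED` are assumptions; the sample lines are constructed.

```javascript
// Added example, not IntegrityLayer's code: validate an exported audit log
// (assumed JSON Lines) against the entry shape shown on the page and build a
// per-tenant report. Event names other than MAIL_QUARANTINED are assumptions.

const KNOWN_EVENTS = new Set(['MAIL_INTERCEPTED', 'MAIL_QUARANTINED', 'MFA_CHALLENGED', 'MAIL_RELEASED']);
const REQUIRED = ['event', 'timestamp', 'msg_id', 'tenant_id'];

// Return a list of problems; an empty list means the entry is usable.
function validateEntry(entry) {
  const problems = [];
  for (const k of REQUIRED) if (!(k in entry)) problems.push(`missing ${k}`);
  if ('event' in entry && !KNOWN_EVENTS.has(entry.event)) problems.push(`unknown event ${entry.event}`);
  if ('timestamp' in entry && Number.isNaN(Date.parse(entry.timestamp))) problems.push('bad timestamp');
  if ('risk_score' in entry &&
      !(typeof entry.risk_score === 'number' && entry.risk_score >= 0 && entry.risk_score <= 1)) {
    problems.push('risk_score out of [0,1]');
  }
  return problems;
}

// Parse one JSON object per line; keep line numbers for anything rejected
// so the exporting side can be asked about the exact record.
function parseAuditExport(text) {
  const valid = [], rejected = [];
  text.trim().split('\n').forEach((line, i) => {
    if (!line.trim()) return;
    let entry;
    try { entry = JSON.parse(line); } catch (e) { rejected.push({ line: i + 1, problems: ['not JSON'] }); return; }
    const problems = validateEntry(entry);
    if (problems.length) rejected.push({ line: i + 1, problems }); else valid.push(entry);
  });
  return { valid, rejected };
}

// Per-tenant counts, highest risk score seen, and message ids that were
// quarantined but have no matching MAIL_RELEASED entry.
function tenantReport(entries) {
  const work = {};
  for (const e of entries) {
    if (!work[e.tenant_id]) work[e.tenant_id] = { events: {}, quarantined: new Set(), released: new Set(), max_risk: 0 };
    const t = work[e.tenant_id];
    t.events[e.event] = (t.events[e.event] || 0) + 1;
    if (e.event === 'MAIL_QUARANTINED') t.quarantined.add(e.msg_id);
    if (e.event === 'MAIL_RELEASED') t.released.add(e.msg_id);
    if (typeof e.risk_score === 'number') t.max_risk = Math.max(t.max_risk, e.risk_score);
  }
  const report = {};
  for (const [tenant, t] of Object.entries(work)) {
    report[tenant] = {
      events: t.events,
      quarantined: t.quarantined.size,
      released: t.released.size,
      outstanding: [...t.quarantined].filter((id) => !t.released.has(id)),
      max_risk: t.max_risk,
    };
  }
  return report;
}

// Constructed export: the page's sample entry, its follow-up events, one
// entry with an impossible risk score, and one corrupted line.
const SAMPLE_EXPORT = `
{"event":"MAIL_QUARANTINED","timestamp":"2025-11-14T09:14:56.221Z","msg_id":"7F3A-9C12","risk_score":0.94,"intent_class":"WIRE_TRANSFER","mfa_status":"PENDING","tenant_id":"acme-corp"}
{"event":"MFA_CHALLENGED","timestamp":"2025-11-14T09:15:02.004Z","msg_id":"7F3A-9C12","mfa_status":"PENDING","tenant_id":"acme-corp"}
{"event":"MAIL_RELEASED","timestamp":"2025-11-14T09:17:40.512Z","msg_id":"7F3A-9C12","mfa_status":"VERIFIED","tenant_id":"acme-corp"}
{"event":"MAIL_QUARANTINED","timestamp":"2025-11-14T10:02:11.000Z","msg_id":"B2C4-11AA","risk_score":1.7,"intent_class":"WIRE_TRANSFER","tenant_id":"globex-ltd"}
{not json
{"event":"MAIL_QUARANTINED","timestamp":"2025-11-14T10:03:27.318Z","msg_id":"B2C4-11AA","risk_score":0.81,"intent_class":"WIRE_TRANSFER","mfa_status":"PENDING","tenant_id":"globex-ltd"}
{"event":"MAIL_INTERCEPTED","timestamp":"2025-11-14T10:05:00.100Z","msg_id":"C9D0-22BB","risk_score":0.12,"tenant_id":"globex-ltd"}
`;

const parsed = parseAuditExport(SAMPLE_EXPORT);
console.log('rejected:', JSON.stringify(parsed.rejected));
console.log(JSON.stringify(tenantReport(parsed.valid), null, 2));
```

Rejected lines are reported rather than dropped: for insurance or compliance evidence, a gap in the record is itself a finding, so the report should make clear how many lines it could not account for.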
Security Disclosure

Found a security issue? We maintain a responsible disclosure policy. Please email us directly — do not open a public GitHub issue.

security@integritylayer.io