Security

Your data security is our priority. Learn about the measures we implement to protect your information.

At a glance

• OAuth-based access

• Revocable anytime

• Verified Publisher

Microsoft Verified Publisher

Genassistant is a Microsoft Verified Publisher. When connecting your email, you will see a blue verified badge on Microsoft's consent screen, indicating that our business identity and domain have been validated by Microsoft for secure OAuth and Microsoft 365 integrations, including organizational tenants.

Authentication and Authorization

Secure OAuth Integration

• Industry-standard OAuth 2.0 authentication with Microsoft Azure AD

• PKCE (Proof Key for Code Exchange) to prevent authorization code interception attacks

• State validation protects against CSRF attacks

• All access is revocable and requires explicit user or admin consent

Token Security

• OAuth refresh tokens encrypted at rest

• Token validation for authenticity, expiration, and proper audience

• Tenant-aware verification ensures tokens are intended for your organization

• Data isolation between organizations
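The controls listed under Secure OAuth Integration and Token Security can be made concrete in a few small checks. The following is an added illustration, not Genassistant's own code: it shows a PKCE verifier/challenge pair as the token endpoint would check it, a per-session state value compared in constant time to reject forged callbacks, and the claim checks (expiry, audience, tenant) that bind a token to one organization. The audience string and tenant id are constructed placeholders, and the example assumes the JWT signature has already been verified against the issuer's published keys by a JWT library, and that tokens are Microsoft identity platform v2.0 tokens whose `iss` contains the tenant id.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional, Tuple

# --- PKCE (RFC 7636) ---------------------------------------------------------
# The client keeps code_verifier private and sends only code_challenge in the
# authorization request; at the token exchange it presents code_verifier, so an
# intercepted authorization code alone cannot be redeemed.

def make_code_verifier() -> str:
    # 32 random bytes -> 43-character base64url string (RFC 7636 allows 43..128)
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def code_challenge_s256(verifier: str) -> str:
    # S256 method: base64url(SHA-256(verifier)) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def pkce_matches(verifier: str, challenge: str) -> bool:
    # The token endpoint's check; constant-time compare avoids timing leaks.
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)

# --- state parameter (CSRF defence) -----------------------------------------
# state is minted per login attempt and stored in the user's session; the
# redirect back must carry the same value, otherwise the callback is rejected.

def new_state() -> str:
    return secrets.token_urlsafe(32)

def state_is_valid(session_state: Optional[str], returned_state: Optional[str]) -> bool:
    if not session_state or not returned_state:
        return False
    return secrets.compare_digest(session_state, returned_state)

# --- token claim validation ---------------------------------------------------
# Assumes signature verification has already been done by a JWT library.
# Placeholder identifiers below are constructed for this example.
EXPECTED_AUDIENCE = "api://genassistant-example"   # placeholder app/client id
ALLOWED_TENANTS = {"tenant-0000-example"}          # placeholder tenant id
ISSUER_PREFIX = "https://login.microsoftonline.com/"  # v2.0 issuer prefix (assumed)

def validate_claims(claims: dict, now: Optional[float] = None, skew: int = 60) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects expired, not-yet-valid, wrong-audience and
    foreign-tenant tokens; `skew` tolerates small clock differences."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        return False, "expired"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + skew < nbf:
        return False, "not yet valid"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "wrong audience"
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        return False, "unknown tenant"
    iss = claims.get("iss", "")
    # Tenant binding: the issuer URL must name the same tenant as the tid claim.
    if not iss.startswith(ISSUER_PREFIX) or tid not in iss:
        return False, "issuer/tenant mismatch"
    return True, "ok"

if __name__ == "__main__":
    v = make_code_verifier()
    print("PKCE round-trip:", pkce_matches(v, code_challenge_s256(v)))
    s = new_state()
    print("state check:", state_is_valid(s, s), state_is_valid(s, new_state()))
    sample = {"exp": 1700000600, "aud": EXPECTED_AUDIENCE, "tid": "tenant-0000-example",
              "iss": ISSUER_PREFIX + "tenant-0000-example/v2.0"}   # constructed claims
    print("claims:", validate_claims(sample, now=1700000000))
    print("foreign tenant:", validate_claims({**sample, "tid": "tenant-9999-other"}, now=1700000000))
```

The tenant check is what turns "a valid Microsoft token" into "a valid token for this organization": a correctly signed, unexpired token from another tenant still fails, which is the isolation property the bullets above describe.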

Data Access Boundaries

• Genassistant cannot read emails unless explicitly authorized via Microsoft consent

• We cannot access mailboxes without an active, user-granted token

• All data access requires explicit user permission through Microsoft's OAuth consent flow

• Access is fully revocable at any time, including by ending a subscription or through the Microsoft apps dashboard

Data Protection

Encryption

In Transit: All data transmitted is encrypted using TLS (Transport Layer Security)

At Rest: Sensitive data, including authentication credentials, is encrypted when stored

Secure Storage

• Credentials and secrets are never hardcoded

• Sensitive configuration managed through secure, encrypted storage

• Secrets centrally managed and rotated where supported

Data Minimization

• We only access data you explicitly authorize

• Data retained only as long as necessary

• Automatic cleanup when no longer needed

Infrastructure Security

Cloud Security

• Hosted on industry-leading cloud platforms

• Principle of least privilege for all system access

• Network security controls restrict access

• Regular security updates and patches

Monitoring and Logging

• Security events are logged and monitored using automated systems

• Audit trails for administrative actions

• Automated alerting for potential issues

• Logs retained per operational needs

Availability and Resilience

Our infrastructure is designed for high availability. Systems are distributed across multiple availability zones, and regular backups are performed to protect against data loss.

Application Security

Rate Limiting

API endpoints are protected by rate limiting to prevent abuse and ensure fair usage, helping protect against denial-of-service attacks.

Input Validation

All user inputs are validated and sanitized before processing. We use parameterized queries and secure coding practices to prevent injection attacks.

CORS and Origin Validation

Cross-origin requests are restricted to authorized domains only. Origin validation ensures requests come from legitimate sources.

Security Highlights

Key security strengths of our platform

Strong Authentication

OAuth 2.0 with PKCE and state validation

Encryption

TLS for data in transit, encryption for sensitive data at rest

Secure Secrets Management

No hardcoded credentials, centralized secret management

Access Controls

Least privilege principles, organizational tenant isolation

Monitoring

Security event logging and alerting

Microsoft Verification

Verified Publisher status demonstrates commitment to security

Regular Updates

Security patches and improvements are applied regularly

Audit Logging

Administrative actions and security events are logged for review and investigation

What We Don't Claim

To maintain transparency and accuracy, we want to be clear about what we do not claim:

We do not claim compliance with specific regulatory frameworks such as HIPAA, GDPR, PCI DSS, or other specialized data protection regimes unless explicitly stated in a written agreement.

We do not guarantee absolute security. No system is 100% secure, and we continuously work to improve our security posture.

Our service is not designed for regulated data subject to specialized compliance requirements (as detailed in our Terms of Service).

Your Role in Security

While we implement strong security measures, you also play an important role:

Protect your credentials: Never share your Microsoft account credentials with anyone; we will never ask for them

Review permissions: Regularly review the permissions you've granted to any connected applications through Microsoft's app consent management

Report issues: If you notice any suspicious activity or security concerns, please contact us immediately at support@genassistant.ai with "Security" in the subject

Keep software updated: Ensure your devices and browsers are kept up to date with security patches

Responsible Security Disclosure

We welcome responsible security disclosures. If you believe you have identified a potential security issue, please contact us at support@genassistant.ai with "Security" in the subject line.

We request that you:

Provide a detailed summary of the vulnerability, including steps to reproduce it

Allow us a reasonable amount of time to remediate the issue before any public disclosure

Avoid any actions that could impact the data or privacy of other users

Questions About Security?

If you have questions about our security practices or wish to report a security concern, please contact us:

support@genassistant.ai

For security-related issues, please include "Security" in your subject line.

This document provides a high-level overview of our security practices. For detailed information about how we handle your data, please see our Privacy Policy and Terms of Service.

Last Updated: January 2026