
Security & Privacy

Your data, your boundaries.

Salience reads your inbox so it can act on it. Here is precisely how that access is scoped, where the data goes, and what we will never do with it.

Local AI

Email content runs on a model we host, not on OpenAI or Anthropic.

Hosted in Australia

Data stays in your region. Sub-processors listed publicly.

Encrypted

TLS 1.3 in transit, AES-256 at rest.

Minimal OAuth scope

Read access only. We never send mail without explicit per-action consent.

AI architecture

Email content stays on hardware we own.

Salience does not call OpenAI, Anthropic, Google Gemini, or any other third-party AI provider for classification. Every email is processed by a local large language model running on a server we own and operate on our own network. The model is Qwen 35B, an open-weight model loaded onto a dedicated GPU host. No content leaves that server during classification.

The flow is the same for every email we process:

  1. Inbox
    Gmail / Outlook
  2. OAuth
    Read scope only
  3. Local Qwen 35B
    Hardware we own
  4. Action
    Label, draft, alert

Inbox content arrives over an authenticated OAuth session with Gmail or Microsoft Graph. The body and any attachments are parsed in memory; original files are not written to disk or to object storage. The parsed text is fed to the local Qwen model, which returns a structured classification (category, confidence, extracted fields). That structured output is what triggers actions and is what we persist.

We cache short AI-generated summaries in Postgres so the inbox can render fast. Those summaries are encrypted at rest along with the rest of the database. The original email body, attachments, and raw model intermediates are never written to long-term storage.

Data residency

Hosted in Australia. Sub-processors named publicly.

Production application servers, the Postgres database, and the local LLM host all run in Australia. We do not replicate customer data to other regions.

We use a small number of sub-processors. None of them are AI providers. We will not introduce a new sub-processor without updating this list and notifying account holders.

  • AWS (ap-southeast-2, Sydney)
    Purpose: application servers, database, object storage. Data shared: all persisted account data.
  • AWS SES
    Purpose: transactional email (trial reminders, security notices). Data shared: recipient email address, message body.
  • Stripe
    Purpose: billing, subscription management, tax. Data shared: customer ID, subscription state, payment metadata.
  • Google (Gmail / Workspace OAuth)
    Purpose: inbox access for Gmail-connected accounts. Data shared: OAuth tokens, message metadata pulled at runtime.
  • Microsoft (Outlook / Graph OAuth)
    Purpose: inbox access for Outlook-connected accounts. Data shared: OAuth tokens, message metadata pulled at runtime.

Retention. Classification results, workflow configurations, action logs, and cached AI summaries are retained for the lifetime of your account. They are deleted in full when you delete your account (see Account deletion). Audit logs are retained for thirty days after account deletion for fraud and compliance purposes, then purged.

OAuth scopes

We ask for the minimum we need to do the job.

Salience connects to Gmail and Outlook through OAuth. You see the full scope list on the consent screen at the moment you connect, and you can revoke access at any time from your Google or Microsoft account settings. Here is what the scopes mean in plain English.

We ask for
  • Read inbox messages
    We fetch new mail in the folders you select so we can classify it.
  • Apply labels and folders
    We assign the workflow category as a label or move messages into the matching folder.
  • Create drafts
    When a workflow has a draft-reply action, we write the draft into your drafts folder for your review.
We never ask for
  • Compose-and-send
    We never request the scope that lets us send mail on your behalf without you pressing send.
  • Contacts
    We do not read your address book or social graph. We work only from the messages you receive.
  • Drive, calendar files, or attachments storage
    We do not browse your Drive or OneDrive. Calendar event creation goes through a separate, opt-in connector.

Draft replies are written into your drafts folder for your review. Salience does not press send. Sending happens only when you open the draft yourself and click send in your mail client.

Encryption

Encrypted in transit and at rest.

In transit. All connections to Salience use TLS 1.3. Older TLS versions are disabled at the load balancer. The same applies to outbound connections we make on your behalf to Gmail, Microsoft Graph, Stripe, Slack, and any webhook destination you configure.

At rest. The Postgres database that stores classification results, workflow definitions, OAuth refresh tokens, and cached summaries is encrypted at the storage layer using AES-256. OAuth tokens are additionally encrypted at the application layer with a separate key before being written to the database, so a stolen database file is not enough on its own to read tokens.

Key management. Application-layer encryption keys are held in a managed key store and are not checked into source control. Keys can be rotated when needed; rotation re-encrypts existing records under the new key.

Account deletion

Self-service. No email ticket. No waiting.

You can delete your Salience account at any time from inside the app. The path is:

  1. Settings
    Open Settings from the avatar menu in the top right.
  2. Account
    Switch to the Account tab.
  3. Your Data
    Scroll to the Your Data section. Export first if you want a copy.
  4. Delete account
    Click Delete account, type your email to confirm, and submit. The action runs immediately.

On confirmation, the following are purged immediately: classifications, cached AI summaries, workflow configurations, action logs, watchlists, contact records, OAuth tokens, and connected app credentials. Any drafts already written to your mail provider stay in your provider account; they are no longer ours to remove.

Audit logs are retained for thirty days after deletion for fraud prevention and compliance, then purged. We retain a non-reversible tombstone (a salted SHA-256 hash of your email address) to prevent trial abuse. The tombstone contains no personal data and cannot be reversed to identify you.

If you would prefer we delete your account on your behalf, email privacy@salience.so from the address on file and we will action it within one business day.

Reporting a vulnerability

Found something? Tell us first.

We treat security reports seriously and respond to every good-faith disclosure. Please give us reasonable time to fix issues before any public discussion.

Response time: within 48 hours. Acknowledgement first; triage and remediation timeline shared in the first reply.

In scope. Production hosts at *.salience.so, the Salience API, the customer dashboard, the admin portal, and the marketing site.

Out of scope. Denial-of-service tests, social engineering of staff or customers, physical attacks, vulnerabilities in third-party services we use (report those to the upstream vendor), and issues that require a previously compromised user account or device.

We do not currently run a paid bug bounty programme. We will credit researchers who report valid issues, with permission, on a published acknowledgements page.