Watch My Inbox

Security and Trust Compliance

For University IT Administrators, Security Teams, and any security-conscious users of the system

Email Cheat Code is a product operated by Cuff Technology Solutions, LLC. This document confirms the security posture of the service across the EmailCheatCode.com and WatchMyInbox.com domains.

1. Data Access & Minimization

Area: Email Access
Policy: Strictly Read-Only Access (Gmail: gmail.readonly, Microsoft: Mail.Read). The granted scopes do not allow us to send, delete, or modify any content in a user's inbox.
Technical Implementation: Confirmed via Google OAuth scope and Microsoft Graph API scope.

Area: Data Stored
Policy: Metadata/Summary ONLY. We store encrypted alert history (sender, recipient/To field, subject, date/time, read/unread status at evaluation time, labels, importance flags, and AI-generated summaries). Our system uses Claude (by Anthropic) to create short alert summaries and may store multiple candidates per email to refine quality. The raw email body is never stored.
Technical Implementation: Data is stored in managed PostgreSQL via Supabase.

Area: PII Handling
Policy: Redacted Before Processing. PII detection and redaction is the first operation in the message processing pipeline - SSNs, credit card numbers, and similar sensitive data are stripped before any analysis, summarization, or storage occurs.
Technical Implementation: Implemented in our email processing pipeline.

Area: Token Storage
Policy: Encrypted at Rest. OAuth access and refresh tokens are encrypted using a strong, verified key.
Technical Implementation: Supabase, Row-Level Security (RLS) enforced.
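To illustrate the ordering described above (redaction first, then summarization, then storage of metadata and summary only), here is an added Python example. It is not Email Cheat Code's own pipeline code: the regular expressions, the Luhn check used to discard digit runs that are not card numbers, the summarize() placeholder that stands in for the model call, and the sample message are all constructed for this illustration.

```python
import re

# Constructed sample inbound message (not real data).
SAMPLE_MESSAGE = {
    "sender": "bursar@example.edu",
    "to": "student@example.edu",
    "subject": "Action required: tuition hold",
    "body": (
        "Your account has a hold. Please confirm your SSN 123-45-6789 "
        "and the card ending 4111 1111 1111 1111 by Friday."
    ),
}

# Patterns for the PII classes named on the page: SSNs and card numbers.
# Card pattern: 13-16 digits with optional single space/hyphen separators
# between digits, so a trailing separator is never swallowed into the match.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_valid(digits):
    """Luhn checksum; used to avoid redacting arbitrary long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pii(text):
    """Return (redacted_text, counts). Runs before anything else sees the body."""
    counts = {"SSN": 0, "CARD": 0}

    def ssn_sub(m):
        counts["SSN"] += 1
        return "[SSN REDACTED]"

    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            counts["CARD"] += 1
            return "[CARD REDACTED]"
        return m.group(0)  # not a card number (e.g. an order id); leave as-is

    text = SSN_RE.sub(ssn_sub, text)
    text = CARD_RE.sub(card_sub, text)
    return text, counts


def summarize(redacted_body, limit=120):
    """Placeholder for the summarization model call: truncate the redacted text."""
    if len(redacted_body) <= limit:
        return redacted_body
    return redacted_body[: limit - 3] + "..."


def process_message(msg):
    """Pipeline: redact -> summarize -> build the record that would be stored."""
    # Step 1: redaction is the first operation on the body.
    redacted_body, counts = redact_pii(msg["body"])
    # Step 2: summarization only ever receives the redacted text.
    summary = summarize(redacted_body)
    # Step 3: the stored record carries metadata and the summary, never the body.
    return {
        "sender": msg["sender"],
        "to": msg["to"],
        "subject": msg["subject"],
        "summary": summary,
        "pii_redactions": counts,
    }


if __name__ == "__main__":
    print(process_message(SAMPLE_MESSAGE))
```

The Luhn step is the edge case worth noting: a naive "any 13 to 16 digits" rule would redact order numbers and tracking ids, so the check keeps the redaction targeted while still catching real card numbers in the constructed message.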

Sub-processors & AI Data Handling

For our complete sub-processor list (including Anthropic/Claude, AWS, and Supabase), AI data handling details, and data deletion policy, see our Privacy Policy.

We're Not Your Email Archive

Our purpose is to help you catch time-critical emails, not to replace or archive your inbox. We only store the minimal metadata and AI-generated summaries needed to show you alert history and provide context for action. Your email inbox remains your source of truth for all email content.

2. Security Posture & Compliance

  • Application Security Scanning (CI/CD): Our development pipeline includes automated Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Software Bill of Materials (SBOM) generation.
  • AI-Powered Processing: Email content is processed through AWS Lambda infrastructure using Claude (Anthropic) for intelligent alert classification. All processing follows strict data minimization principles - only alert-worthy emails generate stored summaries.
  • CASA Tier 2 Verified: We are Cloud Application Security Assessment (CASA) Tier 2 verified by an independent third-party assessor.
  • Student Data & FERPA: Email Cheat Code operates on student-direct OAuth consent - we do not receive data from your institution and have no data-sharing relationship with it. FERPA governs how your school handles education records; it is not implicated by apps students authorize directly through Google or Microsoft. Our Payer-Privacy Model ensures parents cannot access email content or alert history even when funding a subscription.
  • OWASP Compliance: Controls against the OWASP Top 10 are enforced, including Rate Limiting (A07) on all login endpoints and security headers.
  • Email Authentication: All outbound emails are authenticated with DMARC, SPF, and DKIM to ensure domain integrity and prevent phishing.
  • Vulnerability Disclosure: We welcome responsible security research. See our Vulnerability Disclosure Policy for safe harbor terms and reporting guidelines.

3. Contact Information

Legal Entity: Cuff Technology Solutions, LLC

Official Mailing Address:
23 Willow St
West Harwich, MA 02671

Email: contact@watchmyinbox.com

Phone: +1 978 267 0411