Security & Trust

Hugrun Cloud reads your inbox. We treat that responsibility seriously. This page lays out exactly how we protect your data, who can see what, and what your legal rights are — written in plain English instead of corporate boilerplate.

Last reviewed: April 2026 · Independently audited

Our security principles

Encryption everywhere

Your OAuth tokens and credentials are encrypted at rest with Fernet (AES-128-CBC + HMAC). All traffic to and from Hugrun is HTTPS only, with HSTS forcing the browser to refuse insecure connections for two years.

Tenant isolation

Every database query is scoped to your tenant ID. There is no shared bucket of customer data — your records are unreachable to anyone except authenticated members of your organisation.

Minimum data, maximum control

We only request the Gmail / Outlook scopes we actually need to read inboxes and create drafts. We never send on your behalf. Every AI draft sits in your drafts folder until you press send.

Human-in-the-loop by default

Hugrun never sends an email without your explicit approval. The AI drafts, you decide. You can review, edit, reject, or rewrite any draft before it goes anywhere.

Technical controls

Strict-Transport-Security (HSTS) with 2-year max-age and preload
Content-Security-Policy with frame-ancestors 'none' (clickjacking blocked)
X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy on every response
OAuth state tokens (cryptographically random, single-use, 10-minute TTL) for all integrations
JWT access tokens with audience + issuer validation, plus a Redis-backed revocation denylist
Per-IP rate limiting on login, signup, password reset, and AI chat
Account lockout after 5 failed logins within 15 minutes
Bcrypt password hashing (cost factor 12, never reversible)
Stripe webhook signatures verified on every event
SQL queries built exclusively through SQLAlchemy parameterised statements (no string concatenation)
Dependency vulnerabilities scanned with pip-audit on every build
All secrets stored in DigitalOcean encrypted environment variables, never in source control

Global compliance

Hugrun Cloud is sold worldwide. Wherever you are, your data rights apply.

European Union (GDPR)

We honour every data subject right under Articles 15–22: access, rectification, erasure, restriction, portability, and objection. Export your data at /api/auth/me/export. Delete your account at any time — instantly and permanently — from your settings page.

United Kingdom (UK GDPR)

Same as EU. Customers in the UK have full data subject rights and can complain to the ICO if anything is mishandled.

United States (CCPA / CPRA)

California residents have the right to know, delete, correct, and limit the use of their personal information. We do not sell or share personal information for cross-context behavioural advertising.

Australia (Privacy Act 1988 + APPs)

Hugrun Pty Ltd is an Australian company subject to the Australian Privacy Principles. Notifiable Data Breaches are reported to the OAIC and to affected customers within 72 hours.

Google API Services User Data Policy

Hugrun Cloud's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Subprocessors

Third-party services Hugrun Cloud uses to deliver the product. We disclose these so you know exactly where your data may travel.

Subprocessor	Purpose	Region
Anthropic (Claude)	AI email triage and drafting	United States
OpenAI (GPT)	Fallback AI drafting	United States
Google AI (Gemini)	Fallback AI drafting	United States
Stripe	Payments processing	United States / Australia
DigitalOcean	App and database hosting	Sydney, Australia
Google Workspace	Hugrun's transactional email	United States

Found a security issue?

We want to know. Email [email protected] with the details and we'll respond within 24 hours. We do not pursue legal action against good-faith security researchers who follow our responsible disclosure guidelines.

Contact our team