Security

Effective May 10, 2026

This page describes the technical and organisational measures we take to protect your data. It supplements our Privacy Policy and is intended for both end users and Google's OAuth verification reviewers.

1. Encryption

  • In transit: All connections to the Service use TLS 1.2 or higher. HSTS is enabled with a long max-age.
  • At rest: Google OAuth refresh tokens are encrypted using Fernet (AES-128-CBC + HMAC-SHA256) with a key stored in our secrets manager and never committed to source control. Passwords are hashed with Argon2id (default cost parameters from the argon2-cffi library).
  • Object storage: Raw email HTML and article Markdown are stored in private Cloudflare R2 buckets. Bucket policies disable public access; object-level keys use unguessable UUIDs.

2. Gmail scope & access boundary

  • We request only the read-only scope https://www.googleapis.com/auth/gmail.readonly. We do not request gmail.send, gmail.modify, gmail.compose, gmail.labels, or any other write-capable scope.
  • Our ingestion pipeline reads only messages whose sender matches a sender you have explicitly added to your approved list in the app. Other messages are not fetched, parsed, or stored.
  • Refresh tokens are decrypted only inside ingestion worker processes, for the duration of a single Gmail API call.

3. Authentication & account security

  • We support Google OAuth (with PKCE), email + password sign-in (Argon2id), and magic-link sign-in (single-purpose 15-minute JWTs carrying an explicit purpose claim and the user's email).
  • Sessions are managed via short-lived JWT access tokens and rotated refresh tokens.
  • Email verification is required before connecting Gmail for accounts created via password sign-up.
  • Account-enumeration defense: /forgot-password and /request-link endpoints always return a generic success response.
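Added illustration of the single-purpose magic-link token described above (example code, not the Service's own implementation): a stdlib-only HS256 JWT with an explicit purpose claim and 15-minute expiry, where the verifier rejects a token minted for a different purpose even though it carries a valid signature under the same key. The signing key, claim names (sub, purpose) and purpose strings are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-not-a-real-secret"  # constructed placeholder key
MAGIC_LINK_TTL = 15 * 60  # 15-minute lifetime, per the policy above
MAGIC_LINK_PURPOSE = "magic_link"  # assumed purpose string


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(email: str, purpose: str, now=None) -> str:
    """Mint an HS256 JWT bound to one purpose; 'sub' carries the user's email."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": email, "purpose": purpose, "iat": now, "exp": now + MAGIC_LINK_TTL}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def verify_magic_link(token: str, now=None):
    """Return the email if token is a valid, unexpired magic-link token, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        # Always recompute HS256 ourselves: the header's 'alg' is never trusted.
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        header = json.loads(_unb64(h))
        payload = json.loads(_unb64(p))
    except ValueError:  # bad base64, bad JSON, or wrong segment count
        return None
    if header.get("alg") != "HS256":
        return None
    # Purpose binding: a password-reset or session token signed with the same
    # key must not be accepted as a magic link.
    if payload.get("purpose") != MAGIC_LINK_PURPOSE:
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload.get("sub")
```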

4. Infrastructure

  • Compute and database run on managed cloud providers in the United States.
  • Production secrets are stored in a managed secrets manager; access is restricted to authorised personnel via SSO and audit-logged.
  • Source code is stored in a private Git repository with branch protection and required code review.
  • Dependencies are monitored continuously for known vulnerabilities; security-impacting updates are applied within 7 days of disclosure for high-severity issues.

5. Logging and monitoring

  • We log application errors and request metadata (route, status, latency). We do not log message bodies, headers beyond standard troubleshooting fields, or AI prompt/response payloads.
  • Errors are surfaced to Sentry with PII redaction enabled.

6. Incident response

If we become aware of a security incident affecting your data, we will notify affected users without undue delay and in any case within 72 hours where required by law. Report a suspected vulnerability to security@newsbrieflyai.com. We follow a 90-day coordinated disclosure window.

7. Sub-processors

We use the following sub-processors for service delivery:

  • Cloudflare (R2 object storage, CDN, DDoS protection) — USA
  • Stripe (payments) — USA
  • Resend (transactional email) — USA
  • Google (Gmail API, Pub/Sub, OAuth) — USA
  • Anthropic and/or OpenAI (AI processing) — USA

8. CASA Tier 2

Because NewsBriefly requests the restricted gmail.readonly scope, the Service is undergoing a Cloud Application Security Assessment (CASA) Tier 2 review as required by Google's OAuth verification process. Status: [CASA_STATUS — e.g. "In progress via App Defense Alliance self-scan"].

9. Contact

Security disclosures: security@newsbrieflyai.com
Privacy & data requests: privacy@newsbrieflyai.com