// Trust & Security Report
SaneBox, Inc.
AI-assisted email triage SaaS for individuals and small/mid-size businesses. Core product analyzes email headers/metadata to sort mail (SaneLater, BlackHole, Daily Digest, Reminders, Snooze); optional add-ons SaneFwd and SaneAttachments temporarily process full email content/attachments for forwarding and attachment offloading. Single web/mobile product with a "For Business" tier (centralized billing/admin, BAA/DPA available on request); no separate self-hosted or enterprise-API product line.
Certifications held
3
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on sanebox.com“"Absolutely! We understand the importance of HIPAA compliance. You can find our BAA here" and "Absolutely! SaneBox operates as part of a HIPAA-compliant organization" with a signable BAA offered via DocuSign.”
Verify on sanebox.com“"We only process email header information, not the body content of your emails" and business customers "can sign a Data Processing Addendum (DPA)"; ToS states legal entities are "prohibited from Processing Client Personal Data regulated by EU Data Protection Laws" unless SaneBox's DPA is in force.”
Verify on sanebox.com“"We have passed external security audits by Leviathan Security Group." Also: "Our security is annually assessed as a part of Google's Restricted Scopes verification process" and SaneBox "maintains a vulnerability disclosure program via HackerOne."”
> Show 6 unconfirmed / not-held certifications
source: sanebox.comNo public evidence. SaneBox's own security page, security FAQ, privacy policy and ToS never mention SOC 2. A generic web-search summary claimed 'SaneBox is SOC 2 Compliant' but this could not be corroborated on sanebox.com and appears to be unverified third-party/aggregator content.
source: sanebox.comSaneBox's security page states data centers maintain 'ISO accreditation' with 24/7 CCTV and biometric access, but this describes the physical data-center host, not an ISO 27001 certificate held by SaneBox itself. No SaneBox-held ISO 27001 certificate is referenced anywhere on sanebox.com.
source: sanebox.comNo public evidence on sanebox.com. Billing/payment card handling is not described on the vendor's security or privacy pages; not applicable to SaneBox's own systems as far as could be verified.
source: sanebox.comNo public evidence. Not mentioned on sanebox.com anywhere; an aggregator search result claimed 'FedRamp Compliant' but this is implausible for a small consumer/SMB email add-on and could not be verified on the vendor's own domain.
source: sanebox.comNo public evidence on sanebox.com. An aggregator search result claimed 'CSA Star Level 1 Compliant' but this is not corroborated anywhere on the vendor's own domain.
source: sanebox.comNo public evidence. Not mentioned on any SaneBox-owned page reviewed.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
SaneBox, Inc. is a US company; the privacy policy states service providers/subprocessors 'may be located outside of the United States' with equivalent confidentiality requirements, but no specific data region/hosting provider is named on the pages reviewed.
SaneBox describes its core sorting feature as using 'sophisticated algorithms and machine learning' but this reads as per-user inference/classification, not disclosed use of customer email content to train shared or foundational AI models. No page on sanebox.com states one way or the other whether customer data is used for model training; the architecture (headers/metadata only for the core product, full body never stored) makes broad training on email content unlikely for the default product, but SaneFwd/SaneAttachments do temporarily touch full email content and no training disclaimer is given for those either. Treat as unconfirmed rather than assume false.
// Security controls
Encryption at rest
Account credentials 'encrypted with proven public key cryptography and stored on servers that are unreachable from the public Internet'; encryption keys held in hardware security modules.
sanebox.comData minimization
Core product analyzes only sender, subject line and date; "We never store full emails or attachments." Full email bodies are not downloaded except by opt-in features (SaneFwd, SaneAttachments) via encrypted connections.
sanebox.comThird-party penetration testing
External security audits performed by Leviathan Security Group.
sanebox.comVulnerability disclosure / bug bounty
Ongoing program via HackerOne ("automated and human hackers").
sanebox.comGoogle API Services assessment
Annual Cloud Application Security Assessment required by Google's Restricted Scopes verification process for Gmail API access.
sanebox.comAccess control
"Only select senior engineering personnel are allowed to access our production servers, and access logs are kept at all times."
sanebox.comData retention
Email activity logs deleted after 30 days on active accounts; customer data removed after 90 days of account inactivity; cancellation-driven deletion process for canceled accounts.
sanebox.com// Products & data scope
data: Email headers, sender, subject, and date only; full email body is not downloaded or stored by default.
Works via IMAP/OAuth across Gmail, Microsoft 365, iCloud, Yahoo, Fastmail, Exchange/ActiveSync. No self-hosted option.
data: Temporarily processes full email content and/or attachments over an encrypted connection for the specific forwarding or offload action.
Broader data access than the default header-only architecture; opt-in per user.
data: Same header-only default architecture as consumer product, with centralized billing/admin.
BAA and DPA available on request (DocuSign) for customers with HIPAA/GDPR obligations; not an independently audited enterprise tier.
// What to watch
- Third-party/aggregator web content (surfaced via search, not on sanebox.com) claims SaneBox is 'SOC 2 Compliant, ISO 27001 Compliant, PCI Compliant, HIPAA Compliant, GDPR Compliant, FedRAMP Compliant, and CSA STAR Level 1 Compliant.' Only the HIPAA (BAA) and GDPR (DPA) postures could be corroborated on the vendor's own domain; the SOC 2, ISO 27001, PCI DSS, FedRAMP, and CSA STAR claims have zero vendor-domain support and should not be surfaced to users without direct vendor confirmation.
- Security page's mention of 'ISO accreditation' for data centers refers to the hosting facility, not a SaneBox-held ISO 27001 certificate - do not conflate host-level facility accreditation with vendor certification.
- Privacy policy references the EU-U.S. Privacy Shield Framework, which was invalidated in 2020 and superseded by the EU-U.S. Data Privacy Framework (DPF) in 2023 - this is stale/legacy language suggesting the policy has not been fully refreshed.
- No formal trust center (e.g., Vanta/SafeBase/Drata-style portal); security posture is spread across a marketing security page and help-center FAQ articles only.
- AI/ML training use of customer email data is not explicitly addressed on any vendor page; product copy references 'machine learning' for per-user sorting but does not state whether customer content feeds shared model training, and this is not clarified for the content-touching SaneFwd/SaneAttachments features.
// At a glance
Pricing model
Subscription tiers (individual and business plans) with a 14-day free trial; no credit card required to start.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on SaneBox, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
sanebox.com