// Trust & Security Report

    SaneBox, Inc. logo

    SaneBox, Inc.

    AI-assisted email triage SaaS for individuals and small/mid-size businesses. Core product analyzes email headers/metadata to sort mail (SaneLater, BlackHole, Daily Digest, Reminders, Snooze); optional add-ons SaneFwd and SaneAttachments temporarily process full email content/attachments for forwarding and attachment offloading. Single web/mobile product with a "For Business" tier (centralized billing/admin, BAA/DPA available on request); no separate self-hosted or enterprise-API product line.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    HIPAA
    HELD

    "Absolutely! We understand the importance of HIPAA compliance. You can find our BAA here" and "Absolutely! SaneBox operates as part of a HIPAA-compliant organization" with a signable BAA offered via DocuSign.

    Verify on sanebox.com
    GDPR (posture)
    HELD

    "We only process email header information, not the body content of your emails" and business customers "can sign a Data Processing Addendum (DPA)"; ToS states legal entities are "prohibited from Processing Client Personal Data regulated by EU Data Protection Laws" unless SaneBox's DPA is in force.

    Verify on sanebox.com
    Independent third-party security audit
    HELD

    "We have passed external security audits by Leviathan Security Group." Also: "Our security is annually assessed as a part of Google's Restricted Scopes verification process" and SaneBox "maintains a vulnerability disclosure program via HackerOne."

    Verify on sanebox.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. SaneBox's own security page, security FAQ, privacy policy and ToS never mention SOC 2. A generic web-search summary claimed 'SaneBox is SOC 2 Compliant' but this could not be corroborated on sanebox.com and appears to be unverified third-party/aggregator content.

    source: sanebox.com
    ISO 27001
    NOT CONFIRMED

    SaneBox's security page states data centers maintain 'ISO accreditation' with 24/7 CCTV and biometric access, but this describes the physical data-center host, not an ISO 27001 certificate held by SaneBox itself. No SaneBox-held ISO 27001 certificate is referenced anywhere on sanebox.com.

    source: sanebox.com
    PCI DSS
    NOT CONFIRMED

    No public evidence on sanebox.com. Billing/payment card handling is not described on the vendor's security or privacy pages; not applicable to SaneBox's own systems as far as could be verified.

    source: sanebox.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not mentioned on sanebox.com anywhere; an aggregator search result claimed 'FedRamp Compliant' but this is implausible for a small consumer/SMB email add-on and could not be verified on the vendor's own domain.

    source: sanebox.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on sanebox.com. An aggregator search result claimed 'CSA Star Level 1 Compliant' but this is not corroborated anywhere on the vendor's own domain.

    source: sanebox.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence. Not mentioned on any SaneBox-owned page reviewed.

    source: sanebox.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    SaneBox, Inc. is a US company; the privacy policy states service providers/subprocessors 'may be located outside of the United States' with equivalent confidentiality requirements, but no specific data region/hosting provider is named on the pages reviewed.

    SaneBox describes its core sorting feature as using 'sophisticated algorithms and machine learning' but this reads as per-user inference/classification, not disclosed use of customer email content to train shared or foundational AI models. No page on sanebox.com states one way or the other whether customer data is used for model training; the architecture (headers/metadata only for the core product, full body never stored) makes broad training on email content unlikely for the default product, but SaneFwd/SaneAttachments do temporarily touch full email content and no training disclaimer is given for those either. Treat as unconfirmed rather than assume false.

    // Security controls

    Encryption in transit

    TLS/SSL with an A+ grade from Qualys SSL Labs.

    sanebox.com

    Encryption at rest

    Account credentials 'encrypted with proven public key cryptography and stored on servers that are unreachable from the public Internet'; encryption keys held in hardware security modules.

    sanebox.com

    Data minimization

    Core product analyzes only sender, subject line and date; "We never store full emails or attachments." Full email bodies are not downloaded except by opt-in features (SaneFwd, SaneAttachments) via encrypted connections.

    sanebox.com

    Third-party penetration testing

    External security audits performed by Leviathan Security Group.

    sanebox.com

    Vulnerability disclosure / bug bounty

    Ongoing program via HackerOne ("automated and human hackers").

    sanebox.com

    Google API Services assessment

    Annual Cloud Application Security Assessment required by Google's Restricted Scopes verification process for Gmail API access.

    sanebox.com

    Access control

    "Only select senior engineering personnel are allowed to access our production servers, and access logs are kept at all times."

    sanebox.com

    Data retention

    Email activity logs deleted after 30 days on active accounts; customer data removed after 90 days of account inactivity; cancellation-driven deletion process for canceled accounts.

    sanebox.com

    // Products & data scope

    SaneBox (core inbox management)AI email triage / inbox management

    data: Email headers, sender, subject, and date only; full email body is not downloaded or stored by default.

    Works via IMAP/OAuth across Gmail, Microsoft 365, iCloud, Yahoo, Fastmail, Exchange/ActiveSync. No self-hosted option.

    SaneFwd / SaneAttachments (optional add-ons)Email forwarding / attachment offloading

    data: Temporarily processes full email content and/or attachments over an encrypted connection for the specific forwarding or offload action.

    Broader data access than the default header-only architecture; opt-in per user.

    SaneBox for BusinessTeam/business email management

    data: Same header-only default architecture as consumer product, with centralized billing/admin.

    BAA and DPA available on request (DocuSign) for customers with HIPAA/GDPR obligations; not an independently audited enterprise tier.

    // What to watch

    • Third-party/aggregator web content (surfaced via search, not on sanebox.com) claims SaneBox is 'SOC 2 Compliant, ISO 27001 Compliant, PCI Compliant, HIPAA Compliant, GDPR Compliant, FedRAMP Compliant, and CSA STAR Level 1 Compliant.' Only the HIPAA (BAA) and GDPR (DPA) postures could be corroborated on the vendor's own domain; the SOC 2, ISO 27001, PCI DSS, FedRAMP, and CSA STAR claims have zero vendor-domain support and should not be surfaced to users without direct vendor confirmation.
    • Security page's mention of 'ISO accreditation' for data centers refers to the hosting facility, not a SaneBox-held ISO 27001 certificate - do not conflate host-level facility accreditation with vendor certification.
    • Privacy policy references the EU-U.S. Privacy Shield Framework, which was invalidated in 2020 and superseded by the EU-U.S. Data Privacy Framework (DPF) in 2023 - this is stale/legacy language suggesting the policy has not been fully refreshed.
    • No formal trust center (e.g., Vanta/SafeBase/Drata-style portal); security posture is spread across a marketing security page and help-center FAQ articles only.
    • AI/ML training use of customer email data is not explicitly addressed on any vendor page; product copy references 'machine learning' for per-user sorting but does not state whether customer content feeds shared model training, and this is not clarified for the content-touching SaneFwd/SaneAttachments features.

    // At a glance

    Pricing model

    Subscription tiers (individual and business plans) with a 14-day free trial; no credit card required to start.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on SaneBox, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    sanebox.com

    > Browse all vendor trust reports