// Trust & Security Report
Spark Mail Limited
Spark Mail: cross-platform email client (Mac, Windows, iOS, Android, Apple Watch) for individuals and teams. Free, Plus, and Pro consumer/prosumer tiers plus a custom-priced Enterprise tier ('Security & Controls', dedicated success manager). Includes Spark +AI, an AI email-writing/summarization assistant built on Azure OpenAI, and Spark for Teams collaborative inbox features.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on sparkmailapp.com“'Spark is fully GDPR and CCPA compliant.' Also: 'The personal data we collect is stored on the US servers, which participate in the Data Privacy Framework, and European Economic Area servers.' A Data Processing Agreement is referenced for controllers: 'please refer also to our Data Processing Agreement (DPA).'”
> Show 6 unconfirmed / not-held certifications
source: sparkmailapp.comNo SOC 2 report, auditor name, or trust center for Spark Mail Limited itself was found. Spark's own help content states: 'Our cloud infrastructure is hosted by Google in the US, which is fully SOC-2 and ISO 27001 certified' - this is the cloud HOST's certification, not Spark's own. Separately, Spark's pricing page markets the Enterprise tier with the line 'Enhance account security with measures like SOCII compliance,' but no report or scope is provided anywhere on the vendor's site, which is inconsistent with the detailed help-center language crediting Google Cloud. Treated as held=false; flagged as a possible over-claim.
source: sparkmailapp.com'Our cloud infrastructure is hosted by Google in the US, which is fully SOC-2 and ISO 27001 certified.' This certification is attributed explicitly to Google Cloud (the host), not to Spark Mail Limited. No independent ISO 27001 certificate for Spark was found.
source: sparkmailapp.comNo mention of HIPAA, protected health information, or a Business Associate Agreement appears anywhere in Spark's Privacy Policy, Terms of Service, or Help Center. Absence of any HIPAA/BAA language across the vendor's legal pages is the basis for grading this false; no public evidence Spark will sign a BAA.
source: sparkmailapp.comNo public evidence of PCI DSS certification on any Spark-owned page; billing/subscriptions are handled through app-store and standard payment processors rather than Spark storing cardholder data directly, but this is not explicitly documented by the vendor.
source: sparkmailapp.comNo public evidence. Spark's AI documentation (Spark +AI security/data page) discusses data handling with its AI subprocessor but makes no certification claim.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US servers (participating in the EU-US Data Privacy Framework) and European Economic Area servers, per Spark's privacy policy; underlying infrastructure runs on Google Cloud.
Privacy policy states plainly: 'We do not use your data to train any AI model.' The Spark +AI security page adds that prompts/content sent to the AI provider are used solely to generate the requested output: 'Azure OpenAI does not use this data to train models, and will not retain the data for more than 30 days' and 'Spark does not store this data or train or [sic] models, either.' No tier-based opt-out is documented because the vendor's stated default is already no training; no contradiction with older ToS language was found during this check.
// Security controls
Encryption at rest
Server-side databases are encrypted; passwords are additionally encrypted in the database; notification payload encryption keys are kept only on the user's device ('The encryption key is saved locally on your device, so only you have access to it').
sparkmailapp.comInfrastructure host
Spark does not run its own servers; it runs on Google Cloud, described by Spark as 'one of the most secure solutions available in the industry.' Google Cloud's own SOC 2/ISO 27001 certification and Data Privacy Framework participation are the host's, not Spark's.
sparkmailapp.comData minimization / retention
Encrypted push-notification content is deleted from Spark's servers roughly 4 hours after delivery; scheduled ('Send Later') messages are deleted immediately after sending; payment and support records are retained 6 years.
sparkmailapp.comAI subprocessor
Spark +AI is powered by Azure OpenAI Service; content is passed to it solely to generate the requested output, is not used for model training, and is not retained by the subprocessor beyond 30 days.
sparkmailapp.comResponsible disclosure
Spark maintains a public responsible-disclosure/vulnerability-reporting page.
sparkmailapp.comThird-party data sharing
'Your data is solely used for product optimization and is never shared with third parties.'
sparkmailapp.com// Products & data scope
data: Connects and syncs personal/work IMAP, iCloud, Exchange, Outlook, Yahoo, and Google mail accounts on Spark's infrastructure.
No AI features, no team collaboration, no admin/security controls.
data: Same mail sync as Free plus Spark +AI (email drafting/summarization/translation via Azure OpenAI), meeting notes, team collaboration and integrations.
Introduces the AI subprocessor (Azure OpenAI) into the data flow; Spark states this data is not retained for training.
data: Adds shared/delegated inboxes, role-based access (Owner/Admin/Member), and, per Spark's own pricing copy, additional 'Security & Controls' and 'SOCII compliance' claims that are not substantiated elsewhere on the vendor's site.
Custom pricing, contact-sales only; this tier carries the unverified SOC 2 marketing language flagged above.
// What to watch
- No SOC 2 report, auditor, or trust center could be found for Spark Mail Limited itself. Spark's own Enterprise pricing page says 'Enhance account security with measures like SOCII compliance,' which reads as a SOC 2 claim, but this is unsupported anywhere else on the vendor's site and contradicts the more careful help-center language that credits Google Cloud (the host) with SOC 2/ISO 27001, not Spark. Recommend not listing SOC 2 as held until Spark provides a report or a real trust center.
- Identity-conflation risk avoided: trust.spark.re and trust.sparkhq.ai both surfaced in search results for 'Spark trust center' but belong to unrelated companies (a real-estate 'Spark' and 'Spark Systems Inc.' / sparkhq.ai, an energy-permitting AI company). Neither was used as evidence for this vendor (sparkmailapp.com, Spark Mail Limited).
- Google Cloud's SOC 2/ISO 27001/Data Privacy Framework status is repeatedly cited by Spark as covering its infrastructure; this is the cloud host's certification, correctly attributed by Spark in help-center copy, but AIFOXX should not surface it as 'Spark is SOC 2 / ISO 27001 certified.'
- HIPAA/BAA availability is undocumented by the vendor; treat Spark as not suitable for PHI workflows.
- No independent vendor trust center exists (has_trust_center=false); certifications and security claims are scattered across a privacy policy, a help-center article, an AI-specific data page, and marketing pricing copy rather than a single verifiable source.
// At a glance
Pricing model
Freemium: Free tier, then per-seat monthly/annual Plus and Pro tiers (EUR pricing observed), plus a custom-quoted Enterprise tier.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Spark Mail Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
sparkmailapp.com