// Trust & Security Report

    Spark Mail Limited logo

    Spark Mail Limited

    Spark Mail: cross-platform email client (Mac, Windows, iOS, Android, Apple Watch) for individuals and teams. Free, Plus, and Pro consumer/prosumer tiers plus a custom-priced Enterprise tier ('Security & Controls', dedicated success manager). Includes Spark +AI, an AI email-writing/summarization assistant built on Azure OpenAI, and Spark for Teams collaborative inbox features.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    'Spark is fully GDPR and CCPA compliant.' Also: 'The personal data we collect is stored on the US servers, which participate in the Data Privacy Framework, and European Economic Area servers.' A Data Processing Agreement is referenced for controllers: 'please refer also to our Data Processing Agreement (DPA).'

    Verify on sparkmailapp.com
    CCPA (compliance posture)
    HELD

    'Spark is fully GDPR and CCPA compliant.'

    Verify on sparkmailapp.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    No SOC 2 report, auditor name, or trust center for Spark Mail Limited itself was found. Spark's own help content states: 'Our cloud infrastructure is hosted by Google in the US, which is fully SOC-2 and ISO 27001 certified' - this is the cloud HOST's certification, not Spark's own. Separately, Spark's pricing page markets the Enterprise tier with the line 'Enhance account security with measures like SOCII compliance,' but no report or scope is provided anywhere on the vendor's site, which is inconsistent with the detailed help-center language crediting Google Cloud. Treated as held=false; flagged as a possible over-claim.

    source: sparkmailapp.com
    ISO 27001
    NOT CONFIRMED

    'Our cloud infrastructure is hosted by Google in the US, which is fully SOC-2 and ISO 27001 certified.' This certification is attributed explicitly to Google Cloud (the host), not to Spark Mail Limited. No independent ISO 27001 certificate for Spark was found.

    source: sparkmailapp.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA, protected health information, or a Business Associate Agreement appears anywhere in Spark's Privacy Policy, Terms of Service, or Help Center. Absence of any HIPAA/BAA language across the vendor's legal pages is the basis for grading this false; no public evidence Spark will sign a BAA.

    source: sparkmailapp.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on any Spark-owned page; billing/subscriptions are handled through app-store and standard payment processors rather than Spark storing cardholder data directly, but this is not explicitly documented by the vendor.

    source: sparkmailapp.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence. Spark's AI documentation (Spark +AI security/data page) discusses data handling with its AI subprocessor but makes no certification claim.

    source: sparkmailapp.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any Spark-owned page.

    source: sparkmailapp.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US servers (participating in the EU-US Data Privacy Framework) and European Economic Area servers, per Spark's privacy policy; underlying infrastructure runs on Google Cloud.

    Privacy policy states plainly: 'We do not use your data to train any AI model.' The Spark +AI security page adds that prompts/content sent to the AI provider are used solely to generate the requested output: 'Azure OpenAI does not use this data to train models, and will not retain the data for more than 30 days' and 'Spark does not store this data or train or [sic] models, either.' No tier-based opt-out is documented because the vendor's stated default is already no training; no contradiction with older ToS language was found during this check.

    // Security controls

    Encryption in transit

    All connections to Spark's servers use TLS.

    sparkmailapp.com

    Encryption at rest

    Server-side databases are encrypted; passwords are additionally encrypted in the database; notification payload encryption keys are kept only on the user's device ('The encryption key is saved locally on your device, so only you have access to it').

    sparkmailapp.com

    Infrastructure host

    Spark does not run its own servers; it runs on Google Cloud, described by Spark as 'one of the most secure solutions available in the industry.' Google Cloud's own SOC 2/ISO 27001 certification and Data Privacy Framework participation are the host's, not Spark's.

    sparkmailapp.com

    Data minimization / retention

    Encrypted push-notification content is deleted from Spark's servers roughly 4 hours after delivery; scheduled ('Send Later') messages are deleted immediately after sending; payment and support records are retained 6 years.

    sparkmailapp.com

    AI subprocessor

    Spark +AI is powered by Azure OpenAI Service; content is passed to it solely to generate the requested output, is not used for model training, and is not retained by the subprocessor beyond 30 days.

    sparkmailapp.com

    Responsible disclosure

    Spark maintains a public responsible-disclosure/vulnerability-reporting page.

    sparkmailapp.com

    Third-party data sharing

    'Your data is solely used for product optimization and is never shared with third parties.'

    sparkmailapp.com

    // Products & data scope

    Spark Freeconsumer email client

    data: Connects and syncs personal/work IMAP, iCloud, Exchange, Outlook, Yahoo, and Google mail accounts on Spark's infrastructure.

    No AI features, no team collaboration, no admin/security controls.

    Spark Plus / Proprosumer / small-team email client

    data: Same mail sync as Free plus Spark +AI (email drafting/summarization/translation via Azure OpenAI), meeting notes, team collaboration and integrations.

    Introduces the AI subprocessor (Azure OpenAI) into the data flow; Spark states this data is not retained for training.

    Spark for Teams / Enterprisebusiness email collaboration

    data: Adds shared/delegated inboxes, role-based access (Owner/Admin/Member), and, per Spark's own pricing copy, additional 'Security & Controls' and 'SOCII compliance' claims that are not substantiated elsewhere on the vendor's site.

    Custom pricing, contact-sales only; this tier carries the unverified SOC 2 marketing language flagged above.

    // What to watch

    • No SOC 2 report, auditor, or trust center could be found for Spark Mail Limited itself. Spark's own Enterprise pricing page says 'Enhance account security with measures like SOCII compliance,' which reads as a SOC 2 claim, but this is unsupported anywhere else on the vendor's site and contradicts the more careful help-center language that credits Google Cloud (the host) with SOC 2/ISO 27001, not Spark. Recommend not listing SOC 2 as held until Spark provides a report or a real trust center.
    • Identity-conflation risk avoided: trust.spark.re and trust.sparkhq.ai both surfaced in search results for 'Spark trust center' but belong to unrelated companies (a real-estate 'Spark' and 'Spark Systems Inc.' / sparkhq.ai, an energy-permitting AI company). Neither was used as evidence for this vendor (sparkmailapp.com, Spark Mail Limited).
    • Google Cloud's SOC 2/ISO 27001/Data Privacy Framework status is repeatedly cited by Spark as covering its infrastructure; this is the cloud host's certification, correctly attributed by Spark in help-center copy, but AIFOXX should not surface it as 'Spark is SOC 2 / ISO 27001 certified.'
    • HIPAA/BAA availability is undocumented by the vendor; treat Spark as not suitable for PHI workflows.
    • No independent vendor trust center exists (has_trust_center=false); certifications and security claims are scattered across a privacy policy, a help-center article, an AI-specific data page, and marketing pricing copy rather than a single verifiable source.

    // At a glance

    Pricing model

    Freemium: Free tier, then per-seat monthly/annual Plus and Pro tiers (EUR pricing observed), plus a custom-quoted Enterprise tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Spark Mail Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    sparkmailapp.com

    > Browse all vendor trust reports