Security

Last updated: May 27, 2026

Security is a core design principle at OutReach — not an afterthought. Here's an overview of the measures we take to protect your data and your connected mailboxes.

OAuth-only authentication

We never store passwords. Sign-in is exclusively through Google OAuth and Microsoft OAuth. Your credentials never touch our servers.

Tokens encrypted at rest

All OAuth access and refresh tokens are encrypted using AES-256-GCM with a unique IV per token before being stored in the database.

TLS everywhere

All data in transit is encrypted using TLS 1.2 or higher — between your browser and our servers, and between our services.

Minimal scopes

We request only the Gmail and Microsoft Graph scopes needed to operate the service. We do not request access to your full Google account or Drive.

Multi-tenant isolation

Every database query is scoped to your organization ID. Data from one workspace can never be accessed by another.

Responsible disclosure

We take security reports seriously and respond within 48 hours. Researchers who report vulnerabilities in good faith will not face legal action.

Authentication

OutReach uses Better Auth for session management. Authentication is handled exclusively through Google OAuth 2.0 and Microsoft OAuth 2.0 — we have no email/password authentication path. Sessions are stored as secure, HttpOnly cookies.

Mailbox Token Security

When you connect a Gmail or Outlook mailbox, the OAuth access token and refresh token are immediately encrypted using AES-256-GCM before being written to our database. The encryption key is stored separately from the database and is never logged. Tokens are decrypted in memory only when needed to make an API call and are never returned to the client.

You can revoke OutReach's access to your mailbox at any time by disconnecting it in the app (Settings → Mailboxes) or directly through your Google Account or Microsoft Account security settings.

Data Isolation

OutReach is a multi-tenant platform. Every tRPC procedure enforces organization membership before accessing any data — there is no path through which one user's data can be accessed by another organization. Prospect lists, campaigns, mailboxes, and replies are all scoped to a single organization ID at the database query level.

Infrastructure

OutReach runs on cloud infrastructure with the following practices:

  • Encrypted volumes for database and object storage
  • Private networking between services (database and Redis are not publicly exposed)
  • Automated backups with point-in-time recovery
  • Environment secrets managed via secrets manager, not in code or environment files
  • Dependency vulnerability scanning on every CI build

Google API Limited Use Compliance

OutReach's use of Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Gmail data to provide and improve the OutReach features you use
  • We do not use Gmail data to serve advertisements
  • We do not allow humans to read your Gmail data unless you explicitly share it with us for support purposes
  • We do not transfer Gmail data to third parties except as necessary to provide the service, with your consent, or as required by law

Responsible Disclosure

If you discover a security vulnerability in OutReach, please report it to us privately at security@outreach.io before disclosing it publicly. Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or a proof of concept
  • Your contact information

We commit to acknowledging your report within 48 hours and providing a substantive response within 5 business days. We will not take legal action against researchers who report vulnerabilities in good faith and comply with this policy.

Contact

Security issues: security@outreach.io
General data questions: privacy@outreach.io