Security at Spinstack

How we protect your data and connected accounts

Spinstack is built around email — which means trust is everything. This page explains how we handle your credentials, protect your data, and give you control over what our agents can do on your behalf.

Authentication via OAuth

When you connect your email account (Gmail, Outlook, or another provider), Spinstack uses OAuth, the industry-standard authorization protocol. This means:

  • Spinstack never sees or stores your password. You authenticate directly with your email provider (Google, Microsoft, etc.), which issues a scoped access token.
  • You choose exactly what permissions to grant. Spinstack only requests the scopes needed for the features you use.
  • You can revoke access at any time through your provider's account settings (e.g. Google Security → Third-party apps).

Credential Storage

OAuth tokens are managed by Composio, a SOC 2-compliant third-party integration platform. Spinstack does not store raw OAuth tokens in its own database. Composio handles token storage, refresh, and rotation following security best practices.

Email Sending Controls

One of the most common concerns is whether Spinstack will send emails on your behalf without your knowledge. Here's how we handle this:

  • Draft approval by default. When a scheduled agent needs to send an email to a third party (a lead, client, contact, etc.), the platform automatically converts the send into a draft for you to review.
  • You receive a notification email with the draft content. You can approve, edit, or skip each draft before anything is sent.
  • This applies to every scheduled run — no email leaves your account without your explicit approval.
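The draft-approval flow described above, sketched as an added example (not Spinstack's own code): an agent's request to mail a third party is parked as a draft with an approval token that travels out of band, and only the owner's approve, edit or skip decision moves it on. Letting owner-addressed mail bypass review is an assumption of the example.

```python
from dataclasses import dataclass, field
from enum import Enum
import secrets

class Status(Enum):
    PENDING = "pending"    # waiting for the owner's decision
    APPROVED = "approved"  # owner approved; handed to the provider
    SKIPPED = "skipped"    # owner declined; never sent

@dataclass
class Draft:
    to: str
    subject: str
    body: str
    status: Status = Status.PENDING
    # Token travels out of band (notification email): an agent run cannot approve its own draft.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

class SendGate:
    def __init__(self, owner: str):
        self.owner = owner.lower()
        self.pending: dict = {}  # token -> Draft awaiting the owner's review
        self.sent: list = []     # stands in for the provider's send API

    def request_send(self, to: str, subject: str, body: str) -> Draft:
        d = Draft(to, subject, body)
        if to.lower() == self.owner:
            # Assumption: owner-addressed mail (e.g. a run report) skips review.
            d.status = Status.APPROVED
            self.sent.append(d)
        else:
            self.pending[d.token] = d   # third-party mail never leaves here
        return d

    def approve(self, token: str, edited_body=None) -> bool:
        d = self.pending.pop(token, None)  # unknown or already-decided token
        if d is None:
            return False
        if edited_body is not None:        # owner edited the draft first
            d.body = edited_body
        d.status = Status.APPROVED
        self.sent.append(d)
        return True

    def skip(self, token: str) -> bool:
        d = self.pending.pop(token, None)
        if d is None:
            return False
        d.status = Status.SKIPPED
        return True
```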

What Data Is Accessed

  • Discover (inbox scan): When you opt into the Discover feature, Spinstack reads your inbox once to understand your work and suggest useful automations. This scan is read-only and runs one time, and the raw email data is not stored.
  • Deployed automations: Once an agent is deployed, only the specific actions your agent is configured to perform are executed — nothing more. Each tool call uses the scoped permissions you granted during setup.

Data Encryption

  • In transit: All communication between your browser, Spinstack's servers, and third-party services is encrypted via TLS.
  • At rest: Our database is hosted on Supabase with encryption at rest enabled. Backups are encrypted.

Disconnect Anytime

You can revoke Spinstack's access to your connected accounts at any time:

  • Through your email provider's security settings (Google, Microsoft, etc.)
  • By emailing build@spinstackagent.dev and asking us to disconnect your account

Questions?

If you have any questions about our security practices, reach out at build@spinstackagent.dev or visit our contact page.

For full details, see our Privacy Policy and Terms of Service.