What governance frameworks and privacy laws does AgentMail reference?
AgentMail references GDPR, CCPA/CPRA, and CalOPPA as governance frameworks it aligns with.
What legal policies does AgentMail publish?
AgentMail publishes a Terms of Service, Privacy Policy, and a Data Processing Addendum (DPA).
What security certification has AgentMail achieved and when?
AgentMail achieved SOC 2 Type I certification in July 2025.
What is the status of AgentMail’s SOC 2 Type II audit?
AgentMail reports that its SOC 2 Type II audit is in progress, with completion targeted for Q1 2026.
What encryption standards does AgentMail use in transit?
AgentMail encrypts data in transit using TLS 1.2 or higher.
How does AgentMail protect data at rest?
AgentMail stores data at rest encrypted using industry-standard ciphers.
What backup and retention policies are stated for AgentMail?
AgentMail retains encrypted point-in-time/daily backups for 30 days and retains personal data only as long as necessary per its Privacy Policy.
What information does AgentMail state about data minimization or personal data retention?
AgentMail states personal data is retained only as long as necessary according to its Privacy Policy; no further retention durations are provided beyond backup retention.
How can customers request data export, deletion, or handle GDPR data subject requests?
AgentMail supports data export and deletion in accordance with its Privacy Policy and DPA; customers can initiate data subject requests via the Console or by contacting support/sales for enterprise workflows.
Where can I find AgentMail’s DPA, security whitepapers, and compliance documentation?
AgentMail publishes its Privacy Policy and Data Processing Addendum (DPA) on its website, and additional security and compliance materials (including SOC 2 Type I evidence and enterprise documentation) are available through the sales team or upon request.
What logging, audit trails, and access controls are available for compliance?
AgentMail provides administrative access controls, audit logging, and enterprise-grade identity options (OIDC/SAML SSO, MFA) with expanded audit and reporting features available to enterprise customers for compliance needs.
What authentication and identity controls does AgentMail provide for agent identities?
AgentMail supports custom domains and agent-specific email identities, with built-in SPF/DKIM/DMARC support and API key authentication for access control.
Does AgentMail provide mechanisms for identifying and authenticating agents with third-party applications?
AgentMail documents agent sign-up and receipt of 2FA codes as a use case for identifying and authenticating agents with other applications.
What guardrails and security concerns does AgentMail acknowledge?
AgentMail’s materials note the need for API permissions and agent guardrails to mitigate risks such as impersonation and unwanted automated messaging when deploying autonomous agent inboxes.
How are API keys managed and what controls exist for key rotation and scope?
API keys are created and managed in the Console; customers should rotate keys regularly and use enterprise identity controls (SSO and admin roles) for tighter access management, with further key management options available for enterprise customers.
