Security & Privacy

We take your data security extremely seriously. Shortwave is designed from the ground up to securely handle your most sensitive business data including important emails, attachments, and more.

Before Shortwave, our engineering team built high security, high reliability data systems at Google Cloud. We have a lot of experience building and operating cloud products that handle mission-critical data.

Securely stored in Google Cloud

All Shortwave data is stored in Google Cloud’s highly secure & compliant data centers. Stored data is encrypted at rest using AES256 and encrypted in transit using TLS 1.2+. We employ a “defense in depth” philosophy where every system is protected by multiple layers of security, including at the network, service, and application levels.

Google verification & annual audit

Shortwave has been reviewed by a third-party security auditor to ensure it complies with Google's API Services User Data Policy, including its guidelines for sensitive data and its Additional Requirements for Specific Scopes. Shortwave’s app is also approved for listing in the Google Workspace Marketplace.

To maintain this verification, Shortwave undergoes an annual security audit.

Google Advanced Protection

Shortwave works with Google’s Advanced Protection program. You can authorize Shortwave for your organization by following the instructions here.


No customer data is ever shared with other parties except as necessary to provide our service, and we keep both the sub-processors we use and the data we send to them to an absolute minimum. Currently, besides Google Cloud, we only use OpenAI and Pinecone.

The vast majority of our AI workloads use open source models that run on hardware we control.

No third-party LLM training

Your data will never be used to train third-party LLMs.

Audit logging

Access to customer data is very tightly controlled internally and all access is audit logged to ensure compliance. No customer data is ever accessed by an employee without explicit customer permission. All employee data access requires multi-factor authentication using hardware security keys.

SOC 2 Type II & GDPR compliance

If your organization requires SOC 2 Type II or GDPR compliance, please contact our sales team at

Deleting your account & data

If at any time you wish to delete your account and all associated data, you can do so by following the instructions here.

Privacy Policy & Terms of Service

For additional information about our privacy practices and terms of use read our Privacy Policy and Terms of Service.