Security & Privacy

We take your data security extremely seriously. Shortwave is designed from the ground up to securely handle your most sensitive business data including important emails, attachments, and more.

Before Shortwave, our engineering team built high security, high reliability data systems at Google Cloud. We have a lot of experience building and operating cloud products that handle mission-critical data.

CASA Tier 2 compliance & annual audit

Shortwave has been reviewed by third-party security auditors to ensure it complies with strict security requirements. To maintain this verification, Shortwave undergoes an annual security audit. You can read more about CASA (Cloud Application Security Assessment) here.

Google verification

Shortwave has been approved by Google and is compliant with Google's API Services User Data Policy, including its guidelines for sensitive data and its Additional Requirements for Specific Scopes. Shortwave’s app is also approved for listing in the Google Workspace Marketplace.

Google Advanced Protection

Shortwave works with Google’s Advanced Protection program. You can authorize Shortwave for your organization by following the instructions here.

All data securely stored in Google Cloud

All Shortwave data is stored in Google Cloud’s highly secure & compliant data centers. Stored data is encrypted at rest using AES256 and encrypted in transit using TLS 1.2+. We employ a “defense in depth” philosophy where every system is protected by multiple layers of security, including at the network, service, and application levels.

Sub-processors

No customer data is ever shared with other parties except as necessary to provide our service, and we keep both the sub-processors we use and the data we send to them to an absolute minimum. Currently, besides Google Cloud, we only use OpenAI, Anthropic, and Pinecone.

The vast majority of our AI workloads use open source models that run on hardware we control.

No third-party LLM training

Your data will never be used to train third-party LLMs.

Audit logging

Access to customer data is very tightly controlled internally and all access is audit logged to ensure compliance. No customer data is ever accessed by an employee without explicit customer permission. All employee data access requires multi-factor authentication using hardware security keys.

SOC 2 Type II & GDPR compliance

If your organization requires SOC 2 Type II or GDPR compliance, please contact our team at support@shortwave.com.

Deleting your account & data

If at any time you wish to delete your account and all associated data, you can do so by following the instructions here.

Privacy Policy & Terms of Service

For additional information about our privacy practices and terms of use read our Privacy Policy and Terms of Service.

Frequently asked questions

Does Shortwave read my emails?

Shortwave processes your emails to provide features like search, threading, labeling, and the AI assistant. Your email content is never used to train third-party AI models and is never shared with anyone outside the sub-processors listed above (Google Cloud, OpenAI, Anthropic, and Pinecone).

Does Shortwave overwrite or modify my Gmail?

Shortwave syncs with Gmail but does not overwrite your emails. Actions you take in Shortwave (archive, label, delete) are reflected in Gmail, just as they would be from any email client. Your original email content is never modified.

If you stop using Shortwave, your Gmail inbox remains exactly as you left it.

Does Shortwave support SPF, DKIM, and DMARC?

Shortwave sends emails through Gmail's servers, so your existing SPF, DKIM, and DMARC records for your domain apply automatically. You do not need to add any additional DNS records for Shortwave.

If you're using a "Send mail as" alias with a non-Gmail provider, your SMTP provider's authentication settings apply instead. See Use Shortwave with other email providers for details.