AgentMailr is now Lumbox. Same product, new name. Learn more →
Trust // Security

Security at Lumbox.

Your agents route real inboxes, OTP codes, and stored passwords through Lumbox. That is sensitive, and we treat it that way. This page is a plain-language summary of how we protect it.

Infrastructure and data residency

The API and mail server run on dedicated Hetzner hardware in Germany. The database is hosted on Neon (US). The dashboard runs on Vercel, and this site is served by Cloudflare. Each component is isolated, and access to production is restricted.

Encryption

All data is encrypted in transit with TLS. Sensitive fields at rest, including SMTP passwords, stored AI API keys, and the credential vault, are encrypted with AES-256-GCM.

The credential vault uses envelope encryption with a separate key per organization. We cannot read what you store. Even with database access, your credentials stay sealed under a key scoped to your organization.

API keys

API keys are hashed with SHA-256 before storage. We never keep the plaintext, which means we cannot recover a key after it is created and a database leak cannot expose usable keys. Rotate or revoke keys at any time from the dashboard.

Browser isolation

Browser automation runs in isolated containers (Steel Browser). Page content, cookies, and screenshots are ephemeral and are not stored permanently unless you explicitly save session state. One agent session cannot see another.

Email handling

Inbound email is parsed to extract OTP codes, links, and categories. Attachment text is sanitized for prompt injection before it is ever returned to an agent, so a malicious email cannot quietly hijack the model reading it. Each agent gets its own inbox, with no shared mailboxes and no cross-contamination between agents.

Data retention and deletion

Email is retained only while its inbox exists. Delete an inbox and every associated email and attachment is permanently deleted. Delete your account and all data is permanently removed within 30 days. You can export your data through the API at any time.

What we do not do

  • block We do not sell your data.
  • block We do not use your email content to train AI models.
  • block We do not run ads or tracking cookies on this site.
  • block We do not see or store your card number. Payments run through Dodo Payments.

Self-hosting

If your security posture requires full control of the data path, Lumbox is self-hostable. Run the entire stack on your own infrastructure, including a single $5 server, and no email ever leaves your environment.

Compliance

Lumbox is an early-stage product and is not yet SOC 2 certified. We are happy to walk through our architecture and complete security questionnaires for teams evaluating production use. Reach out and we will answer directly.

Responsible disclosure

Found a vulnerability? Email support@lumbox.co with the details and steps to reproduce. We will acknowledge your report, keep you updated on the fix, and credit you if you would like. Please give us a reasonable window to remediate before any public disclosure.

Deploy your agent inbox → Read the privacy policy