Data Processing & Security
Azindoo — Operated by Obimanso Technologies (UK-registered company, based in Leeds)
Last Updated: 10 May 2026
This document explains, in operational detail, what data we process, where it lives, who touches it, and how it is protected. It complements our Privacy Policy and forms part of our Data Processing Addendum (DPA) for business customers.
1. Roles
- Controller: You (the Azindoo user / your organisation) decide which mailbox to connect and what to do with the resulting intelligence.
- Processor: Obimanso Technologies (Azindoo) processes the email data on your instructions.
- Sub-Processors: See section 4.
2. Data Categories We Process
| Category | Examples | Source |
| Account data | Name, email, hashed password, team membership | You |
| Authentication tokens | Google OAuth access & refresh tokens (encrypted) | Google, on your authorisation |
| Email content | Subject, cleaned plain-text body (HTML/quotes/signatures stripped, capped at 8 KB), sender, to/cc recipients, timestamps, direction. We do not store HTML, Bcc, Gmail labels, or attachment contents. | Gmail API |
| Derived intelligence | Commitments, emotional scores, summaries, trust edges, alerts, SLA records | Generated by Azindoo |
| Usage / telemetry | IP, browser, feature events, error logs | Your device |
3. Data Flow
- You log into azindoo.com and authorise Gmail via Google OAuth (read-only).
- Our backend (US) calls the Gmail API, downloads recent messages and stores them in our PostgreSQL database (US).
- Selected modules send email content to the Abacus.AI LLM endpoint (US) for analysis.
- Structured outputs are written back to your account in the database.
- You view results in the dashboard at azindoo.com.
- You can disconnect, export, or delete data at any time from Settings › Privacy & Data.
4. Sub-Processors
| Sub-Processor | Function | Location |
| Abacus.AI | Application hosting, managed PostgreSQL, LLM inference | United States (AWS) |
| Amazon Web Services | Underlying compute, storage, network | United States |
| Google LLC | Source data (Gmail API), Google Sign-In | Global (Google-managed) |
5. Technical & Organisational Security Measures
- TLS 1.2+ for all client ↔ server traffic.
- Encryption at rest for database storage and backups.
- OAuth tokens encrypted in the database; never sent to the browser.
- Authentication via NextAuth with hashed passwords (bcrypt) and Google SSO.
- Role-based access control for application-level data.
- Least-privilege production access for engineers, with audit logs.
- Automated dependency vulnerability scanning.
- Incident-response process with notification within 72 hours of a confirmed breach affecting personal data.
6. Data Retention
- Imported emails & derived intelligence: retained while your account is active.
- OAuth tokens: deleted immediately when you disconnect the account.
- Account deletion: full purge from primary database within 7 days; from encrypted backups within 30 days.
- Aggregated, fully anonymised metrics may be retained indefinitely.
7. International Transfers
Data is stored and processed in the United States. For users in the EU, UK, Switzerland or any other jurisdiction, transfers rely on the EU–US / UK / Swiss Data Privacy Framework where the sub-processor is certified, Standard Contractual Clauses where required, and your explicit consent obtained at sign-up.
8. Subject Rights Handling
Subject-access, rectification, erasure, portability and objection requests are handled within 30 days. Most actions are available self-service from Settings › Privacy & Data. For other requests, write to [email protected].
9. Breach Notification
If we confirm a personal-data breach likely to result in risk to your rights and freedoms, we will notify affected customers without undue delay and at most within 72 hours of confirmation, with the information required by GDPR Art. 33 and equivalent laws.
10. Audit & Compliance Roadmap
- SOC 2 Type II — planned within the next 12 months.
- ISO/IEC 27001 — under evaluation.
- Annual third-party penetration test.
- Continuous vulnerability scanning.
11. Contact