Security

Security at Delegate

Your data security is our top priority. We've built Delegate from the ground up with encryption, access controls, and privacy protections so you can work confidently.

Our Commitment

Security is a first-class feature

We treat security not as an afterthought but as a fundamental property of everything we build. Your workspace contains sensitive emails, tasks, and business data — that responsibility shapes every architectural decision we make.

Delegate uses industry-standard encryption in transit and at rest, OAuth 2.0 for authentication, role-based access controls, and a self-host option that gives you complete data sovereignty.

  • AES-256: Encryption at Rest (database-level encryption)
  • TLS 1.3: Encryption in Transit (all connections secured)
  • OAuth 2.0: Authentication (Google OAuth + JWT)
  • RBAC: Access Control (workspace role enforcement)

Protection layers

Built-in security features

Multiple layers of protection work together to keep your workspace and your data safe.

Encryption at Rest

All data stored in PostgreSQL is encrypted at the volume level using AES-256. Your emails, tasks, and workspace data are never stored in plaintext on disk.

Encryption in Transit

Every connection between your browser, the Delegate server, and third-party APIs is secured with TLS 1.3. We enforce HTTPS everywhere — no plain HTTP fallbacks.

OAuth 2.0 Authentication

Delegate authenticates users via Google OAuth 2.0 and issues short-lived JWT sessions. We never store plaintext passwords — credentials-based accounts use bcrypt hashing.

Role-Based Access Control

Every workspace enforces four roles: Owner, Admin, Member, and Viewer. API routes check session ownership before touching any workspace resource — no cross-tenant data leaks.

Audit Logging

Admin actions including impersonation, plan changes, and billing operations are logged with actor identity, timestamp, and affected resource for full traceability.

Self-Host Option

Deploy Delegate on your own infrastructure using Docker Compose. Your data never leaves your environment — full data sovereignty with no dependency on our cloud.

Infrastructure

A secure foundation from the ground up

Delegate runs on Next.js 14 with a standalone output, backed by PostgreSQL 16 via Prisma ORM. The architecture is cloud-agnostic — deployable on any major cloud provider or on-premises without modifying a single line of application code.

  • PostgreSQL 16: Battle-tested relational database with row-level security and volume encryption. No proprietary lock-in.
  • Next.js standalone output: Self-contained server bundle with no unnecessary dependencies included at runtime.
  • Cloud-agnostic deployment: Deploy on AWS, GCP, Azure, Fly.io, Render, or your own bare-metal server using the same Docker Compose file.
  • Environment-based secrets: All credentials and API keys are injected via environment variables — nothing sensitive is baked into the image.

Data handling

How we handle your data

Transparency about what data we process and how it is used is a core part of our security posture.

What data we process

  • Email metadata and body (Gmail API, OAuth-scoped per user)
  • Calendar events and meeting data
  • Tasks, comments, and workspace content you create
  • Google Drive file metadata (not file content by default)
  • Authentication tokens stored per-user in the database

AI and your data

  • Your data is never used to train AI models
  • AI analysis is performed per-request, not stored indefinitely
  • You choose which AI provider processes your data
  • Self-hosted deployments can use local models with zero data egress
  • AI suggestions require your explicit approval before any action is taken

Data retention

  • Workspace data is retained for the life of your account
  • Deleted items are removed from the database immediately
  • OAuth refresh tokens are rotated on each session
  • Self-hosted users control their own backup and retention policies
  • You can export or delete all your data at any time

Compliance

Built for regulatory alignment

Delegate is architected with GDPR principles in mind — lawful processing, data minimisation, and the right to erasure are built into the data model, not patched on afterward.

SOC 2 Type II certification is in progress. Self-hosted deployments allow enterprise customers to satisfy internal compliance requirements without any data leaving their infrastructure.

  • GDPR-aligned architecture: Data minimisation, consent tracking, and right-to-erasure are supported by the Prisma schema and API layer.
  • SOC 2 Type II — in progress: We are actively pursuing SOC 2 certification. Security controls are documented and under continuous monitoring.
  • Audit trail: Admin operations and impersonation sessions are logged with actor, timestamp, and resource for compliance reporting.
  • Self-host for full control: Organisations with strict data residency requirements can deploy Delegate entirely within their own environment.

Responsible disclosure

Found a vulnerability?

We take all security reports seriously. If you discover a potential security issue in Delegate — whether it's the hosted product or the open-source codebase — please report it privately so we can address it before any public disclosure.

How to report

Email your findings to security@delegate.ws with a description of the vulnerability, steps to reproduce, and the potential impact.

Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and ship a fix — typically within 90 days of the initial report.

We will acknowledge your report within 48 hours and keep you updated throughout the remediation process. We credit researchers who report valid vulnerabilities in our release notes.


Questions about security? We're here to help.

Reach out with any questions about our security practices, compliance posture, or self-hosting options.
