How we protect user data, ensure secure access, and maintain compliance.
Data Security
• All data is stored in a secure, enterprise-grade backend-as-a-service platform.
• Data is encrypted both at rest and in transit.
• Row-level access controls are enforced for all database tables to ensure strict isolation.
Access Control & Authentication
• Toggles does not store or manage user passwords.
• Authentication is handled via Microsoft Outlook (OAuth / OpenID Connect) or email login.
• Only users who can authenticate through Outlook have access to their Toggles account data.
File Handling & Storage
• Files are stored in isolated organization-specific storage buckets.
• Files are named using randomly generated identifiers to prevent guessing or exposure.
• Access to download files is provided via signed URLs that are short-lived and secure.
Infrastructure Location & Backups
• All systems and data are hosted in the United States.
• Automated daily backups are maintained by our hosting provider.
Data Retention & Deletion
• Files not tied to workflows will be auto-deleted in the future as part of planned cleanup.
• Users can request deletion of their data at any time via support.
• When an account is deleted, all associated data is removed permanently.
Permissions & Scope
• Toggles only operates in the current compose window — no access to inbox, calendar, contacts, or groups.
• Permissions are limited to Microsoft Graph scopes required for composition and file attachment.
Data We Don't Collect
• We do not store or access your emails, contacts, calendar items, or private file storage outside of attachments.
• No cookies or tracking beyond the standard telemetry sent through the Microsoft add-in framework.
Admin Controls & Consent
• Admins can deploy, restrict, or remove Toggles via AppSource and the Microsoft admin portals.
• Users and tenant admins can revoke permissions at any time in the My Apps portal.
Platform Certifications
• Hosted on infrastructure compliant with industry standards (e.g., SOC 2, ISO 27001).
Admin Access & Logging
• Access by any employee must be granted by leadership.
• Data access is granted only as needed for performing job responsibilities.
Third-Party Services
• Stripe is used for payment processing; no credit card data is stored by Toggles.
• Resend is used to send transactional and onboarding emails.
• Microsoft may collect usage analytics via the Office.js Outlook integration.
For Administrators
• No domain-wide access required – Toggles operates on a per-user basis and does not request or require admin consent.
• No ability to read inboxes – The add-in only runs when the user is actively composing or replying to an email. We do not request Mail.Read or similar permissions.
• All user authentication is handled by Microsoft – We rely on OAuth/OpenID via Microsoft Identity, with no password storage or third-party auth layers.
• Data residency – All data and files are stored in the United States.
• Microsoft AppSource Verified – Toggles is listed and approved on the Microsoft AppSource marketplace.