Encryption at rest and in transit

All data is encrypted both in transit and at rest:

  • In transit: Data is encrypted using TLS 1.2 or higher. All connections to our backend (hosted on Vercel) are secured via HTTPS.
  • At rest: We use Supabase, hosted on AWS (us-west-1), which encrypts data at rest using AES-256 encryption.

Subprocessors

We rely on third-party service providers (subprocessors) to help deliver FirstQuadrant functionality. These providers may have access to limited customer data in accordance with their role.

Certifications

We do not currently hold any certifications such as SOC 2 or ISO 27001. However, we follow modern security best practices and are actively evaluating certification options.

Incident response and breach notification

We continuously monitor our systems for suspicious activity and security breaches. If a data breach is confirmed, we will notify affected customers without undue delay — and always within 72 hours, in accordance with GDPR requirements.

Data retention and deletion

What happens after account closure?

  1. One week after an account is closed, we initiate a deletion process.
  2. A soft delete is applied in our primary database (Supabase). This hides the data from the application and internal workflows, but the data technically remains available for recovery if needed (e.g. accidental closure).
  3. Encrypted backups, which may contain soft-deleted data, are retained for 7 days. After this window, all backup data is permanently deleted.
  4. We are working on implementing automatic permanent deletion of soft-deleted data in our primary database after the 7-day backup window. Until then, full manual deletion is available on request.

If you’d like your data fully and permanently deleted sooner, please contact our support team.

Data residency and EU compliance

We understand the importance of complying with UK/EU data residency requirements.

  • Our core infrastructure is hosted in the US, but we configure our systems to limit data access in line with GDPR.
  • We have not set up a separate EU-region application and do not currently offer EU-only routing.

If your compliance needs require UK/EU-only routing for Nylas, please reach out to discuss alternatives or custom options.


If you have any further privacy or data questions, please contact our support team or your customer success manager.