This article outlines FirstQuadrant’s data privacy and security practices, including encryption, data retention, subprocessors, breach response, and data residency.
We rely on third-party service providers (subprocessors) to help deliver FirstQuadrant functionality. These providers may have access to limited customer data in accordance with their role.
We do not currently hold any certifications such as SOC 2 or ISO 27001. However, we follow modern security best practices and are actively evaluating certification options.
We continuously monitor our systems for suspicious activity and security breaches. If a data breach is confirmed, we will notify affected customers without undue delay — and always within 72 hours, in accordance with GDPR requirements.
One week after an account is closed, we initiate a deletion process.
A soft delete is applied in our primary database (Supabase). This hides the data from the application and internal workflows, but it technically remains available for recovery if needed (e.g. accidental closure).
Encrypted backups, which may contain soft-deleted data, are retained for 7 days. After this window, all backup data is permanently deleted.
We are working on implementing automatic permanent deletion of soft-deleted data in our primary database after the 7-day backup window. Until then, full manual deletion is available on request.
If you’d like your data fully and permanently deleted sooner, please contact our support team.
We understand the importance of complying with UK/EU data residency requirements.
Our core infrastructure is hosted in the US, but we configure our systems to limit data access in line with GDPR.
We have not set up a separate EU-region application and do not currently offer EU-only routing.
If your compliance needs require UK/EU-only routing for Nylas, please reach out to discuss alternatives or custom options.
If you have any further privacy or data questions, please contact our support team or your customer success manager.