Missive was built with privacy as a core principle, not an afterthought. We’re SOC 2 Type II compliant, GDPR compliant, encrypt data at rest and in transit, don’t sell user data, and block read trackers in emails by default. This FAQ answers the questions we hear most often about reliability, privacy, and security.

The short version:

• Missive does not sell user data to third parties, ever.
• All data in our database and cloud storage is encrypted at rest.
• SOC 2 Type II compliant, audited by an independent CPA.
• Fully GDPR compliant, with a published Data Processing Agreement.
• We pass Google’s yearly OAuth API security assessment (required for any service that connects to Gmail or Google Workspace).
• When viewing emails in Missive, read trackers and 1x1 tracking pixels are blocked by default.

Full details live in our privacy policy and security page. Everything below is the plain-language FAQ.

Can Missive access my emails?

Technically yes, the same way Gmail can read your Gmail and Outlook can read your Outlook. Missive imports email via IMAP or OAuth and stores it in our database. That’s the technical foundation of a collaborative inbox: your team can only work on a message together if the message is available to the app.

That said:

• Only a small number of our engineers have database access.
• Our internal tools surface system health signals (volume, performance, errors), not email content.
• We don’t scan, share, or sell user data.
• We only look at a specific user’s content when that user has explicitly asked us to, usually while investigating a bug they reported.

Why is Missive more secure than a shared Gmail or Outlook account?

Most teams that end up on Missive start by sharing passwords to a Gmail or Outlook account, or by setting up a distribution list that forwards to everyone. Both approaches break down on the security side:

• Shared passwords can’t be revoked cleanly. When someone leaves the team, you’re either rotating the password (and re-distributing it to everyone) or accepting that an ex-employee still has access. With Missive, access is per-user. Removing someone instantly cuts their access to every shared inbox they were part of.
• No audit trail. If three people share one Gmail login, you can’t tell who replied to which message, who deleted what, or who opened which attachment. Missive logs every action per user, with timestamps.

The short version: Missive doesn’t replace Gmail or Outlook as your mail server, your email still lives there. Missive adds an access layer designed for teams on top, which is more auditable and more revocable than sharing credentials.

Does Missive use my email content to train AI?

No. Missive does not train models on your data.

If you turn on Missive’s AI assistant or AI rules, the relevant content is sent to the AI provider you picked (OpenAI, Anthropic, or Google). Each provider has its own policy, but the pattern is consistent:

• OpenAI: does not train on API inputs unless you explicitly opt in. Prompts and responses retained for up to 30 days for abuse monitoring, then deleted.
• Anthropic: does not train on API inputs or outputs by default. Same 30-day safety retention.
• Google Gemini: same default for the paid API tier.

This is true whether you pay Missive for AI credits or bring your own API key (BYOK). BYOK also unlocks provider-side controls like OpenAI’s EU data residency for teams that need it. More detail in our AI overview docs.

Can senders see when I open their emails?

No. Missive blocks read trackers and 1x1 tracking pixels by default, so senders can’t tell whether you opened their message. You can even build rules on the “contains read trackers” condition, handy for auto-routing marketing email.

Where does Missive store my data?

Missive runs on Amazon Web Services (US East 1 region, Northern Virginia) for application hosting, with Crunchy Bridge for managed Postgres databases. Both are compliant with major security certifications and publish their security practices publicly.

If you need to allowlist our IP ranges on your mail server, AWS publishes the current list at https://ip-ranges.amazonaws.com/ip-ranges.json.

Is Missive SOC 2 compliant?

Yes. Missive has SOC 2 Type II compliance, audited by an independent third-party CPA based in California. Type II (as opposed to Type I) confirms that our security controls are both well-designed and consistently effective over time, not just a point-in-time snapshot.

The SOC 2 report is available on request. Email security@missiveapp.com to get a copy.

Is Missive GDPR compliant?

Yes. Missive is fully compliant with the EU’s General Data Protection Regulation. You can request a Data Processing Agreement and see the full list of subprocessors on our GDPR page.

Is Missive HIPAA compliant?

No. Missive is not HIPAA compliant and we don’t sign Business Associate Agreements (BAAs). If you work with Protected Health Information (PHI) and need a HIPAA-compliant email tool, Missive isn’t the right fit.

Is Missive PCI DSS compliant?

Missive itself doesn’t store or process payment card data. All payment processing for Missive subscriptions is handled by Stripe, which is certified as a PCI DSS Level 1 Service Provider. We don’t store or even relay card numbers through our infrastructure, so PCI scope sits with Stripe.

Does Missive support SSO and two-factor authentication?

Yes, both.

• Two-factor authentication (2FA) is available on every plan, Free included. Set it up in Settings > Login & Security using any TOTP app (Authy, Google Authenticator, 1Password, etc.).
• SAML SSO is available on the Business plan and works with any SAML 2.0 identity provider (Okta, Azure AD, Google Workspace, OneLogin, and so on).
• SSO enforcement lets admins require every user in the org to authenticate through your IdP, which is how most compliance programs expect centralized access to work.

Will Missive still be around in a few years?

Almost certainly yes. Missive has been running since 2015, is fully bootstrapped (no VC funding), profitable, and independently owned by the original founding team. Over 5,000 teams use Missive daily, across logistics, legal, real estate, professional services, and more.

No investor whims, no forced-sale pressure. We move at the pace that makes the product better.

Do you sell or share user data?

We do not sell user data, to anyone, ever. That’s the hard line. We do share a limited set of operational data with a small number of subprocessors (things like our email delivery provider, payment processor, and error reporting service), and those are all listed publicly on the GDPR page.

Can I export my data?

Yes. Go to Settings > Login & Security and request an export. You get:

• Conversations: every message (email, SMS, etc.), comment, assignment, and timestamp, in .json per organization.
• Comments: every internal chat comment you have access to, in .csv per organization.
• Contacts: every contact from every contact book you can access, in .csv per book.
• Email addresses and phone numbers: every From/To/Cc field across messages you can access, in .csv.
• Canned responses: in .html with attachments.
• Rules: in .csv per organization.

Missive delivers the export as a conversation in your inbox when it’s ready.

How do I delete my account and all my data?

Heads up: this can’t be undone. The full steps are documented here, and the short version is:

1. Go to Settings > Accounts, delete each connected account (email, SMS, etc.) via Delete account.
2. Go to Settings > Calendars, delete each connected calendar.
3. Go to Settings > Integrations, delete each integration (Asana, Todoist, etc.).
4. Go to Settings > Organizations. If you own one, delete it. If you’re a member, an admin needs to remove you.
5. Go to Settings > Login & Security (you may need to re-enter your password or confirm with Google or Apple).
6. Scroll to Delete account and click Delete.
7. Confirm in the popup.

You’ll be logged out immediately. Within 30 days, every trace of your Missive data and activity is permanently deleted from our database, cloud storage, backups, and logs. This process satisfies Article 17 of GDPR (the right to erasure).

If you just want to stop paying but keep access, go to Settings > Billing and switch to the Free plan instead.

Who do I contact with more questions?

• Privacy questions: privacy@missiveapp.com
• Security questions: security@missiveapp.com
• Security researchers reporting vulnerabilities: see our vulnerability disclosure program.

Missive is the collaborative email client for teams that treat inbox hygiene as a team sport. Start a free account at missiveapp.com.