Built for the most cautious operator.

ISURA never sees your password. You authorize the connection on your provider's own page (Google or Microsoft) and we receive a scoped, revocable token in return. The same standard your bank, calendar, and operating system use.

OAuth tokens are stored encrypted at rest using AES-256, isolated per workspace, and rotated automatically. Tokens are never logged or exposed to client code. Refresh failures are handled silently — you simply re-authorize when needed.

You can run ISURA in pure read-only mode at any time. In this mode, ISURA can analyze and surface — but cannot draft, queue, or send. Approval-based mode adds drafting, but every send still requires an explicit click from you.

Hosted on a hardened cloud with edge runtimes for compute, a managed Postgres database for storage, and TLS 1.3 across all traffic. Production access is multi-factor, audited, and limited to a small number of named engineers. Backups are encrypted and tested.

Disconnect ISURA from inside the product or from your provider's security settings. We revoke tokens immediately, stop all background processing, and purge stored analysis artifacts within 24 hours.

If you believe you've found a security issue, please tell us privately first. We respond within 48 hours and credit researchers who follow good-faith disclosure.

Contact: security@isura.tech