Security

Conflu is built so your client data stays yours. Here's exactly what we do — and don't — do with it.

Data we never store

We never store email bodies, subjects, senders, or recipients; calendar event titles or descriptions; contact details; task content; or file and attachment content or filenames. Conflu keeps no copy of your provider data.

Your tokens, protected

The only credentials we hold are the OAuth tokens you grant when you connect an account. They are stored in Google Cloud Secret Manager, encrypted at rest, and never written to our database. Each token is limited to the scopes you approve and can be revoked at any time.

Live pass-through, nothing cached

When your AI client calls Conflu, we authenticate the request, retrieve the relevant token, call the provider — Microsoft Graph or the Google Workspace APIs — in real time, and stream the response straight back. We do not cache, index, or log the contents of provider responses.

Infrastructure and data residency

Conflu runs on Google Cloud Platform with processing in the European Union. Account metadata and usage counters live in Firestore; secrets live in Secret Manager. All data is encrypted in transit (TLS) and at rest.

You control access

You connect each account yourself through the provider's own OAuth consent screen and decide which scopes to grant. You can disconnect any account from your dashboard at any time, which revokes Conflu's access immediately. Deleting your account removes your metadata and stored tokens.

Company and accountability

Conflu is operated by RT Consulting FZE, a Free Zone Establishment licensed by the Fujairah Creative City Free Zone Authority (Licence No. 6160/2015), Twin Towers, P.O. Box 4422, Fujairah, United Arab Emirates. See our Privacy Policy and Terms of Service for full details.

Report a vulnerability

If you believe you've found a security issue, email legal@conflu.xyz with the details. We investigate every report and aim to acknowledge within a reasonable timeframe. Please give us a chance to remediate before any public disclosure.