Security & Privacy
How Micro protects your data, handles AI, and keeps your information safe.
Overview
Micro is built for founders and investors who share sensitive information — deal flow, fundraising conversations, hiring decisions, and more. Security and privacy are foundational to how we build the product.
Authentication
Micro uses Clerk for authentication. You can sign in with Google or email; Micro stores no passwords.
- Session security — Session cookies are set with the HttpOnly and Secure flags and SameSite=Strict, so they are unreadable from page scripts, never sent over plain HTTP, and not attached to cross-site requests.
- Google OAuth — Used to connect Gmail and Google Calendar. OAuth tokens are kept in encrypted storage, separate from your main data.
- Security headers — All API responses carry industry-standard security headers set by Helmet.
Encryption
- In transit — All traffic is encrypted with TLS (HTTPS). Plain HTTP connections are automatically upgraded to HTTPS.
- At rest — All data is encrypted at rest using AWS default encryption (AES-256) across databases, file storage, and token storage.
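The session-cookie flags and Helmet headers listed under Authentication, and the HTTP-to-HTTPS upgrade under Encryption, are all visible in an HTTP response, so they can be verified without access to the server. The following is an added example, not Micro's code: it parses a Set-Cookie header and a response header map (both constructed samples, not captured from Micro) and reports anything that falls short of the policy described above. The cookie name `__session`, the 180-day HSTS threshold and the exact header set checked are assumptions; Helmet's defaults include these headers but the values below are not taken from Micro's configuration.

```javascript
// Added example (not Micro's code): check a Set-Cookie header and a response
// header map against the session and transport protections described on this page.

// Parse a Set-Cookie header value into { name, value, attrs }. Attribute names are
// lowercased; flag attributes such as HttpOnly map to true.
function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? "" : nameValue.slice(eq + 1);
  const attrs = {};
  for (const p of rest) {
    const i = p.indexOf("=");
    if (i === -1) attrs[p.toLowerCase()] = true;
    else attrs[p.slice(0, i).toLowerCase()] = p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Findings for a session cookie; an empty list means HttpOnly + Secure + SameSite=Strict.
function sessionCookieFindings(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push(`${name}: missing HttpOnly (readable by page scripts)`);
  if (!attrs.secure) findings.push(`${name}: missing Secure (would be sent over plain HTTP)`);
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (sameSite !== "strict") findings.push(`${name}: SameSite is ${sameSite || "unset"}, expected Strict`);
  return findings;
}

// HSTS is what makes browsers upgrade later plain-HTTP visits to HTTPS on their own.
// 180 days is an assumed minimum; pick the threshold your policy requires.
const MIN_HSTS_MAX_AGE = 180 * 24 * 60 * 60;
function hstsOk(v) {
  const m = /max-age=(\d+)/i.exec(v);
  return m !== null && Number(m[1]) >= MIN_HSTS_MAX_AGE;
}

// Headers an API response is expected to carry, with a predicate for an acceptable value.
const EXPECTED_HEADERS = {
  "strict-transport-security": hstsOk,
  "x-content-type-options": (v) => v.toLowerCase() === "nosniff",
  "x-frame-options": (v) => ["deny", "sameorigin"].includes(v.toLowerCase()),
  "referrer-policy": (v) => v.length > 0,
  "content-security-policy": (v) => /default-src\s+'self'/i.test(v),
};

// `headers` is an object keyed by lowercase header name, as Node's http module returns it.
function headerFindings(headers) {
  const findings = [];
  for (const [name, ok] of Object.entries(EXPECTED_HEADERS)) {
    const v = headers[name];
    if (v === undefined) findings.push(`missing ${name}`);
    else if (!ok(v)) findings.push(`weak ${name}: ${v}`);
  }
  if ("x-powered-by" in headers) findings.push("x-powered-by present (server framework disclosed)");
  return findings;
}

// Constructed samples: one response matching the policy, one that does not.
const GOOD_COOKIE = "__session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict";
const BAD_COOKIE = "__session=abc123; Path=/; SameSite=Lax";
const GOOD_HEADERS = {
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "x-frame-options": "SAMEORIGIN",
  "referrer-policy": "no-referrer",
  "content-security-policy": "default-src 'self'; base-uri 'self'; frame-ancestors 'self'",
};
const WEAK_HEADERS = { "strict-transport-security": "max-age=60", "x-powered-by": "Express" };

console.log("good cookie:", sessionCookieFindings(GOOD_COOKIE));
console.log("bad cookie:", sessionCookieFindings(BAD_COOKIE));
console.log("good headers:", headerFindings(GOOD_HEADERS));
console.log("weak headers:", headerFindings(WEAK_HEADERS));
```

To run it against a live endpoint, feed `res.headers["set-cookie"]` entries to `sessionCookieFindings` and `res.headers` to `headerFindings` after a request with Node's `https` module; note that SameSite=Strict also means the cookie is absent on a top-level navigation from another site, which is the intended trade-off for a session token.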
Infrastructure
All Micro infrastructure runs on Amazon Web Services (AWS):
- Database — PostgreSQL on AWS RDS with automated backups
- File storage — AWS S3 for files and email data
- Token storage — AWS DynamoDB for OAuth credentials (isolated from main database)
- Job processing — AWS SQS for background tasks
- Region — US-based infrastructure
Email Privacy
Email body content is never shared with your teammates. You control what metadata is visible through per-account sharing settings in Settings → Connected Accounts:
| Setting | What teammates see |
|---|---|
| Subject line and metadata | Subject, participants, timestamps (default) |
| Metadata only | Participants and timestamps only |
| Private | Nothing — email activity is fully hidden |
Contact Blocklist
You can block specific email addresses or domains from appearing in Micro. This is useful for:
- Personal contacts you don’t want visible to teammates
- Sensitive or regulated relationships (HIPAA, GDPR, investor confidentiality)
- Competitor domains you want to exclude
Access it from Settings → Connected Accounts → [your account] → Blocklist.
Two modes:
| Mode | Behavior |
|---|---|
| Private | Contact hidden from teammates, still visible to you |
| Blocked | Contact hidden from everyone, including you |
Patterns can be a full email address (john@example.com) or a bare domain (competitor.com). A domain pattern applies to every contact at that domain, hidden or blocked according to the mode chosen.
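The two pattern kinds and two modes above are easy to get subtly wrong when implemented as a substring match. The following is an added example, not Micro's code: a small filter that applies the blocklist semantics described on this page. The pattern syntax, the Private/Blocked modes and the owner/teammate distinction come from the page; everything else is assumption, including that matching is case-insensitive, that a domain pattern also covers its subdomains (the safer direction for a privacy control), and that an address that cannot be parsed is left visible. The sample rules and contacts are constructed.

```javascript
// Added example (not Micro's code): blocklist matching with Private and Blocked modes.

// Split an address into lowercase local part and domain; null if it is not a single user@domain.
function parseAddress(addr) {
  const s = String(addr).trim().toLowerCase();
  const at = s.lastIndexOf("@");
  if (at <= 0 || at === s.length - 1 || s.indexOf("@") !== at) return null;
  return { local: s.slice(0, at), domain: s.slice(at + 1) };
}

// A rule is { pattern, mode } where mode is "private" or "blocked".
// Full-address patterns match exactly; domain patterns match the part after "@".
// No substring matching: "competitor.com" must not catch "notcompetitor.com".
// Subdomains (sub.competitor.com) are matched by assumption, erring toward hiding.
function ruleMatches(rule, address) {
  const parsed = parseAddress(address);
  if (!parsed) return false; // unparsable address: assumed visible (see lead-in)
  const pattern = rule.pattern.trim().toLowerCase();
  if (pattern.includes("@")) {
    const p = parseAddress(pattern);
    return p !== null && p.local === parsed.local && p.domain === parsed.domain;
  }
  return parsed.domain === pattern || parsed.domain.endsWith("." + pattern);
}

// The strongest matching mode wins: blocked > private > none.
function effectiveMode(rules, address) {
  let mode = null;
  for (const r of rules) {
    if (!ruleMatches(r, address)) continue;
    if (r.mode === "blocked") return "blocked";
    if (r.mode === "private") mode = "private";
  }
  return mode;
}

// Whether `viewer` may see `contact` in the connected account owned by `owner`.
// Private: owner only. Blocked: nobody, the owner included (as the table above states).
function contactVisible({ contact, rules, owner, viewer }) {
  const mode = effectiveMode(rules, contact);
  if (mode === "blocked") return false;
  if (mode === "private") return viewer === owner;
  return true;
}

function visibleContacts(contacts, rules, owner, viewer) {
  return contacts.filter((contact) => contactVisible({ contact, rules, owner, viewer }));
}

// Constructed sample data.
const RULES = [
  { pattern: "john@example.com", mode: "private" },
  { pattern: "competitor.com", mode: "blocked" },
];
const CONTACTS = [
  "John@Example.com",        // private: owner sees it, teammates do not (case-insensitive match)
  "alice@competitor.com",    // blocked for everyone
  "bob@notcompetitor.com",   // must NOT match "competitor.com"
  "carol@sub.competitor.com",// subdomain: blocked under the assumption above
  "dave@partner.io",         // no rule
];
const OWNER = "owner@micro.example";
const TEAMMATE = "teammate@micro.example";

console.log("owner sees:", visibleContacts(CONTACTS, RULES, OWNER, OWNER));
console.log("teammate sees:", visibleContacts(CONTACTS, RULES, OWNER, TEAMMATE));
```

The ordering matters for a defence-in-depth reading: the rule list is evaluated for every contact, and a single Blocked rule overrides any Private rule for the same address, so a later, broader domain rule cannot be weakened by an earlier per-address one.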
AI & Your Data
No training on your data
Your data is never used to train AI models. Our AI providers (Anthropic, OpenAI, Google) do not use API customer data for model training under their standard API terms.
When AI accesses your data
The AI assistant only accesses your data when:
- You ask it a question or give it a command
- AI Autofill runs on a property you’ve enabled it for
- Meeting summaries are generated from recordings you’ve opted into
Automation scoping
AI Autofill, Auto-Add, and other automations run based on your connected account’s activity — your emails, your calendar, your meetings. They do not run based on your teammates’ activity, even on shared lists. Each team member’s automations run independently.
AI Providers
| Provider | What it’s used for |
|---|---|
| Anthropic (Claude) | Primary AI assistant |
| OpenAI | Autofill, large-context tasks |
| Google (Gemini) | Image generation |
Compliance
- CASA Tier 3 — Micro has completed the Cloud Application Security Assessment (CASA) at Tier 3, the independent security assessment Google requires before an app may access Gmail and Google Calendar data.
- GDPR — We acknowledge and support EU data rights including access, correction, erasure, portability, and objection.
- CCPA/CPRA — California residents have rights under the California Consumer Privacy Act.
- SOC 2 Type II — If your organization requires SOC 2 compliance, please contact us at support@micro.so.
Google Permissions
When you connect Gmail and Google Calendar, Micro requests the minimum permissions needed:
- Read email — To display and search your inbox
- Send email — To send and reply from within Micro
- Modify email — To archive, label, star, and mark as read/unread
- Read calendar — To display events and enable meeting features
Micro does not request permission to permanently delete emails.
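The consent screen shows these permissions in Google's wording, but the grant itself is a list of scope strings, and that list is what to audit. The following is an added example, not Micro's code: it maps the four capabilities above to Google's published Gmail and Calendar API scopes, checks a granted scope list for anything broader (in particular `https://mail.google.com/`, the Gmail scope that permits permanent deletion), and builds a consent URL carrying only the narrow scopes. That these four scopes are the ones Micro requests is an assumption drawn from the capabilities listed; the client ID, redirect URI and state value are placeholders.

```javascript
// Added example (not Micro's code): audit a Google OAuth scope list against the
// least-privilege set implied by the permissions described on this page.

// One scope per capability on the page (Google's documented scope strings).
const ALLOWED_SCOPES = new Set([
  "https://www.googleapis.com/auth/gmail.readonly",    // read email
  "https://www.googleapis.com/auth/gmail.send",        // send email
  "https://www.googleapis.com/auth/gmail.modify",      // archive, label, star, read/unread
  "https://www.googleapis.com/auth/calendar.readonly", // read calendar
]);

// Scopes that would contradict the page: full mailbox access is the only Gmail
// scope that allows permanent deletion; calendar write scopes exceed "read calendar".
const OVERBROAD_SCOPES = {
  "https://mail.google.com/": "full Gmail access, including permanent deletion",
  "https://www.googleapis.com/auth/calendar": "read/write calendar",
  "https://www.googleapis.com/auth/calendar.events": "read/write calendar events",
};

// `granted` is the space-separated `scope` field from a token response, or the
// scope parameter of a consent URL. Returns a report rather than throwing so the
// caller can log all problems at once.
function auditScopes(granted) {
  const report = { overbroad: [], unexpected: [], permanentDeletePossible: false };
  for (const s of granted.split(/\s+/).filter(Boolean)) {
    if (s in OVERBROAD_SCOPES) {
      report.overbroad.push(`${s} (${OVERBROAD_SCOPES[s]})`);
      if (s === "https://mail.google.com/") report.permanentDeletePossible = true;
    } else if (!ALLOWED_SCOPES.has(s)) {
      report.unexpected.push(s);
    }
  }
  return report;
}

// Consent URL using Google's v2 authorization endpoint and only the allowed scopes.
// access_type=offline requests a refresh token so the server can sync later;
// state binds the callback to this browser session (CSRF protection).
function consentUrl(clientId, redirectUri, state) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: [...ALLOWED_SCOPES].join(" "),
    access_type: "offline",
    prompt: "consent",
    state,
  });
  return `https://accounts.google.com/o/oauth2/v2/auth?${params.toString()}`;
}

// Constructed samples: a minimal grant and an over-broad one.
const MINIMAL_GRANT = [...ALLOWED_SCOPES].join(" ");
const BROAD_GRANT = MINIMAL_GRANT + " https://mail.google.com/ https://www.googleapis.com/auth/drive.readonly";

console.log("minimal:", auditScopes(MINIMAL_GRANT));
console.log("broad:", auditScopes(BROAD_GRANT));
console.log(consentUrl("CLIENT_ID_PLACEHOLDER", "https://app.example.test/oauth/callback", "STATE_PLACEHOLDER"));
```

A user can cross-check the same list after connecting an account: the third-party access page in their Google Account settings shows the granted scopes in plain language, and "permanently delete" appears there only if the full-access scope was requested.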
Sub-Processors
The following third-party services process user data as part of the Micro platform:
| Service | Purpose |
|---|---|
| AWS | Infrastructure — database, file storage, queues, serverless compute |
| Clerk | Authentication and identity management |
| Anthropic | AI assistant (Claude) |
| OpenAI | AI autofill and large-context tasks |
| Google (Gemini) | Image generation |
| Clearbit | Contact and company data enrichment |
| Recall.ai | Meeting bot — recording and transcription |
| Stripe | Billing and subscription management |
| Liveblocks | Real-time document collaboration |
| Sentry | Error monitoring |
Data Deletion
To delete your account and all associated data, contact us at support@micro.so. We will process your request in accordance with applicable data protection laws.
Legal Documents
For security questions or to report a vulnerability, contact support@micro.so.