How Turret protects your firm's data.
Turret connects to Google Workspace via Domain-Wide Delegation using a service
account your Google Workspace Super Admin authorizes. The service account has
read-only scopes: gmail.readonly and admin.directory.user.readonly.
Turret cannot send, modify, delete, or forward any email. Authorization can be
revoked at any time from your Google Admin Console without contacting Turret.
Credentials (service account keys) are encrypted at rest using AES-256-GCM before being written to the database. Keys are stored separately from data and rotated on a defined schedule. All traffic is encrypted in transit via TLS 1.2+.
Every database record is scoped to a tenant ID. Application-layer queries always
filter by tenantId. One firm's data is never accessible to another firm, even on
the same infrastructure.
Pattern-matched snippets are redacted before being written to the database. Social security numbers and credit card numbers detected in email content are replaced with masked values before storage. Raw email content is compressed and stored for archive purposes but is never logged or exposed in error messages.
Turret staff can access operational metadata (job status, error logs, scan counts) for support purposes. Turret staff do not access email content as part of normal operations. All access is logged.
Security questions? Contact nick@musecap.com.