How does AfterHours decide which emails are real leads?

AfterHours reads every new email and figures out who is a real customer asking about your services, and who is just spam, a newsletter, or a vendor pitch. Only real prospects get a reply. Everything else is ignored.

What if the AI replies with something weird?

You stay in control. You write the reply template, set the tone (friendly, professional, or formal), list topics the AI must avoid, and add common customer questions with the right answers. Every sent reply is visible in your dashboard.

Will the AI keep replying back and forth with the same person?

No. AfterHours only replies to the first email from a new prospect. Once your customer responds, the conversation belongs to your team. The AI steps aside.

Which email providers work with AfterHours?

Gmail (including Google Workspace) and Microsoft Outlook (including Microsoft 365). You connect your inbox in one click. No passwords to enter, no technical setup.

When exactly does AfterHours reply?

Only outside the business hours you set, in your local timezone. During work hours your team handles emails normally. AfterHours covers nights, weekends, and holidays, whenever you are offline.

How long does setup take?

About 60 seconds. Sign up, connect your inbox in one click, set your business hours, and you are live. The first auto-reply goes out the next time a lead emails you after hours.

Is my email data safe?

Yes. Your inbox access is encrypted with bank-grade encryption. We do not save the contents of your customer emails. Your data is never used to train AI models. Read our Privacy Policy for the full details.

Security

How AfterHours Protects Your Inbox Data

Published June 8, 2026 · 5 min read

When you connect AfterHours to your inbox, you hand us something genuinely sensitive: access to your email. We don’t take that lightly. This post is a plain-English walkthrough of how that access is scoped, encrypted, and independently verified — so you can decide to trust us with the facts in front of you.

1. We read as little as possible

The most secure data is the data we never touch. AfterHours exists to do one narrow job: spot a brand-new sales lead that arrives outside business hours and send a fast, on-brand reply. So we ask for the minimum permissions that job requires and nothing more.

We request only gmail.readonly and gmail.send (and the Microsoft Graph equivalents) — not full mailbox management, not your contacts, not your settings.
Personal, financial, and otherwise sensitive emails are filtered out before processing. We never read, store, or display them.
Lead emails are processed in a short, in-memory window to classify the message and draft a reply — not warehoused for later mining.

2. Your credentials are encrypted at rest

To reply on your behalf, we hold an OAuth refresh token for your connected inbox. That token is the crown jewel, so we treat it like one. Every token is encrypted with AES-256-GCM — an authenticated encryption scheme that both hides the data and detects any tampering — before it ever reaches our database. The encryption key lives only in the runtime environment, never in our source code, and the application refuses to start in production if a strong key isn’t present.

3. Everything moves over encrypted connections

All traffic to and from AfterHours runs over TLS (HTTPS). We add a strict set of security response headers — HSTS, content-type and framing protections, and more — so browsers enforce safe behavior. Our cross-origin policy is locked to our own frontend rather than left open to the world.

4. We get checked by someone other than us

Anyone can claim their app is secure. Because AfterHours uses a Google “restricted” Gmail scope, we’re required to prove it. Google mandates an independent CASA (Cloud Application Security Assessment) Tier 2 review, carried out against the OWASP ASVS (Application Security Verification Standard) — the same benchmark used across the security industry.

That assessment looks at how we handle authentication, encryption, data storage, dependencies, and more, and it’s validated by an authorized third-party lab — not by us. We’re completing this assessment as part of Google’s OAuth verification, and it’s repeated every single year, so our security posture is re-checked on an ongoing basis rather than once and forgotten.

5. What we hardened to meet the bar

Preparing for CASA isn’t a paperwork exercise — it’s engineering. Recent work included:

Adding industry-standard security headers across every response.
Continuously scanning our dependencies for known vulnerabilities and removing or patching anything flagged.
Failing closed: the app won’t boot in production without a strong encryption key and session secret.
Stripping all debugging and test endpoints out of production builds entirely.

Bottom line

You should never have to take a vendor’s word for it. With AfterHours, inbox access is minimized, your credentials are encrypted, and our security is verified against a public standard by an independent lab — every year. That’s the level of care your customer conversations deserve.

Connect your inbox securely →

Questions about our security practices? Read our Privacy Policy or reach out any time.