Security
Last updated: April 2026
Overview
Overrule is a Microsoft Outlook rule management tool. This page describes the security controls, data handling practices, and infrastructure that protect your information.
Overrule LLC is a Microsoft Verified Publisher. We have completed Microsoft's publisher verification process through the Microsoft Partner Network (MPN), which confirms our legal business identity. The Overrule application is linked to this verified publisher identity, so users see a “Verified publisher: Overrule LLC” badge on the Microsoft sign-in consent screen rather than an unverified publisher warning.
Architecture
The diagram below shows how data flows through Overrule's systems. The key boundary to understand: your email messages live exclusively within Microsoft's infrastructure. Overrule only ever accesses your inbox rule definitions — never message content.
All communication between components uses encrypted transport (HTTPS/TLS). Overrule's database is a synchronized cache of your rule definitions; Microsoft Outlook remains the authoritative source of truth at all times.
What We Access and Store
Overrule accesses only your Outlook inbox rules — not your email messages. Specifically, we read and store:
- Full rule definitions — The name, conditions (such as sender filters, subject keywords, or recipient patterns), and actions (such as folder targets or forwarding addresses) of each rule in your mailbox. This is the complete rule structure as returned by the Microsoft Graph API, cached in our database to power search, grouping, and conflict analysis.
- Mail folder references — Rule actions that target folders (such as “move to folder”) reference folders by their Microsoft-assigned ID. These IDs are stored as part of the full rule definition in our database. Human-readable folder names are fetched from Microsoft Graph at display time and are not stored separately.
- Account identifiers — Your name, email address, and Microsoft tenant ID, used to associate your data with your account.
- Organizational annotations — Groups and labels you create within Overrule to organize your rules. These exist only in Overrule and are never written back to Outlook.
Overrule does not access, read, index, or store the content of any email messages, attachments, calendar events, contacts, or any other mailbox data beyond inbox rules.
Microsoft Graph Permissions
When you sign in, Overrule requests the following Microsoft Graph API permissions. We request only what is necessary for the features we provide:
- MailboxSettings.ReadWrite — To read your inbox rules and apply changes you explicitly request, such as toggling, reordering, or deleting rules. The “Write” component is required by Microsoft to modify rules; Overrule only writes when you initiate an action.
- Mail.ReadBasic — Used solely to retrieve the names of your mail folders for display in the rule editor. This permission allows reading basic message properties such as subject lines and sender information, but not message body content or attachments. Overrule does not read or store any message properties — it calls only the mail folders endpoint with this permission.
- People.Read — To provide contact autocomplete when creating or editing rule conditions that reference senders or recipients. Search results are returned in-session and are not stored in our database.
- offline_access — To maintain your session without requiring you to sign in again during a single working session. Microsoft issues a refresh token during the sign-in flow, but Overrule does not store it — it is never written to the session cookie or database and is dropped immediately after the sign-in exchange completes.
You can revoke these permissions at any time through your Microsoft account settings at myapps.microsoft.com. Revoking access will immediately prevent Overrule from reading or modifying your rules.
Authentication and Session Security
Overrule uses Microsoft Identity (Azure AD) exclusively for authentication. We do not have a separate password system and never see or store your Microsoft credentials.
After sign-in, your session is maintained via an encrypted, server-signed JWT cookie managed by NextAuth. Your OAuth access token is stored in this encrypted cookie — it is not written to our database. Session cookies are scoped to your browser and invalidated when your session ends or you sign out.
Every API request to Overrule's backend validates your session server-side before performing any operation. There is no path to rule data that bypasses session validation.
Write Safety
Because Overrule can modify your Outlook rules, we apply additional safeguards beyond standard authentication:
- Per-rule write locks — Concurrent modifications to the same rule are serialized at the database layer. If two operations attempt to modify the same rule simultaneously, the second is rejected until the first completes or times out.
- Hash-based change detection — Before applying any change, Overrule fetches the current rule from Microsoft Graph and compares it to the cached version. If the rule was modified externally (e.g., directly in Outlook) since the last sync, the operation is blocked and the UI is updated with the current state.
- Write-operation audit log — Every write operation (toggle, reorder, update, delete) is recorded in the database with its type, timestamp, outcome, and before/after rule hashes.
- Microsoft Graph is always authoritative — Overrule applies changes by calling the Microsoft Graph API directly. Our database is updated only after Graph confirms the change succeeded.
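The four safeguards above can be read as one guarded write path. The sketch below is an added example, not Overrule's code: `Rule`, `RuleWriter`, the outcome strings and the in-memory maps standing in for Microsoft Graph, the database cache and the database locks are all assumptions, and the sample rule is constructed.

```typescript
import { createHash } from "node:crypto";

// Added illustration: Rule, RuleWriter and the outcome strings are hypothetical names.
type Rule = { id: string; displayName: string; isEnabled: boolean; sequence: number };
type Audit = { op: string; ruleId: string; outcome: string; before: string; after: string; at: string };

// Canonical JSON (sorted keys) so the hash does not depend on property order.
function canonical(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    return "{" + Object.keys(o).sort().map((k) => JSON.stringify(k) + ":" + canonical(o[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}
function ruleHash(r: Rule): string {
  return createHash("sha256").update(canonical(r)).digest("hex");
}

class RuleWriter {
  graph = new Map<string, Rule>(); // stand-in for Microsoft Graph (authoritative)
  cache = new Map<string, Rule>(); // stand-in for the database cache
  locks = new Set<string>();       // stand-in for per-rule database locks
  audit: Audit[] = [];

  private record(op: string, ruleId: string, outcome: string, before: string, after: string): string {
    this.audit.push({ op, ruleId, outcome, before, after, at: new Date().toISOString() });
    return outcome;
  }

  update(op: string, ruleId: string, patch: Partial<Rule>): string {
    if (this.locks.has(ruleId)) return this.record(op, ruleId, "rejected_locked", "", "");
    this.locks.add(ruleId);
    try {
      const cached = this.cache.get(ruleId);
      const live = this.graph.get(ruleId);
      if (!cached || !live) return this.record(op, ruleId, "not_found", "", "");
      const before = ruleHash(cached);
      if (ruleHash(live) !== before) {
        this.cache.set(ruleId, live); // rule changed outside the tool: resync, do not write
        return this.record(op, ruleId, "blocked_stale", before, ruleHash(live));
      }
      const next: Rule = { ...live, ...patch };
      this.graph.set(ruleId, next); // write to the authoritative side first
      this.cache.set(ruleId, next); // update the cache only after that write succeeded
      return this.record(op, ruleId, "ok", before, ruleHash(next));
    } finally {
      this.locks.delete(ruleId);
    }
  }
}
```

Hashing a canonical form matters here: two fetches of the same rule can serialize properties in a different order, and a naive `JSON.stringify` hash would then report a change that never happened.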
Infrastructure and Encryption
Overrule is built on infrastructure maintained by established cloud providers:
- Application hosting — Vercel: All traffic is served exclusively over HTTPS. Vercel is SOC 2 Type II certified and ISO 27001 compliant.
- Database — Neon (PostgreSQL) on AWS US-East-1: Your rule data is stored in a managed PostgreSQL database. Data is encrypted at rest using AES-256 and in transit over TLS. Neon is SOC 2 Type II certified.
Production database access is restricted to application infrastructure and a tightly controlled administrator credential. There are no shared credentials, no team access to customer data, and no external access paths beyond the application itself.
Dependency vulnerabilities are monitored continuously via GitHub Dependabot. Automated pull requests are opened when dependencies have known CVEs and a fix is available.
Data Isolation
Each user's data is stored under their Microsoft tenant ID and user ID. It is not accessible to other users or tenants. Overrule does not aggregate, compare, or cross-reference rule data across accounts.
Conflict detection and static analysis run entirely within your own data set. No information from your rules is exposed to or compared against any other user's rules.
Sub-Processors
Overrule uses the following third-party sub-processors:
- Vercel — Application hosting and edge delivery (United States). SOC 2 Type II, ISO 27001.
- Neon / AWS US-East-1 — Managed PostgreSQL database (United States). SOC 2 Type II.
- Sentry — Error monitoring. Sentry receives error events including stack traces and request metadata. It does not receive rule content, email data, or identifiable user information beyond session identifiers. Rule field values are excluded from log context.
- Stripe — Payment processing for paid plans. Stripe handles all payment information directly. Overrule does not store card details.
- Microsoft Azure AD / Microsoft Graph — Authentication and mailbox rule access, as described above.
Data Retention and Deletion
We retain your account and rule data for as long as your account is active. Rule data in our cache is updated on each sync with Outlook and soft-deleted when rules are removed from your mailbox.
To request deletion of your account and all associated data, contact us at security@overruleinbox.com. We will complete deletion within 30 days and confirm by email when done.
You can also revoke Overrule's access to your Microsoft account at any time via myapps.microsoft.com, which immediately prevents any further data access or rule modifications.
Changes to This Page
We may update this page as our infrastructure, practices, or sub-processors change. When we do, we will revise the date at the top. We will not reduce the protections described here without notice.
Vulnerability Reporting
If you discover a security vulnerability in Overrule, please disclose it responsibly by contacting us at security@overruleinbox.com. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and respond.
We will acknowledge receipt within 3 business days and provide a resolution timeline within 10 business days.