Your Privacy with Disso: What We Can — and Can’t — Access

At Disso, your data privacy is not just a priority — it's a principle.
We take all necessary measures to ensure your digital assets and communications stay secure and strictly private, accessible only to you.
As essential as security is, privacy matters just as much — and we're committed to both. In this guide, we walk you through exactly what data is (and isn’t) accessed, step by step, in plain language. If you have any questions along the way, just hit the Intercom support button below — we’re here to help.
Data Access Explained
🔑 OAuth2 Authorization
When selecting the application you want to secure, we first ask for access using an OAuth2 integration. OAuth2 is a trusted industry-standard protocol that allows secure, permission-based access without sharing your password. Instead of credentials, Disso receives a token that only allows the specific actions you've approved.
This method is used across enterprise platforms like Microsoft 365, Slack, Google Workspace, and others — ensuring tight control and transparency. We never see or store your login details. All permissions are clearly listed up front, and you can revoke access at any time through your app’s admin settings. By using OAuth2, we ensure enterprise-grade security, even for teams without enterprise-scale infrastructure — so you stay in full control, with no compromises on safety.
👥 Select Accounts to Monitor
After connecting via OAuth2, you can choose which accounts to test Disso on — before any data is accessed. We recommend starting with high-risk roles—like a hotel receptionist handling multilingual emails, a hospital doctor managing urgent requests, or a sales rep exchanging links with unknown contacts. These accounts face volume, pressure, and unpredictability — ideal for spotting real threats. We suggest testing with at least 10 accounts to see Disso’s impact before scaling further.
🔒 What Disso Can Access and Store
Once set up — in under a minute — Disso starts protecting you from phishing and social engineering. It analyzes key parts of your communication to detect threats, without reading full message content.
Metadata
Metadata is simply data about data. It helps us make sense of your communications without needing to access the actual message body.
Here’s the metadata we extract:
- Sender and receiver email addresses
- Date and time sent
- Headers/IP address
- Message ID
- URLs and links
Contextual Metadata (Scored, Not Stored)
In addition to basic metadata, Disso also analyzes contextual signals in your messages — patterns that might suggest manipulation, urgency, or fraud.
We do not store this data. We simply score it in real time to help our models learn and improve over time.
Here are some of the signals we score:
- Urgency cues
- Grammar or spelling issues
- Requests to change sensitive information
- Attempts to remove someone from a conversation
- Sudden changes in payment method
- Reciprocity language (e.g., “I did this for you, now can you…”)
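To make the two lists above concrete, here is an added example (not Disso's own code) of the same minimal-data approach in Python: one message is parsed in memory, only the listed metadata fields are kept, the listed contextual signals are scored as counts, and the body text itself is never returned. The sample message and the keyword cues for each signal are constructed for this example and are assumptions, not Disso's actual detection rules.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (not real traffic), mimicking a payment-change lure.
RAW = b"""Received: from mail.example.net ([203.0.113.7]) by mx.example.com
From: "Accounts" <billing@example.net>
To: reception@hotel.example
Date: Mon, 3 Jun 2024 09:13:55 +0000
Message-ID: <abc123@example.net>
Subject: Urgent: update bank details today

We did this for you last month, now can you update our payment method
immediately? New details here: https://pay.example.net/update
"""

# Constructed keyword cues standing in for the contextual signals listed above.
SIGNALS = {
    "urgency": ("urgent", "immediately", "today"),
    "payment_change": ("bank details", "payment method"),
    "reciprocity": ("did this for you", "now can you"),
}

def analyze(raw: bytes) -> dict:
    """Parse one message in memory; return header metadata and signal scores only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    received = str(msg.get("Received", ""))
    ip = IP_RE.search(received)
    metadata = {
        "sender": parseaddr(str(msg["From"]))[1],
        "receiver": parseaddr(str(msg["To"]))[1],
        "sent_at": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "source_ip": ip.group(1) if ip else None,
        "message_id": str(msg["Message-ID"]),
        # Links are pulled out of the body, but the body text itself is dropped.
        "urls": sorted(set(URL_RE.findall(body))),
    }
    text = (str(msg["Subject"]) + "\n" + body).lower()
    # Scored in memory: a count of matched cues per category, never the text.
    scores = {name: sum(cue in text for cue in cues) for name, cues in SIGNALS.items()}
    return {"metadata": metadata, "signals": scores}  # no body, no attachments

if __name__ == "__main__":
    print(analyze(RAW))
```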
🚫 What Disso Can't Access
While Disso analyzes certain metadata and context to detect threats, there are strict limits on what we access — by design.
Here’s what Disso does not access or store:
- ❌ Full message content – No human ever reads your emails. Like many AI companies working with highly regulated industries, we use ephemeral processing: your data is analyzed only in memory, never stored, and never used to train any models.
- ❌ Attachments or documents – We don’t scan or store your documents internally. We only check for known malicious threats (e.g., malware) — nothing more.
- ❌ Personal files or device data
- ❌ Private conversations outside of your communication system
- ❌ Any content unrelated to phishing or security signals
Your privacy is a priority. Disso only uses the minimum data necessary to protect you — no more, no less.
🧠 How Disso Uses Your Data
Now that it's clear what data we access—and what we don’t—we want to explain how Disso uses this data to protect you from phishing, malware, and other malicious behavior.
Once Disso collects and stores both standard and contextual metadata, it uses this information—anonymized and never tied to individual communications—to improve detection models through ongoing training. Specifically, Disso leverages a fine-tuned large language model (LLM) from Mistral, which was initially trained using synthetic data. This allows us to safely and ethically enhance our detection capabilities without ever exposing your personal information.
So, what does that mean in practice?
- Our algorithms continuously analyze metadata for strong suspicious signals that could indicate malicious intent.
- Less obvious patterns are evaluated using our fine-tuned LLM, which detects anomalies or subtle threats that might otherwise go unnoticed.
- This all happens in real time, around the clock, to give you the best possible protection.
Rest assured: all training is anonymized, and no model is ever trained on individual message content. Your privacy stays protected—always.
🔐 Your controls
So, how do you stay in control of your data?
Disso acts as a data processor under GDPR, which means you own your data, and we only process it on your behalf. To support that, we give you several layers of control:
- OAuth2 Access
Disso uses OAuth2 permissions, which means you can revoke access at any time. You stay in charge of when and how we connect to your communication data.
- Admin Access Control
You decide who gets access. One main admin is selected to manage Disso, and they control who else can be granted permission within your organization.
- Minimal Data Retention
By default, Disso retains metadata for 60 days, allowing time to analyze threats and improve detection. You can request a shorter retention period if preferred.
- Data Deletion
Want your data removed? You can trigger data deletion at any time. We make it easy, fast, and fully compliant.
- Custom Settings
Fine-tune Disso to your needs—choose which accounts to monitor, adjust security thresholds, and set preferences for real-time or periodic protection.
📄 Compliance
In addition to our commitment to keeping your data private, Disso meets key compliance standards—all transparently listed in our Trust Center:
- ISO 27001 Compliant
We follow internationally recognized security standards to ensure your data is handled with care and protected at every level.
- GDPR Compliant
Disso acts as a data processor, meaning you stay in control while we process data strictly on your behalf—fully aligned with GDPR requirements.
- EU AI Act Ready
Our AI models are designed with safety and accountability in mind, built to meet the latest EU AI regulations.
- Hosted in Europe
All your data stays within the EU. We use secure AWS servers located in Europe to comply with regional hosting and sovereignty requirements.
❓ Questions/Comments
We hope this information reassures you of our commitment to keeping your data secure and private. If you still have questions or feedback, feel free to hit the Intercom button in the app or reach out via email ([email protected]).