Email Integration

Comprehensive documentation on how Lev's email integration works—including technical architecture, security measures, and data handling policies. Only deal-related emails are processed, with no human access and zero AI training.

Overview

Lev's email integration enables users to send deal-related emails directly from the platform and automatically track lender responses. The integration connects to users' existing email accounts (Google or Microsoft 365) and provides workflow automation without requiring users to leave the platform.

Technical architecture

Our email integration uses an industry-standard middleware layer to securely connect with email providers while maintaining strict data isolation.

integration_layer

middleware: Nylas — industry-standard email integration platform
auth: OAuth 2.0 tokens (no credentials stored)
providers: Google Workspace, Microsoft 365
scope: Per-user (not tenant-level)

how_nylas_works

Acts as a middle layer between Lev and email providers
Handles OAuth authentication flow
Sends push notifications (webhooks) when new emails arrive
Does NOT store email data — only routes notifications

outbound_flow

1. User composes email in Lev platform
2. Lev sends API call to user's email server via OAuth connection
3. Email is sent from user's actual email address
4. Email appears in user's Sent folder (like any normal email)
5. Lev records the thread_id for tracking

Mail merge capability

Send to multiple lenders with one click — each receives an individual email with unique thread ID.

inbound_flow

1. New email arrives in user's inbox
2. Nylas sends webhook notification to Lev with headers only:
  • From address
  • To address
  • Thread ID
  • Subject line
3. Lev checks: Does this thread ID match a deal launched through our platform?

If YES (match found)
  • Request full email body and attachments
  • Store in system
  • Update deal status
If NO (no match)
  • Discard notification
  • Never request body
  • No data retained

Inbound Email Processing Flow
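
The gating logic of the outbound and inbound flows above, as an added Python sketch; it is not Lev's or Nylas's code. `ThreadGate`, `fetch_body`, and all addresses and thread IDs are hypothetical, constructed names. The injected fetcher records every body request, so a reviewer can confirm that unmatched threads never trigger one.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

@dataclass(frozen=True)
class HeaderNotification:
    """Constructed header-only payload: the four fields the page lists."""
    from_addr: str
    to_addr: str
    thread_id: str
    subject: str

@dataclass
class ThreadGate:
    """Hypothetical gate between webhook notifications and body retrieval."""
    fetch_body: Callable[[str], str]   # injected stand-in for the provider call
    tracked: Dict[str, str] = field(default_factory=dict)   # thread_id -> deal_id
    stored: Dict[str, list] = field(default_factory=dict)   # deal_id -> bodies

    def record_outbound(self, thread_id: str, deal_id: str) -> None:
        # Outbound step 5: remember the thread ID of every email sent for a deal.
        self.tracked[thread_id] = deal_id

    def handle(self, n: HeaderNotification) -> str:
        deal_id = self.tracked.get(n.thread_id)
        if deal_id is None:
            # No match: return without calling fetch_body or keeping any header.
            return "discarded"
        # Match: only now is the body requested, then stored against the deal.
        self.stored.setdefault(deal_id, []).append(self.fetch_body(n.thread_id))
        return "stored"

def demo():
    fetched = []   # records every body request so it can be audited afterwards
    def fake_fetch(thread_id: str) -> str:
        fetched.append(thread_id)
        return f"body of {thread_id}"
    gate = ThreadGate(fetch_body=fake_fetch)
    # Mail merge: one deal, two lenders, two distinct thread IDs (constructed).
    gate.record_outbound("thr-lender-a", "deal-1")
    gate.record_outbound("thr-lender-b", "deal-1")
    inbox = [
        HeaderNotification("quotes@lender-a.example", "broker@firm.example",
                           "thr-lender-a", "Re: Term sheet"),
        HeaderNotification("family@home.example", "broker@firm.example",
                           "thr-personal", "Dinner"),
    ]
    results = [gate.handle(n) for n in inbox]
    return results, fetched, gate.stored
```
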

Data access

Understanding exactly what data we access — and what we don't — is critical for evaluating our email integration.

lev_emails: Full body and attachments stored
replies: Full body and attachments stored for Lev-launched threads
headers: From, To, Thread ID only — checked for matches, then discarded
non_lev_body: Not requested, not received
personal: No access whatsoever
contacts: Only imported from email history with lender domains

Security & compliance

infrastructure

hosting: Amazon Web Services (AWS), US data centers
physical: 24/7 security, fire suppression, redundant utilities, biometric access
network: All traffic over SSL/HTTPS
cloud_mon: CloudSploit and Prowler scanners
app_scan: Nessus and BurpSuite Professional
pentest: Quarterly third-party pentests

application_security

No single points of failure — if one system goes down, others remain operational
Database isolation — database instances physically separate from application servers
Single-function servers — each server handles one purpose
Continuous deployment — up-to-date images, configuration management

compliance

SOC 2 Type 2: Certified
CCPA: Compliant

SOC 2 compliance covers

Access controls
Data encryption
Business continuity
Disaster recovery
Incident response

access_controls

super_admin: CEO/CTO — full access to customer data
account_mgr: Scoped access for support purposes
engineers: No direct access to customer email data
audit: All access logged with audit trail

LLM usage

Lev uses Large Language Models (LLMs) to power intelligent automation features. Here's how we handle your data when processing with AI.

model_providers

openai: Quote extraction, note generation — Zero data retention (ZDR) API
anthropic: Complex reasoning tasks — No training on customer data
google_gemini: Multimodal analysis — Enterprise data protection agreement

data_protection_guarantees

no_training: Your data is never used to train or fine-tune any AI models. We use API endpoints with explicit opt-out.
zero_retention: We use Zero Data Retention (ZDR) API agreements. Prompts and completions are not stored after processing.
minimal_context: Only minimum necessary data is sent. Email content is processed in isolation without unnecessary metadata.

data_sent_to_llms

email_body: Quote extraction, summarization
attachments: Term sheet parsing
names: Only when needed for context
account: Never sent
deal_data: Processed locally

Data handling

data_stored

Emails from threads launched through Lev
Attachments on those threads (term sheets, OMs, etc.)
Extracted quote data (parsed by AI)
Deal status updates based on email activity

data_retention

No automatic deletion — emails retained until customer requests deletion
User deletion — users can delete individual emails from Lev (does not affect their inbox)
Account termination — all data exported and deleted on request

data_ownership

  • Customer owns their data
  • Data is private to the customer's organization
  • Customer data is NOT used to train AI models

Privacy safeguards

thread_based_isolation

The core privacy safeguard: we only ever receive the body of emails on threads we initiated.

Personal emails (family, friends): Never accessed
Other business emails: Headers checked, body never requested
Side conversations with lenders (outside Lev): Not tracked unless manually included

manual_inclusion_options

For emails started outside the platform that users want to track:

1. CC method: CC assistant@lev.com on the email — automatically picked up
2. Forward method: Forward the email to assistant@lev.com

After manual inclusion, future replies on that thread are tracked automatically.

configuration_options

full: Send + Receive — Maximum automation
send_only: Send only — Privacy-conscious users, no inbox monitoring
manual_cc: Manual CC only — Most restrictive, CC assistant@lev.com

PII considerations

Current state

No automatic PII detection in emails or attachments. If PII appears on a Lev-tracked thread, it gets stored.

risk_scenarios

ssn_on_thread: Moderate risk — Borrower sends SSN on a Lev thread. Could get stored if forwarded to lender.
non_lev_pii: Low risk — PII in non-Lev emails. Body never received.
attachments: Moderate risk — PII in attachments. Stored if on tracked thread.

mitigations

Users can delete emails from Lev at any time
Most Lev emails go to lenders, not borrowers (reduces PII exposure)
SOC 2 controls protect stored data
Audit trails on all data access

AI features

The email integration powers several AI capabilities to automate deal management workflows.

quote_extract: AI parses lender responses and extracts term sheet data into a quote matrix
status_updates: Deal status updates automatically based on email activity
follow_ups: Send automatic follow-up emails to non-responsive lenders
note_gen: Auto-generate deal notes from email conversations
next_steps: AI suggests next steps based on conversation context

Data privacy guarantee

Customer data is NOT used to train AI models. AI features process your data for your benefit only.

Frequently asked questions

Will you read all my emails?

No. We only access emails on threads launched through Lev. For all other emails, we receive only headers (to check for thread ID matches) and immediately discard them. We never request or receive the body of non-Lev emails.

Can my company see my contacts/emails?

Contacts are shared within your team on Lev, but your email inbox remains private. Only emails you explicitly send through Lev become visible to your teammates on a deal.

What if our brokers won't integrate their email?

The email integration is optional. The platform is fully usable without it. Alternatives: send-only mode, manual CC to assistant@lev.com, or use Lev for deal management only.

What happens if Lev goes down?

Emails you've already sent continue to exist in your inbox normally. When service resumes, we resync and catch up on any missed replies. Your email functionality is never affected — we're just an overlay.