Nylas compliance certifications explained: SOC 2, HIPAA & ISO standards for secure, trusted integrations


When you’re building a product on top of an API that touches user emails, calendars, contacts and meeting data, “trust us” isn’t good enough. You need proof.

That’s why compliance certifications exist — and why, at Nylas, we treat them as an ongoing practice rather than a box to tick before a sales call. This post walks through the audits we maintain, what they actually mean, and how they reflect the way we build and operate every day.

What Nylas compliance certifications cover

Nylas completes four annual external compliance audits: SOC 2 Type II, HIPAA, ISO 27001, and ISO 27701. Each one addresses a different dimension of security and privacy, and together they cover the trust and security expectations of most enterprise procurement teams, healthcare organizations, and international customers. One note on terminology: SOC 2 produces an attestation report rather than a certificate, and HIPAA has no government-issued certification at all, so "certification" below is shorthand for an independent third-party assessment in each case.

Why compliance isn’t a checkbox (even when it feels like one)

Here’s the honest truth: compliance audits have a reputation problem. To a lot of people, they conjure images of a frantic few months of documentation scrambles, policy rewrites, and consultants — followed by a certificate that gets filed away and forgotten.

That’s not how it works here, and it’s not how it should work for any company handling sensitive data at scale.

At Nylas, the certifications we hold aren’t trophies. They’re a byproduct of how we actually run our infrastructure, respond to incidents, manage access controls, and think about data. The audit process validates what’s already happening — it doesn’t manufacture it.

The certifications we hold

SOC 2 Type II

SOC 2 Type II is an independent attestation, performed by a licensed CPA firm under AICPA standards, of a service organization's security, availability, and confidentiality controls over a sustained observation period. Nylas undergoes this audit annually.

SOC 2 is the report most SaaS procurement teams ask for first, and the difference between Type I and Type II matters more than most people realize.

Type I is a point-in-time snapshot: “Here’s what our controls look like today.” Type II is a sustained test over an observation period — typically six to twelve months — that asks: “Do these controls actually work, consistently, over time?”

Nylas holds a current SOC 2 Type II report, which means an independent auditor has tested our security, availability, and confidentiality controls not just in design, but in operation over the observation period. For developers integrating Nylas into their applications and for prospects evaluating us as a vendor, this is the assurance that our security posture isn't a performance for audit season; it's how we operate year-round. When you read the report, check the system description for which services and locations are in scope, the observation period's dates, and any exceptions the auditor noted.

What it covers: logical access controls, monitoring and alerting, incident response, change management, and more. In short: the things that determine whether your users’ data is actually protected.

You can request our SOC 2 report directly from our Trust & Security page.

HIPAA

HIPAA (the Health Insurance Portability and Accountability Act) sets the legal standard for protecting Protected Health Information (PHI) in the United States. If your product touches patient data (scheduling, clinical communications, EHR integrations), HIPAA compliance is a legal requirement for you and for every vendor in your stack that creates, receives, maintains, or transmits that PHI on your behalf.

Nylas is HIPAA compliant, which means healthcare organizations and developers building health-adjacent products can use our APIs without introducing a compliance gap into their architecture. There is no official HIPAA certificate; compliance is demonstrated through an independent assessment against the HIPAA Privacy and Security Rules, which Nylas completes annually.

This isn't just about having the right policies documented. It means the administrative, physical, and technical safeguards required by the Security Rule are in place for how PHI is accessed, transmitted, and stored, and that we sign Business Associate Agreements (BAAs) with covered entities. The BAA is not optional paperwork: a covered entity may not disclose PHI to a vendor without one in place.

If you’re in health tech and evaluating email or calendar APIs, this one matters a lot.

ISO 27001

ISO 27001 is an internationally recognized standard for Information Security Management Systems (ISMS).

Where SOC 2 is largely a North American benchmark, ISO 27001 carries weight globally — particularly in Europe, Asia-Pacific, and enterprise procurement processes worldwide.

Earning ISO 27001 certification, which is issued by an accredited certification body after an external audit, means Nylas has implemented a structured, risk-based approach to managing information security across the organization. It's not a single control or policy; it's a framework that covers everything from asset management and supplier relationships to physical security and business continuity. As with SOC 2, the certificate states a scope, so check that the services you depend on are included.

For international customers and enterprises with global security requirements, ISO 27001 is often a prerequisite for vendor approval. It signals that security isn’t siloed inside one team — it’s embedded across the organization.

ISO 27701

ISO 27701 is the privacy extension to ISO 27001; it cannot be held on its own and builds on an existing ISO 27001 certification. Where ISO 27001 addresses information security, ISO 27701 addresses privacy information management. It requires organizations to demonstrate how they collect, process, store, and protect personal data, as both a controller and a processor, and to do so in a way that maps to the rights and obligations defined by GDPR, CCPA, and other major privacy regulations.

For Nylas, this certification reflects our commitment to privacy as a first-class concern, not an afterthought bolted on after the security work is done. If your users are in the EU, California, or anywhere with meaningful data protection law, this is the certification that shows we’ve thought carefully about what happens to their data — and built systems to protect it accordingly.

What this means if you’re building on Nylas

Compliance frameworks can feel abstract until you’re in a sales cycle and a procurement team asks for your vendor’s SOC 2 report. Or until you’re launching in a new market and realize your entire stack needs to be GDPR-ready. Or until a healthcare customer asks whether you can sign a BAA.

At that point, what your vendors hold matters — because it flows directly into what you can claim.

Building on Nylas means:

  • Faster enterprise deals. When customers ask for security documentation, you’re not waiting on us. Our certifications are available and our posture is documented.
  • Reduced compliance burden. Inheriting controls from a compliant infrastructure provider is significantly more efficient than rebuilding them from scratch. Keep in mind that you inherit only the controls within the scope of our reports; how your own application handles tokens, credentials, and the data it pulls from Nylas remains your responsibility.
  • Confidence across regions. ISO 27001 and ISO 27701 mean we’ve met internationally recognized standards, not just domestic ones.
  • Healthcare readiness. If you’re building in health tech, you can do it on Nylas without adding a compliance gap.

Compliance as culture, not calendar event

The certifications above aren’t things we do once a year and then set aside. Our security and privacy controls are embedded in how we deploy code, manage access, respond to incidents, and onboard new systems. The audits confirm that. The practice is ongoing.

That’s the standard we hold ourselves to — and what we think every infrastructure provider handling sensitive data should hold themselves to, too.

Want to dig into the details? Visit our Trust & Security page to access our compliance documentation, request our SOC 2 report, or reach out to our team to discuss how Nylas fits into your security and compliance requirements.

Frequently Asked Questions

Can I request Nylas’s SOC 2 report?

Yes. You can request it directly from our Trust & Security page. We make it available to prospects and customers evaluating Nylas as a vendor.

Does Nylas sign Business Associate Agreements (BAAs)?

Yes. Nylas is HIPAA compliant and equipped to sign BAAs with covered entities. If you’re building in healthcare, reach out to our team to get that process started.

Which certifications are relevant for customers in the EU?

ISO 27001 and ISO 27701 are the most relevant for EU customers. ISO 27701 specifically maps to GDPR obligations around how personal data is collected, processed, and protected.

Does Nylas sign Data Processing Addendums (DPAs)?

Yes. Nylas has incorporated DPA language into all of our default Order Form and MSA terms. Clause 5 (Data Privacy) covers standard DPA terms, with Standard Contractual Clauses (SCCs) for international transfers outlined in 5(j) and Exhibit A. If you require a separate DPA or specific terms, please reach out to our team.

Does Nylas’s compliance posture apply to all products in the platform?

Our certifications cover Nylas’s infrastructure and operations as a whole — including the Email API, Calendar API, Contacts API, Scheduler, and Notetaker. If you have questions about a specific product or use case, contact our team.

How often are Nylas’s certifications renewed?

SOC 2 Type II is audited annually over a six-to-twelve-month observation period, so each report covers a continuous window rather than a single point in time. ISO 27001 and ISO 27701 certificates run on a three-year cycle: the certification body performs surveillance audits each year and a full recertification audit at the end of the cycle.
