Security at Rythm — non-custodial by design.

We believe your bouncer should have all muscle and no curiosity. Rythm is non-custodial by design: we never hold your money, never store your email content. Scanning is in-memory, in milliseconds, for one specific thing: a payment proof.

Non-custodial architecture

When an unknown sender pays the cover charge, the payment is a Cashu proof attached to the email. Rythm validates the proof and melts it — redeems it back into Lightning — directly to your wallet. The round-trip takes milliseconds. Rythm never holds the money.

There’s nothing to lose in a breach. We don’t have user balances. We don’t have pooled funds. We don’t even have the proofs after they’re redeemed.

Zero email content storage

When an email from an unknown sender arrives, Rythm scans the body in memory for exactly one thing: a Cashu proof. The scan runs in milliseconds, then the content is discarded. We never store it, never share it, never use it for anything else.

No training data. No behavioral profiling. No content retention. A bouncer should have all muscle and no curiosity.

Fail-open design

If Rythm breaks — if our servers go down, if a provider API has an outage, if a mint is unreachable — email delivers normally. You never miss a message because of us. The protection layer can stumble; your inbox keeps working.

Minimum OAuth permissions

Rythm requests only what’s needed to do the job: read/modify labels and send rejection notices. We do not request full account access. We do not request send-as on arbitrary messages.

You can revoke access instantly from your Google Account security settings or Microsoft account settings — no contact with us required.

CASA Tier-2 audit in progress

Rythm is undergoing an independent third-party CASA Tier-2 security assessment. All 39 test cases in scope have been addressed (that is, work has been done against each item; the audit itself is not yet finalized). We’ll update this page when the assessment completes.

We don’t claim SOC 2, HIPAA, or enterprise-grade until those frameworks are independently validated.

Infrastructure hygiene

  • Per-Lambda IAM roles. Every backend function gets its own least-privilege role. No shared roles, no accidental privilege escalation.
  • KMS encryption. OAuth tokens stored at rest are encrypted with AWS KMS keys scoped per environment.
  • Nonce-based CSP. Content Security Policy uses strict-dynamic with per-request nonces. No unsafe-inline for scripts.
  • SSRF guard. All outbound URL construction is routed through a guard that blocks private IPs, metadata endpoints, and loopback.
  • Zod validation. Every API boundary validates input against strict schemas.
  • PII-redacting logger. Sensitive fields are hashed before they ever hit the log stream.

Essential services bypass

Banks, the IRS, courts, 2FA providers, shipping carriers — these always reach your inbox, no cover charge required. We verify authenticity (DKIM, SPF, known domain lists) to prevent spoofing. If an essential sender ever gets filtered by mistake, rescue once and they’re on your guest list forever.

Security FAQ

Does Rythm read my emails?

Rythm scans the body of incoming emails from unknown senders to check for a Cashu payment proof. The scan runs in-memory for milliseconds and the content is discarded immediately. We never store, share, or repurpose email content.

What happens if Rythm is breached?

There are no user funds to lose (non-custodial) and no stored email content to leak. What does exist is OAuth refresh tokens (KMS-encrypted) and guest-list metadata. We’d rotate keys, force re-authentication, and notify affected users per our incident response plan.

Is Rythm SOC 2 or HIPAA certified?

Not currently. We’re planning SOC 2 after CASA Tier-2 finalizes. We don’t claim either until independent attestation is complete.

Can I revoke Rythm’s access?

Yes, instantly — from your Google Account or Microsoft account security page. No contact with Rythm required.

Does Rythm use AI on my email?

No. Rythm is rule-based and deterministic: known sender, or cover charge proof, or rejection. We don’t train models on your email. We don’t run ML classifiers over your content.

Where is my data stored?

Guest list and account metadata live in DynamoDB in AWS us-east-1. OAuth tokens are encrypted at rest with KMS. Logs are retained for a fixed window (see the privacy policy) and do not contain raw email content.

All muscle. No curiosity.

Non-custodial by design. Fail-open. $1.65/month.