security

Security at Rythm. Non-custodial by design.

We believe your bouncer should have all muscle and no curiosity. Rythm is non-custodial by design: we never hold your money, never store your email content. Scanning is in-memory, in milliseconds, for one specific thing: a payment proof.

independent audit
39 / 39
CASA Tier-2 test cases passed in 2026, the assessment Google requires for sensitive Gmail OAuth scopes.

Source: Independent CASA Tier-2 assessment, 2026

custody
$0
User funds we hold at any moment. Payments settle directly to your wallet; we are never in the money path.

Source: Non-custodial architecture, see below

content retention
0 ms
Email content we store after the in-memory payment-proof scan. No training data, no behavioral profile.

Source: Non-custodial architecture, see below

architecture

What we built. What we removed.

what we built

The lit edge.

  • Per-Lambda IAM roles. Every backend function gets its own least-privilege role. No shared roles, no accidental privilege escalation.
  • KMS encryption. OAuth tokens stored at rest are encrypted with AWS KMS keys scoped per environment.
  • Nonce-based CSP. Content Security Policy uses strict-dynamic with per-request nonces. No unsafe-inline for scripts.
  • SSRF guard. All outbound URL construction is routed through a guard that blocks private IPs, metadata endpoints, and loopback.
  • Zod validation. Every API boundary validates input against strict schemas.
  • PII-redacting logger. Sensitive fields are hashed before they ever hit the log stream.
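The SSRF guard in the list above is the control most worth seeing in code. The block below is an added example, not Rythm's own guard: it parses a URL with the WHATWG `URL` class (which already normalises decimal, hex and octal IPv4 spellings into a dotted quad), then rejects loopback, RFC 1918, link-local (including the 169.254.169.254 cloud-metadata address), shared-address-space and unspecified ranges for both IPv4 and IPv6, plus a small hostname deny list. The https-only rule, the rejection of URL credentials and of single-label hosts, and the entries in `BLOCKED_HOSTNAMES` are assumptions of this example, not statements about Rythm's policy.

```javascript
// Added example (not Rythm's code): an outbound-URL guard of the kind the page
// describes. Hostnames that are not literal IPs must still be resolved and every
// resolved address re-checked with isBlockedIp() immediately before connecting,
// otherwise a DNS answer (or a rebinding attacker) can still point at an
// internal host.

// Hypothetical hostname deny list; the second entry is GCP's metadata hostname.
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);

// Parse a dotted-quad IPv4 string into an unsigned 32-bit number, or null.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((octet) => octet > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// CIDR ranges that a backend must never be coaxed into contacting.
const BLOCKED_V4 = [
  ["0.0.0.0", 8],       // "this" network / unspecified
  ["10.0.0.0", 8],      // RFC 1918
  ["100.64.0.0", 10],   // shared address space (CGNAT)
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local, includes 169.254.169.254 metadata
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
].map(([net, bits]) => [ipv4ToInt(net), bits]);

function inRange(ip, net, bits) {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((net & mask) >>> 0);
}

function isBlockedIpv4(host) {
  const ip = ipv4ToInt(host);
  if (ip === null) return false;
  return BLOCKED_V4.some(([net, bits]) => inRange(ip, net, bits));
}

// IPv6 as serialised by the URL parser (compressed, lower-case hex groups).
function isBlockedIpv6(addr) {
  const a = addr.toLowerCase();
  if (a === "::1" || a === "::") return true;        // loopback, unspecified
  if (/^f[cd][0-9a-f]{2}:/.test(a)) return true;      // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(a)) return true;      // fe80::/10 link-local
  if (a.startsWith("::ffff:")) {                      // IPv4-mapped address
    const tail = a.slice(7);
    if (tail.includes(".")) return isBlockedIpv4(tail);
    const groups = tail.split(":");
    if (groups.length === 2) {
      const n = ((parseInt(groups[0], 16) << 16) | parseInt(groups[1], 16)) >>> 0;
      return BLOCKED_V4.some(([net, bits]) => inRange(n, net, bits));
    }
  }
  return false;
}

// True when a literal IP (v4 or bracketed/unbracketed v6) must not be contacted.
function isBlockedIp(host) {
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  return host.includes(":") ? isBlockedIpv6(host) : isBlockedIpv4(host);
}

// Returns { ok: true, url } for a safe destination, else { ok: false, reason }.
function guardOutboundUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname; // already normalised: 0x7f.1 and 2130706433 become 127.0.0.1
  if (BLOCKED_HOSTNAMES.has(host)) return { ok: false, reason: "blocked hostname" };
  if (isBlockedIp(host)) return { ok: false, reason: "address in blocked range" };
  if (!host.includes(".") && !host.includes(":")) return { ok: false, reason: "single-label host" };
  return { ok: true, url: url.href };
}

// Stand-alone demonstration on constructed inputs.
for (const u of ["https://api.example.com/webhook", "https://2130706433/", "https://[::1]:8443/"]) {
  console.log(u, "->", JSON.stringify(guardOutboundUrl(u)));
}
```

Deny-by-range on the parsed hostname is only half the control: the same `isBlockedIp()` check has to run on the addresses the resolver actually returns, and redirects must be re-guarded hop by hop, because a permitted public host can answer with a 302 to an internal one.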
what we removed

The blast radius.

  • User balances. There aren’t any. Cashu tokens melt to your wallet on receipt; Rythm never holds them.
  • Pooled funds. Nothing is commingled. Each payment is a peer-to-peer round-trip.
  • Stored email content. Bodies are scanned in memory for one thing, then discarded. No retention, no profile, no model.
  • Send permissions. Rythm doesn’t request gmail.send or Mail.Send. Rejection notices come from Rythm’s own notification address, not your account.
  • Hard fail. If Rythm goes down, email delivers normally. The protection layer can stumble; your inbox keeps working.
trust pillars

How the bouncer keeps your data clean.

Four pillars cover everything between you and the people trying to reach you.

Non-custodial architecture.

When an unknown sender pays the cover charge, the payment is a Cashu proof attached to the email. Rythm validates the proof and melts it (redeems it back into Lightning) directly to your wallet. The round-trip takes milliseconds. Rythm never holds the money.

There’s nothing to lose in a breach. We don’t have user balances. We don’t have pooled funds. We don’t even have the proofs after they’re redeemed.

Zero email content storage.

When an email from an unknown sender arrives, Rythm scans the body in memory for exactly one thing: a Cashu proof. The scan runs in milliseconds, then the content is discarded. We never store it, never share it, never use it for anything else.

No training data. No behavioral profiling. No content retention. A bouncer should have all muscle and no curiosity.

Fail-open design.

If Rythm breaks, if our servers go down, if a provider API has an outage, if a mint is unreachable, email delivers normally. You never miss a message because of us. The protection layer can stumble; your inbox keeps working.

Minimum OAuth permissions.

Rythm requests only what’s needed to do the job. For Gmail: gmail.modify (read incoming unknown-sender messages, apply labels) plus userinfo.email and contacts.readonly. For Microsoft Graph: Mail.ReadWrite (read incoming messages, apply categories) plus Contacts.Read, offline_access, openid, email, profile, User.Read. Rythm does not request send permissions (gmail.send, Mail.Send) and does not send mail from your account. Rejection notices to first-time senders come from Rythm’s own notification address (notify@mail.rythm.xyz).

You can revoke access instantly from your Google Account security settings or Microsoft account settings, no contact with us required.

independent audit

CASA Tier-2 audit completed.

Rythm completed an independent third-party CASA Tier-2 security assessment in 2026. All 39 of the test cases in scope passed. CASA is the audit Google requires for apps requesting sensitive Gmail OAuth scopes; it is a baseline for OAuth-connected email apps rather than a marketing badge.

managed allow list

Small and curated.

Rythm keeps a small, curated list of high-importance, low-velocity domains (major banks, court eFiling systems, the IRS and other government domains, shipping carriers). Mail from those specific domains lands without a cover charge, with DKIM verification on every message to guard against spoofing. The list is intentionally short. It is not a blanket pass-through for every transactional or two-factor email. For services you already use (your bank’s 2FA codes, your airline notifications), those reach you because the sender is on your personal guest list. If a sender from a new service ever lands in the held-for-review folder, rescue them once and they are on your guest list permanently.
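The fail-open design and the DKIM-checked allow list described above combine into one admission decision per inbound message. The block below is an added example, not Rythm's code: it reads the receiving mail server's Authentication-Results header (constructed here; the DKIM signature itself is assumed to have been verified by that server), admits an allow-listed domain only when a passing DKIM signature is aligned with the From domain, and wraps the whole check so that any failure in the protection layer delivers the message instead of blocking it. The allow list entries, guest list entry, decision labels and the `hasPaymentProof` flag standing in for the Cashu validate-and-melt step are all assumptions of this example.

```javascript
// Added example (not Rythm's code): fail-open admission gating with a
// DKIM-aligned managed allow list. All inputs below are constructed.

// Hypothetical managed allow list and personal guest list.
const MANAGED_ALLOW_LIST = new Set(["bank-example.com", "efile-example.gov"]);
const GUEST_LIST = new Set(["alice@example.com"]);

function domainOf(address) {
  const at = address.lastIndexOf("@");
  return at === -1 ? null : address.slice(at + 1).toLowerCase();
}

// Collect the header.d= domains that carry a passing DKIM result from an
// Authentication-Results header value such as
// "mx.example.net; dkim=pass header.d=bank-example.com; spf=pass ...".
function dkimPassDomains(authResults) {
  const passed = new Set();
  for (const clause of authResults.split(";")) {
    const m = /dkim=pass\b.*?header\.d=([^\s;]+)/i.exec(clause);
    if (m) passed.add(m[1].toLowerCase());
  }
  return passed;
}

// The protective check. It may throw (malformed input, mint unreachable, ...).
function classify(msg) {
  const fromDomain = domainOf(msg.from);
  if (fromDomain === null) throw new Error("malformed From address");
  if (GUEST_LIST.has(msg.from.toLowerCase())) return "deliver:guest-list";
  // Allow-listed domains admit only with an aligned passing DKIM signature:
  // a bare From header is trivially forgeable, and a pass for some other
  // signing domain says nothing about this one.
  if (MANAGED_ALLOW_LIST.has(fromDomain) && dkimPassDomains(msg.authResults).has(fromDomain)) {
    return "deliver:allow-list";
  }
  // Everything else is an unknown sender: a valid payment proof admits it.
  if (msg.hasPaymentProof) return "deliver:paid";
  return "hold:unknown-sender";
}

// Fail-open wrapper: any error in the protection layer delivers the message
// and records the failure, so an outage never costs the user mail.
function admit(msg, classifyFn = classify) {
  try {
    return { decision: classifyFn(msg), failedOpen: false };
  } catch (err) {
    return { decision: "deliver:fail-open", failedOpen: true, error: String(err.message) };
  }
}

// Constructed sample messages.
const SAMPLE_MESSAGES = {
  realBank: {
    from: "alerts@bank-example.com",
    authResults: "mx.example.net; dkim=pass header.i=@bank-example.com header.d=bank-example.com; spf=pass smtp.mailfrom=bank-example.com",
    hasPaymentProof: false,
  },
  spoofedBank: {
    from: "alerts@bank-example.com",
    authResults: "mx.example.net; dkim=none; spf=fail smtp.mailfrom=bulk-example.net",
    hasPaymentProof: false,
  },
  relayedBank: {
    from: "alerts@bank-example.com",
    authResults: "mx.example.net; dkim=pass header.d=bulk-example.net; spf=pass smtp.mailfrom=bulk-example.net",
    hasPaymentProof: false,
  },
  friend: { from: "Alice@example.com", authResults: "mx.example.net; dkim=none", hasPaymentProof: false },
  stranger: { from: "someone@unknown-example.org", authResults: "mx.example.net; dkim=none", hasPaymentProof: false },
  payingStranger: { from: "someone@unknown-example.org", authResults: "mx.example.net; dkim=none", hasPaymentProof: true },
};

// Stand-alone demonstration, including a simulated outage in the checker.
for (const [name, msg] of Object.entries(SAMPLE_MESSAGES)) {
  console.log(name, "->", admit(msg).decision);
}
console.log("outage ->", admit(SAMPLE_MESSAGES.stranger, () => { throw new Error("mint unreachable"); }));
```

Note the `relayedBank` case: a message whose From is an allow-listed bank but whose only passing DKIM signature belongs to a different domain is treated as an ordinary unknown sender. Requiring exact alignment between `header.d=` and the From domain is stricter than DMARC's relaxed mode and is a deliberate choice for a short, high-value allow list.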

Security FAQ

All muscle. No curiosity.
The bouncer’s job description.

Non-custodial by design. Fail-open. $1.65/month.