Moss’s Email Suppliers feature allows authorised users to connect supported business mailboxes from Google (Gmail) and Microsoft Outlook and send emails from Moss using those addresses.
This article describes the measures we take to keep this process secure.
1. Limited connection
The connection flow is designed so that only explicitly authorised senders can be connected, and each connection can be revoked again.
Individual consent required
Each mailbox must be connected through the email provider's OAuth consent flow by the person authorising that address. Moss only creates an authorised sender after the provider confirms the connection.
Signed and time-limited connection attempts
Each connection attempt is protected with a signed OAuth state parameter, a cryptographic nonce, and a 10-minute validity window. The signed state ties the provider's callback to the attempt that started it, and the nonce ties the identity token returned by the provider to that same attempt. An attempt that has been completed or has expired cannot be reused.
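The following is an added illustration of this pattern, written for this article; it is not Moss's own code, and the key, identifiers and store are constructed stand-ins. It issues a state of the form attemptID.expiry.HMAC, keeps the nonce server-side, and on callback checks signature, expiry and single use before handing the attempt back:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"sync"
	"time"
)

// stateKey is a constructed example secret; load it from a secret store in practice.
var stateKey = []byte("constructed-example-state-signing-key")

const stateTTL = 10 * time.Minute // the 10-minute validity window described above

// connectAttempt is what the server persists for one in-flight connection.
type connectAttempt struct {
	OrgID, ActorID, Provider string
	Nonce                    string // also sent to the provider as the OIDC nonce
	ExpiresAt                time.Time
	Consumed                 bool // set on the first successful callback
}

// attemptStore stands in for the attempts table; the mutex plays the role of
// the atomic "mark used" update a real table needs to stop concurrent replays.
type attemptStore struct {
	mu       sync.Mutex
	attempts map[string]*connectAttempt // keyed by attempt ID
}

func randomToken(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to start an attempt
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// sign computes the HMAC-SHA256 tag over "attemptID.expiryUnix".
func sign(payload string) string {
	mac := hmac.New(sha256.New, stateKey)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// issueState records a new attempt and returns the state for the authorization
// URL plus the nonce to send in the OIDC request.
func (s *attemptStore) issueState(orgID, actorID, provider string, now time.Time) (state, nonce string) {
	id := randomToken(16)
	nonce = randomToken(16)
	exp := now.Add(stateTTL)
	s.mu.Lock()
	s.attempts[id] = &connectAttempt{OrgID: orgID, ActorID: actorID, Provider: provider, Nonce: nonce, ExpiresAt: exp}
	s.mu.Unlock()
	payload := id + "." + strconv.FormatInt(exp.Unix(), 10)
	return payload + "." + sign(payload), nonce
}

// consumeState checks signature, expiry and single use, then marks the attempt
// consumed. Any error means the callback must be rejected.
func (s *attemptStore) consumeState(state string, now time.Time) (*connectAttempt, error) {
	parts := strings.Split(state, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed state")
	}
	payload := parts[0] + "." + parts[1]
	if subtle.ConstantTimeCompare([]byte(sign(payload)), []byte(parts[2])) != 1 {
		return nil, errors.New("state signature mismatch")
	}
	expUnix, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || !now.Before(time.Unix(expUnix, 0)) {
		return nil, errors.New("state expired")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	a, ok := s.attempts[parts[0]]
	if !ok || a.Consumed {
		return nil, errors.New("unknown or already used state")
	}
	a.Consumed = true
	return a, nil
}

func main() {
	store, now := &attemptStore{attempts: map[string]*connectAttempt{}}, time.Now()
	state, _ := store.issueState("org-1", "user-1", "google", now)
	_, first := store.consumeState(state, now.Add(time.Minute))
	_, second := store.consumeState(state, now.Add(2*time.Minute))
	fmt.Println("first use:", first, "| replay:", second)
}
```

The signature is checked before the store is consulted, so a forged state never causes a database read, and the expiry travels inside the signed payload so it cannot be extended by the client.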
Only validated senders are stored
After a successful OAuth callback, Moss extracts the sender address from the provider identity token and stores it as an authorised sender only after validating the provider response. Duplicate sender registrations for the same organisation and provider are prevented.
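As an added illustration of the callback-side checks (written for this article, not Moss's own code), the example below takes an identity token whose signature has already been verified against the provider's published keys, accepts the address only when issuer, audience, expiry, nonce and email_verified all hold, and then applies the per-organisation, per-provider uniqueness rule. Issuer and client identifiers are constructed stand-ins:

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

// idTokenClaims is the subset of an OIDC ID token the callback relies on. The
// token signature is assumed to have been verified before this point.
type idTokenClaims struct {
	Issuer, Audience, Subject, Email, Nonce string
	EmailVerified                           bool
	ExpiresAt                               time.Time
}

// senderFromClaims returns the address to register, or an error if any claim
// fails to bind the token to this client and this connection attempt.
func senderFromClaims(c idTokenClaims, expectedIssuer, clientID, expectedNonce string, now time.Time) (string, error) {
	switch {
	case c.Issuer != expectedIssuer:
		return "", errors.New("unexpected issuer")
	case c.Audience != clientID:
		return "", errors.New("token was not issued to this client")
	case !now.Before(c.ExpiresAt):
		return "", errors.New("token expired")
	case expectedNonce == "" || subtle.ConstantTimeCompare([]byte(c.Nonce), []byte(expectedNonce)) != 1:
		return "", errors.New("nonce does not belong to this attempt")
	case c.Subject == "" || c.Email == "" || !c.EmailVerified:
		return "", errors.New("no verified email address in token")
	}
	return strings.ToLower(strings.TrimSpace(c.Email)), nil
}

// senderRegistry stands in for the authorised-sender table and its uniqueness
// rule on (organisation, provider, address).
type senderRegistry struct {
	rows map[string]bool
}

func (r *senderRegistry) register(orgID, provider, email string) error {
	key := orgID + "|" + provider + "|" + email
	if r.rows[key] {
		return fmt.Errorf("%s is already connected for %s via %s", email, orgID, provider)
	}
	r.rows[key] = true
	return nil
}

func main() {
	now := time.Now()
	claims := idTokenClaims{Issuer: "https://issuer.example", Audience: "client-abc", Subject: "sub-1",
		Email: "Buyer@Example.com", EmailVerified: true, Nonce: "nonce-1", ExpiresAt: now.Add(time.Hour)}
	addr, err := senderFromClaims(claims, "https://issuer.example", "client-abc", "nonce-1", now)
	fmt.Println(addr, err)
	reg := &senderRegistry{rows: map[string]bool{}}
	fmt.Println(reg.register("org-1", "google", addr), reg.register("org-1", "google", addr))
}
```

The nonce comparison is what stops an identity token obtained in one attempt from being replayed into another; the address is normalised before it is stored so that case and whitespace variants cannot bypass the duplicate check.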
Organisation-shared access
A connected sender can be created as an organisation-shared sender, so that other users in the same organisation can send from it. Organisation admins can manage the organisation's connected senders.
Disconnect at any time
An authorised sender can be removed at any time. When a sender is disconnected, the refresh token linked to that sender is deleted as well, so Moss can no longer obtain access tokens for that mailbox. Deleting the token on the Moss side does not by itself withdraw the consent recorded at the provider; that can additionally be done from the connected-app settings of the Google or Microsoft account.
2. Limited permissions and use
The Email Suppliers feature is built to use the smallest practical level of provider access and to keep message sending constrained to approved business flows.
Send-only provider permissions
For Gmail, Moss requests the gmail.send scope (https://www.googleapis.com/auth/gmail.send), which permits sending mail only.
For Microsoft Outlook, Moss requests the Microsoft Graph Mail.Send delegated permission, which likewise permits sending only.
In both cases, Moss also requests the basic OpenID Connect identity scopes needed to complete the OAuth login flow and identify the connected sender's address.
No mailbox reading or scanning
The Email Suppliers feature does not scan inboxes, search mailbox content, download emails, or access calendar entries. The connected account is used to send emails only.
Controlled sender and reply-to
Before an email is sent, Moss validates that the selected sender matches the sender configured for the template and that the reply-to address matches the configured template value. This prevents using a connected mailbox outside the intended template setup.
Limited template scope
Email sending is tied to supported business flows such as invoices, payment confirmations, and purchase requests. Template placeholders are resolved only from the referenced business entity needed for that flow.
Limited attachment sources
Attachments are limited to files uploaded with the request or files retrieved by ID and scoped to the requesting organisation. Moss does not pull arbitrary files from the connected mailbox.
Access control for sending
A user can only send emails with their own connected sender or with a sender that has explicitly been shared with the organisation.
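The sender and reply-to validation and the access rule above combine into one authorisation gate before anything is sent. The following is an added example of such a gate, written for this article and not Moss's own code; the record types, identifiers and addresses are constructed stand-ins:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// authorisedSender is a connected mailbox. OwnerID is the actor who completed
// the consent flow; OrgShared marks an organisation-shared sender.
type authorisedSender struct {
	ID, OrgID, OwnerID, Address string
	OrgShared                   bool
}

// emailTemplate holds the sender and reply-to configured for one business flow.
type emailTemplate struct {
	ID, OrgID, SenderID, ReplyTo string
}

// sendRequest is what a user submits when sending from a template.
type sendRequest struct {
	ActorID, OrgID, TemplateID, SenderID, ReplyTo string
}

type sendAuthoriser struct {
	senders   map[string]authorisedSender
	templates map[string]emailTemplate
}

func sameAddress(a, b string) bool {
	return strings.EqualFold(strings.TrimSpace(a), strings.TrimSpace(b))
}

// authorise returns the sender to use or an error. Organisation scoping is
// checked first so a denial reveals nothing about other organisations' records.
func (s *sendAuthoriser) authorise(req sendRequest) (authorisedSender, error) {
	var none authorisedSender
	tpl, ok := s.templates[req.TemplateID]
	if !ok || tpl.OrgID != req.OrgID {
		return none, errors.New("template not found")
	}
	snd, ok := s.senders[req.SenderID]
	if !ok || snd.OrgID != req.OrgID {
		return none, errors.New("sender not found")
	}
	if snd.OwnerID != req.ActorID && !snd.OrgShared {
		return none, errors.New("sender is neither yours nor shared with the organisation")
	}
	if tpl.SenderID != snd.ID {
		return none, errors.New("sender does not match the template's configured sender")
	}
	if !sameAddress(tpl.ReplyTo, req.ReplyTo) {
		return none, errors.New("reply-to does not match the template's configured value")
	}
	return snd, nil
}

func main() {
	auth := &sendAuthoriser{
		senders: map[string]authorisedSender{
			"snd-1": {ID: "snd-1", OrgID: "org-1", OwnerID: "alice", Address: "ap@example.com", OrgShared: true},
		},
		templates: map[string]emailTemplate{
			"tpl-invoice": {ID: "tpl-invoice", OrgID: "org-1", SenderID: "snd-1", ReplyTo: "ap@example.com"},
		},
	}
	_, err := auth.authorise(sendRequest{ActorID: "bob", OrgID: "org-1", TemplateID: "tpl-invoice",
		SenderID: "snd-1", ReplyTo: "bob@attacker.example"})
	fmt.Println("tampered reply-to:", err)
}
```

The request carries the reply-to the caller wants, but the template's configured value is the only one that passes, so a user cannot redirect replies to an invoice away from the configured mailbox even when they are allowed to use the sender.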
3. Limited storage
We only store the data required to operate the feature securely and traceably.
Refresh tokens are encrypted
OAuth refresh tokens are encrypted before they are stored in the database and are only decrypted when they are needed to obtain a fresh access token for sending.
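As an added illustration of encrypting a refresh token at rest (written for this article; not Moss's own code, and the key and identifiers are constructed stand-ins), the example below uses AES-256-GCM with a fresh random nonce per record and binds the sender ID in as additional authenticated data, so a ciphertext copied onto a different sender's row fails to decrypt:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// tokenVault encrypts refresh tokens with AES-256-GCM under a key that lives
// outside the database (a KMS, HSM or secret manager). The key is supplied by
// the caller; the one used in main below is a constructed example.
type tokenVault struct {
	aead cipher.AEAD
}

func newTokenVault(key []byte) (*tokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &tokenVault{aead: aead}, nil
}

// seal returns nonce || ciphertext || tag for storage. senderID is bound in as
// additional authenticated data so the blob is only valid for that sender row.
func (v *tokenVault) seal(senderID string, refreshToken []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, refreshToken, []byte(senderID)), nil
}

// open decrypts a stored blob for the given sender. It is meant to be called
// only at the moment a fresh access token is needed, and the plaintext must not
// be cached or logged by the caller.
func (v *tokenVault) open(senderID string, blob []byte) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(blob) < n+v.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(senderID))
	if err != nil {
		return nil, errors.New("refresh token failed authentication") // no detail leaks
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed example key; use a managed key in practice
	v, _ := newTokenVault(key)
	blob, _ := v.seal("sender-123", []byte("constructed-example-refresh-token"))
	fmt.Printf("stored %d bytes; the plaintext never reaches the database\n", len(blob))
	if _, err := v.open("sender-999", blob); err != nil {
		fmt.Println("blob moved to another sender row:", err)
	}
}
```

Deleting a sender then means deleting its blob; because the key never lives next to the ciphertext, a database dump alone does not expose any refresh token.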
We store only the sender data we need
Moss stores the connected sender address, provider, organisation and actor ownership, token reference, and operational timestamps required to manage the connection.
We do not store mailbox contents
Because the Email Suppliers feature does not read mailbox content, Moss does not store emails, drafts, inbox contents, or calendar items as part of this feature.
Changes are auditable
Connection attempts, authorised senders, and token records are written with audit logging so that changes to these records can be traced.
If you have any questions or concerns about using the Email Suppliers feature, please reach out to our support team at support@getmoss.com.
