For IT and security teams evaluating Kelp for Google Workspace.
Hi — we're Alex and Jeremy, the cofounders of Kelp. We met studying Computer Science at Stanford in the 1990s and worked closely together in the early pre-IPO years at Google and Twitter. We built Kelp to be easy for security and IT teams to evaluate, with the privacy safeguards we'd want for our own companies.
This page is the short version: how we handle your users' data, which Google APIs we use and why, and the compliance work we've done. If you'd rather just talk to us, email security@trykelp.ai — we're happy to share our CASA report, fill out a questionnaire, or get on a call.
If you'd like to let your users sign in to Kelp, here's how to allow the OAuth app in your Workspace org. You'll need super-admin access to admin.google.com. The two things you'll need to identify Kelp:
85049188222-hro30vnvdknq5752v0tdun3fj86qicb8.apps.googleusercontent.com Kelp AIAllowing the app only authorizes Kelp to be granted access; individual users still sign in through Google's standard OAuth consent flow. If you'd rather roll out to a specific OU first, or want help validating the configuration, email security@trykelp.ai and we'll walk through it with you. Google's general docs on this flow are here.
Kelp has completed Google's Cloud Application Security Assessment (CASA) — the security audit Google requires of any application that asks for restricted Gmail scopes. CASA isn't a self-certification: it's run through the App Defense Alliance by accredited third-party assessors.
The audit checks an application against the OWASP Application Security Verification Standard (ASVS) — architecture, authentication, access control, data protection, cryptography, logging, and secure deployment. Passing CASA is a prerequisite for Google to grant production access to sensitive scopes, so it's not optional for an app like ours.
Sign-in is Google OAuth 2.0 with PKCE. We don't store passwords or manage credentials — users go through Google's standard consent flow.
Here are the scopes we ask for, and why:
openid email profile — basic identity, so we can create and recognize a user's
Kelp account.gmail.readonly — read message metadata and content so we can classify each inbound
message against the user's filters, and observe how the user handles their mail (for example,
a message marked as spam, a Kelp label removed, or a filter's label added by hand) so Kelp can
suggest improvements to their filtering.gmail.modify — apply the action a user has chosen for a matching filter
(archive, label, mark as read, move to Spam, or move to Trash). We need this because
Kelp's whole job is to act on inbound mail per the user's rules; without it, we could read
but not actually do anything. Note: gmail.modify is a coarse Google scope
that also grants the ability to compose and send mail, which is why Google's consent
screen renders it as "Read, compose, and send emails from your Gmail account." Kelp does not use those capabilities — we don't request the narrower gmail.send scope (or any send-related scope), and Kelp's codebase contains no send-message
path. Filters only categorize and triage existing mail.contacts.readonly and contacts.other.readonly — used to figure out
who the user has corresponded with. When we see a message from one of those contacts, we drop
it immediately and never save any information about it.We use Google API data only as the Google API Services User Data Policy and its Limited Use requirements allow. We don't sell user data, transfer it to data brokers, or use it for advertising.
Kelp is built around a small data footprint. We don't keep copies of message bodies, attachments, or contact lists. What we do retain — so users can review what was filtered and so Kelp can improve their filtering — is listed below.
Kelp uses Anthropic's Claude API in three ways: to classify inbound mail, to power the in-product assistant that helps users set up filters, and to run a periodic review that learns from how a user handles their mail and suggests filtering improvements. For each message we classify, we send the headers (From, To, Cc, Date, Subject), the user's filter prompts, the processed message body — converted from HTML to text and capped at 10 KB — and, when personalization is on, the user's profile, in a single classification call. The in-product assistant and the periodic review additionally draw on the user's learned filtering memory (see Data handling) as context.
Kelp keeps its own memory of a user's filtering preferences, but we don't use any of Anthropic's stateful features — no training, no fine-tuning, no Anthropic-side memory.
Per Anthropic's API data policy, customer inputs and outputs aren't used to train Anthropic's models, and content is kept only as needed to run the service and meet legal obligations. Kelp does not send Google user data to any other AI provider.
When the AI gets it wrong. Because classification is done by a large language model, a message can occasionally be filtered incorrectly — that risk is inherent to any AI system. Kelp is designed so a mistake is both recoverable and uncommon. Kelp itself never issues a permanent delete; its strongest actions move a message to Gmail's Spam or Trash, where it stays recoverable until Gmail's own retention window passes (about 30 days). Every action Kelp takes is recorded and can be reversed from the dashboard — putting the message back in the inbox and removing any label Kelp added — and the envelope preview above lets users see exactly what was filtered. To keep mistakes rare, Kelp only ever filters mail from senders outside your contacts and trusted list, and before a filter goes to work, Kelp checks it against your recent mail.
HttpOnly cookies; we
use a double-submit token for CSRF protection, with Secure and SameSite=Lax in production.For the user-facing details, see our Privacy Policy and Terms of Service.
For anything else — CASA report, security questionnaire, architecture deep-dive — email security@trykelp.ai and we'll get back to you quickly.