As an application dealing with work-related email, we recognize the importance of great security practices.
This document covers our security practices and policies. If you are interested in the data we collect and store, please see our privacy policy.
User authentication is handled by your email provider (Google) via the OAuth2 protocol. Enough Email does not have access to, and does not store, users' login credentials for their Google accounts, other than the temporary Google API access tokens necessary to provide the service.
Access to the Enough Email organisation is controlled via Google OAuth2 and the access configuration set by your account's organisation admin.
When configuring Enough Email for an organisation, the organisation admin is requested to grant only the absolutely minimal Google API scopes on behalf of the users in the organisation. Enough Email does not have access to email message contents or metadata. Enough Email has access to create and see Gmail filters and labels.
Application code and database are hosted on Render, which is a SOC 2 Type 2 compliant Platform as a Service provider.
All web traffic is encrypted using TLS 1.2, which is managed by Render with certificates provided by the letsencrypt.org Certificate Authority.
In the database, all personally identifiable information is encrypted at rest using the AES-256-GCM encryption algorithm.
Logs are retained for 31 days, after which they are permanently deleted.
No. Enough Email only has access to create Gmail filters and labels. Your emails do not travel through our services and remain within Google's systems, where their flow and filtering are controlled by the logic and the rules configured by Enough Email. The only emails that Enough Email can access are the ones forwarded to us by users with the intention of creating a filter.
All our income is from our user subscriptions, and we do not and will not make any money from user data. We collect some usage information that we can use to improve our services and guide the direction of the product, as well as to help our users with their support queries. We track actions like:
Users are identified in our system by their email address and a link to their Google user account profile. We don't attempt to collect any demographic information, and don't log IP addresses on incoming connections.
We strive to provide the best security there is, but we're a small organisation and are more focussed on security practices than certifications at the moment.
If you'd like to ask any questions or inform us about any security concerns, please email us.