Enough Email Security

Introduction

As an application dealing with work-related email, we recognize the importance of great security practices.

This document covers our security practices and policies. If you are interested in the data we collect and store, please see our privacy policy.

General practices

  • Access to servers, source code, and tools and services is secured with multi-factor authentication.
  • We use strong, randomly-generated passwords that are never re-used.
  • Access to production systems is given to employees and contractors only when absolutely necessary to help our customers with support issues and provide high quality services.
  • We update code dependencies immediately whenever a known security vulnerability is announced. This is done using automated security vulnerability detection tools.
  • On rare occasions when a copy of production data needs to be made for testing purposes, all personally identifiable information is scrubbed or obfuscated.

Authentication

User authentication is handled by your email provider (Google) via the OAuth2 protocol. Enough Email does not have access to, and does not store, users' login credentials for their Google account, other than the temporary Google API access tokens necessary to provide the service.

Access to an Enough Email organisation is controlled via Google OAuth2 and the access configuration set by your account's organisation admin.

Access to your Google account

When configuring Enough Email for an organisation, the organisation admin is requested to grant only the absolutely minimal Google API scopes on behalf of the users in the organisation. Enough Email does not have access to email message contents or metadata. Enough Email has access to create and see GMail filters and labels.

Servers

Application code and database are hosted on Render, which is a SOC 2 Type 2 compliant Platform as a Service provider.

Encryption

All web traffic is encrypted using TLS 1.2, which is managed by Render with certificates issued by the letsencrypt.org Certificate Authority.

In the database, all personally identifiable information is encrypted at rest using the AES 256 GCM encryption algorithm.

Data retention/logging

Logs are retained for 31 days, after which they are permanently deleted.

FAQs

Can Enough Email see my emails?

No. Enough Email only has access to create GMail filters and labels. Your emails do not travel through our services and remain within Google's systems, where their flow and filtering are controlled by the logic and the rules configured by Enough Email. The only emails that can be accessed by Enough Email are the ones forwarded to us by users with the intention of creating a filter.

What user data do you collect?

All our income is from user subscriptions, and we do not and will not make any money from user data. We collect some usage information that we use to improve our services and guide the direction of the product, as well as to help our users with their support queries. We track actions like:

  • Log-In and Log-Out events
  • Interaction with features of the web app (e.g. applying filter rules, enabling Slack audit trail)
  • Crashes and other errors
  • Changes in organization configuration/settings
  • Filter creation via email forwarding
  • Filter effectiveness via the counts of email messages under GMail labels

Users are identified in our system by their email address and a link to their Google user account profile. We don't attempt to collect any demographic information, and we don't log IP addresses on incoming connections.

Are you SOC 2 or ISO 27001 certified?

We strive to provide the best security there is, but we're a small organisation and are more focussed on security practices than certifications at the moment.

Contact

If you'd like to ask any questions or inform us about any security concerns, please email us.