Yesware takes user privacy and security very seriously. This page provides an overview of our security policies and technology.
Last Updated: June 29, 2018
Yesware utilizes OAuth and OpenID® for user authentication. We never have access to our users' Gmail™ or Office365® passwords.
Yesware utilizes OAuth for API access to salesforce.com. We never have access to our users’ Salesforce® passwords.
On first use of the Yesware browser extension and of the Yesware/Salesforce® integrated service, we require that all users go through the OAuth process.
As we integrate with additional CRM systems, we will continue to prefer OAuth and other forms of delegated authentication.
Data We Collect
To enable Yesware features, we collect and store information about the inbound and outbound email activity of our users. We store a permanent copy of metadata (including header information and subject line) for outbound mail, and for inbound replies to those messages.
We do not store any permanent copies of the bodies of your email messages. For some CRM integration features, we store a temporary copy of message bodies until this data has been properly passed on to your CRM system; once this data has safely been recorded by your CRM, we delete it from our systems. This temporary data is stored in encrypted form; at no point do we store plaintext message body data.
Though our browser extension requires certain permissions (to open tabs and run scripts) and may request access to other websites, we do not monitor your web browsing activity. Our extension does not access or modify your data on any other websites beyond those needed by the Yesware application.
As you use the Yesware portal (https://app.yesware.com), our servers collect usage data about which features are being used. We use this data for debugging, customer service and capacity planning.
We use leading third-party payment processors Zuora® and Stripe® for credit card payments. When you enter your credit card information on our site, that information is sent directly to Stripe® or Zuora®. We never have access to, nor do we store, your credit card information.
For some features, we request access to user data on other services, including OAuth access to Google Contacts and Gmail® data via IMAP, and OAuth or other access to CRM systems. We treat these credentials as highly secure information, which we keep on your behalf, and we encrypt these credentials before storing them. You may revoke these credentials at the issuer at any time, or we will destroy them when asked.
Access to Systems
All interaction between Gmail® and our application occurs over a secure TLS connection. All web reports and account management activities are likewise performed over a secure TLS connection.
We host our systems with industry-leading cloud PaaS and IaaS providers, including Salesforce's Heroku™, mLab™, RedisLabs™, and Amazon Web Services. We use strong passwords and multi-factor authentication for these services, and limit access to only those Yesware staff and systems which have a legitimate need.
Incident Response and Remediation
We monitor our systems 24/7/365 with a variety of performance measurement and error-checking tools. When problems are detected, our ops team is notified immediately, and the issues are investigated.
When a serious incident occurs, or a long interval of downtime is anticipated, we notify our users via our blog, Twitter and/or email.
We work closely with our hosting providers to ensure that underlying systems remain secure, and any security breaches are investigated, patched and remediated promptly.
Our system operations are logged extensively, and the logs are stored for at least a 30-day period in the cloud. If needed, these logs may be mined to investigate incidents or to reconstruct a chain of events.
Should a security breach occur, we will promptly notify affected users of the nature and extent of the breach, and take steps to minimize any damage.
We perform regular vulnerability scans of our Internet-facing applications using accredited industry standard tools to identify issues we need to fix. We are making this a standard practice for new features and infrastructure that we deploy.
When potential vulnerabilities are identified, we triage them immediately. For critical vulnerabilities (P1), remediation work begins immediately and the fix is deployed as soon as it is available. For serious vulnerabilities (P2), work also begins immediately, and fixes are deployed within 24 hours. Minor and trivial vulnerabilities (P3 and P4) cause work to be scheduled alongside feature work.
Data Confidentiality and Retention
Access to customer data by Yesware employees is limited to an as-needed basis (e.g., to resolve customer issues). When such access is required, only personnel with a direct need will access the data, and such access will be limited as much as possible. Breach of this policy by a Yesware employee is a serious matter, requiring investigation and appropriate disciplinary action, up to and including termination as well as legal action.
When requested, we will destroy a user's account, removing all customer data associated with that account.
We store backups of portions of our data in the cloud, and our maximum retention period for backups is 90 days.
Audits and Compliance
At Yesware, our goal is to be the most trusted vendor in our space. We achieve this by:
- Being transparent with our customers
- Meeting and exceeding established best practices
Cloud Shared Responsibility Model
The Yesware platform is primarily built on Salesforce's Heroku™ platform, which in turn runs within the AWS infrastructure, and uses additional AWS services such as S3. As such, Yesware inherits the control environment which AWS maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications.
SOC 2 Type II
Statement on Standards for Attestation Engagements (SSAE) No. 18 is an American auditing standard issued by the American Institute of Certified Public Accountants (AICPA) and is used to create SOC 1 and SOC 2 branded reports. The SSAE 18 audit report is aligned with the International Standard on Assurance Engagements (ISAE) No. 3402 auditing standard. This allows the report to be recognized both in the U.S. and throughout the world.
A Service Organization Control (SOC) 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report. SOC 2 reports are based on the AICPA Trust Services Principles and Criteria under AT Section 101.
Yesware maintains a current SOC 2, Type II report with our most recent examination in June of 2017. Yesware received a favorable and unbiased opinion from a third party auditor validating our SOC 2 compliance with no exceptions or control deviations. We’re happy to share our report with customers under our mutual non-disclosure agreement (NDA).
Yesware has been awarded the Skyhigh CloudTrust™ rating of Enterprise-Ready. Skyhigh Enterprise-Ready cloud services fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
Salesforce.com Security Review
Yesware successfully passed the Salesforce.com Security Review and is listed on the Salesforce AppExchange®.
Reporting Security Issues
At Yesware, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. We have implemented a responsible disclosure policy to ensure that problems are addressed quickly and safely.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
Please do the following:
- E-mail your findings to firstname.lastname@example.org. Encrypt your findings using our PGP key (below) to prevent this critical information from falling into the wrong hands.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- You may not use automated tools in your research without our explicit consent. Use of automated tools may result in investigative action or your IP(s) being blocked.
What we promise:
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
- We credit the first researcher to report an issue. Additionally, we reserve the right to only acknowledge researchers who discover issues in Yesware products or services, if we determine the issue to be of a high or critical severity, or if there has been continued research or contributions made by the reporter.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
- We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
You can find our PGP key below. You may use this key to encrypt your communication with us. (You can learn more about PGP here.)
We would like to extend our thanks to the following people and organizations for making our infrastructure more secure:
- Orkhan Yolchuyev
- Ismail Tasdelen
- Aniruddh Mistry
- Gaurav Gera
- Koen Rouwhorst
- Pal Patel
- Jaikey Sarraf
- Fredrik Nordberg Almroth
- Rafael Pablos
- Jitendra Jaiswal
- Nakul Mohan (@Anonymous_India)
- Navaid Zafar Ansari & Zeeshan Sultan
- Harikrishna Valugonda
- Ehraz Ahmed
- Umraz Ahmed
- Dibyendu Sikdar
- Jay Turla of HP Fortify
- Rodolfo Godalle, Jr.
- Tarek Siddiki
- Jose Pino
- Prem Kumar
- Evan Ricafort
- Clifford Trigo
- Rakesh Singh & Harish Kumar & Sandeep Sodhi
- Muhammad Shahmeer
- Kamil Sevi
- Jayvardhan Singh & Parichay Rai
- Ali Hassan Ghori
- Muhammad Talha Khan
- Lokesh Kumar
- SaifAllah benMassaoud
- Hamza Fourtassi
- Ashesh Kumar
- Waqar Vicky
- Gaurang Bhatnagar
- Muhammad Osama
- Kiran Karnad
- Raja Uzair Abdullah
- Muhammad Zeeshan
- Othmane Tamagart
- Zee Shan
- Daniel Nasir
- Melbin Francis
- Guilherme Scombatti
- Karl Aparece
- Hisham Mir
- Zawad Bin Hafiz
- Aworunse Matthew Temmy