Yesware takes user privacy and security very seriously. This document provides an overview of our security policies and technology. We are happy to discuss any of these points in more details with concerned customers.
Last Updated: July 25, 2016
Yesware utilizes OAuth and OpenID® for user authentication. We never have access to our users' Gmail™ or Office365® passwords.
Yesware utilizes OAuth for API access to salesforce.com. We never have access to our users’ Salesforce® passwords.
On first use of the Yesware browser extension and of the Yesware/Salesforce® integrated service, we require that all users go through the OAuth process.
As we integrate with additional CRM systems, we will continue to prefer OAuth and other forms of delegated authentication.
Data We Collect
To enable Yesware features, we collect and store information about the inbound and outbound email activity of our users. We store a permanent copy of metadata (including header information and subject line) for outbound mail composed using Yesware, and for inbound replies to those messages.
We do not store any permanent copies of the bodies of your email messages. For some CRM integration features, we store a temporary copy of message bodies until this data has been properly passed on to your CRM system; once this data has safely been recorded by your CRM, we delete it from our systems. This temporary data is stored in encrypted form; at no point do we store plaintext message body data.
Though our browser extension requires certain permissions to open tabs and run scripts, and may request access to other websites, we do not monitor your web browsing activities. Our extension does not access or modify your data on any other websites, beyond those needed by the Yesware application.
As you use the Yesware portal https://app.yesware.com our server collects usage data about the features being utilized. We use this data to assist us in debugging, for customer service and capacity planning.
We use leading third-party payment processor Zuora® for credit card payments. When you enter your credit card information on our site that information is sent directly to Zuora®. We never have access to, nor do we store, your credit card information.
For some features, we request access to user data on other services, including OAuth access to Google Contacts and Gmail® data via IMAP, and OAuth or other access to CRM systems. We treat these credentials as highly secure information, which we keep on your behalf, and we encrypt these credentials before storing them. You may revoke these credentials at the issuer at any time, or we will destroy them when asked.
Access to Systems
All interaction between Gmail® and our application occurs over a secure TLS connection. All web reports and account management activities are likewise performed over a secure TLS connection.
We host our systems with industry leading cloud PaaS and IaaS providers, including Salesforce's Heroku™, mLab™, RedisLabs™, and Amazon Web Services. We use strong passwords and multi-factor authentication for these services, and limit access to only Yesware staff and systems which have a legitimate need.
Incident Response and Remediation
We monitor our systems 24/7/365 with a variety of performance measurement and error-checking tools. When problems are detected, our ops team is notified immediately and the issues are investigated.
When a serious incident occurs, or a long interval of downtime is anticipated, we notify our users via our blog, Twitter and/or email.
We work closely with our hosting providers to ensure that underlying systems remain secure, and any security breaches are investigated, patched and remediated promptly.
Our system operations are logged extensively, and the logs are stored for at least a 30-day period in the cloud. If needed, these logs may be mined to investigate incidents or to reconstruct a chain of events.
Should a security breach occur, we will promptly notify affected users of the nature and extent of the breach, and take steps to minimize any damage.
We perform regular vulnerability scans of our Internet facing applications using accredited industry standard tools to identify issues we need to fix. We are making this a standard practice for new features and infrastructure that we deploy.
When potential vulnerabilities are identified, we triage them immediately. Critical vulnerabilities (P1) cause remediation work to begin immediately, which is deployed as soon as a fix is available. Serious vulnerabilities (P2) also cause work to begin immediately, and fixes are deployed within 24 hours. Minor and trivial vulnerabilities (P3 and P4) cause work to be scheduled alongside feature work.
Data Confidentiality and Retention
Access to customer data by Yesware employees is limited to an as-needed basis (e.g., to resolve customer issues). When such access is required, only personnel with a direct need will access the data, and such access will be limited as much as possible. Breach of this policy by a Yesware employee is a serious matter, requiring investigation and appropriate disciplinary action, up to and including termination as well as legal action.
When requested, we will destroy a user's account, removing all customer data associated with that account.
We store backups of portions of our data in the cloud, and our maximum retention period for backups is 90 days.
Audits and Compliance
At Yesware, our goal is to be the most trusted vendor in our space. We achieve this by:
- Being transparent with our customers
- Meeting and exceeding established best practices.
Cloud Shared Responsibility Model
The Yesware platform is primarily built on Salesforce’s Heroku™ platform, which in-turn runs within the AWS infrastructure, and uses additional AWS services such as S3. As such, Yesware inherits the control environment which AWS maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications.
SSAE16 SOC 2
Statement on Standards for Attestation Engagement (SSAE) No. 16 is an American auditing standard issued by the American Institute of Certified Public Accountants (AIPCA) and is used to create a SOC 2 branded report. The SSAE 16 audit report is aligned with the International Standards for Assurance Engagements (ISAE) No. 3402 auditing standard. This allows for the report to be recognized both in the U.S. and throughout the world.
A Service Organization Control (SOC) 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report. SOC 2 reports are based on the AICPA Trust Services Principles and Criteria under AT Section 101.
After completing our initial SOC 2 examination in June of 2016, Yesware received a favorable and unbiased opinion from a third party auditor validating our SOC 2 compliance. We’re happy to share our report with customers under our mutual non-disclosure agreement (NDA).
Yesware has been awarded the Skyhigh CloudTrust™ rating of Enterprise-Ready. Skyhigh Enterprise-Ready cloud services fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
Salesforce.com Security Review
Yesware successfully passed the Salesforce.com Security Review, and is listed on the Salesforce AppExchange®.
Reporting Security Issues
At Yesware, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. We have implemented a responsible disclosure policy to ensure that problems are addressed quickly and safely.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
Please do the following:
E-mail your findings to firstname.lastname@example.org. Encrypt your findings using our PGP key (below) to prevent this critical information from falling into the wrong hands.
Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
Do not reveal the problem to others until it has been resolved.
Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
What we promise:
You may not use automated tools in your research without our explicit consent. Use of automated tools may result in investigative action or your IP(s) being blocked.
We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
We credit the first researcher to report an issue. Additionally, we reserve the right to only acknowledge researchers who discover issues in Yesware products or services, if we determine the issue to be of a high or critical severity, or if there has been continued research or contributions made by the reporter.
If you have followed the instructions above, we will not take any legal action against you in regard to the report.
We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
We will keep you informed of the progress towards resolving the problem.
In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
You can find our PGP key below. You may use this key to encrypt your communication with us. (You can learn more about PGP here.)
-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFEb6DIBCADCSEOA+357rApk2ISZ3TRA+1/wTDPK8T9MPIaBSBXURxO4MOOg 4MrQRsAl/XjdIDcbVaWkbWbB4buMvDXdihK4wOPk/SH5V/C8TezZETR01BxCmTm1 BGlHsDR/Gduprr2rEKH4E9Qz1c2L7WbZd0PWsKE374nTYRqtKS0WE0VWSwD7O2+1 9tvYeOsr2JMSCuV1z6KhhfPCZRBMa1ThsKH+rfPbmeFGrnvAItXZey1DUtODZKQS BpgPhowyQG9/2icNiLuURj13pF252uQhL/wZZyMdKkzjJBZxmN8mNoSPymc7sHzn 0etwFeLxoPY5lluP4BrT1HWYJex2DxGEQquxABEBAAG0Olllc3dhcmUgU2VjdXJp dHkgKFllc3dhcmUgU2VjdXJpdHkpIDxzZWN1cml0eUB5ZXN3YXJlLmNvbT6JATYE EwECACAFAlEb6DICGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAKkv1SHQ/2 EeibB/oCmfeXC1V13LBAYWQrQNxRgiRN75EBCZ7XajaU75j+hxajIzwVi4Q6E8/Q KrHDvYeev1XHAnUX5aK6o3P34QVyeRshEmNiqM52ffJWxekFo8xoe2lHKUfH5Q1n IfGsIg9mQzBA/tVUVRJTCL6pg+18w9Cfh9ur6tYFSWFwM0ngFGJfmjCGQrkVZeNN QTWmdFTSUDAZg7oN6k2bXDTk5HdeC2TYcurU0+vEVYYOSJ3hwhbi9mrGC9KYREyl UkdXU/5lxyNHl76cmVJ9CwSFVGqR6X7ukcAZO4AUlGWRHJXjrLEdqyKJEyrIyoH5 6P+3Wv59/keyDlp3bscO4B2d85pM =1neY -----END PGP PUBLIC KEY BLOCK-----
We would like to extend our thanks to the following people and organizations for making our infrastructure more secure:
- Jaikey Sarraf
- Fredrik Nordberg Almroth
- Rafael Pablos
- Jitendra Jaiswal
- Nakul Mohan (@Anonymous_India)
- Navaid Zafar Ansari & Zeeshan Sultan
- Harikrishna Valugonda
- Ehraz Ahmed
- Umraz Ahmed
- Dibyendu Sikdar
- Jay Turla of HP Fortify
- Rodolfo Godalle, Jr.
- Tarek Siddiki
- Jose Pino
- Prem Kumar
- Evan Ricafort
- Clifford Trigo
- Rakesh Singh & Harish Kumar & Sandeep Sodhi
- Muhammad Shahmeer
- Kamil Sevi
- Jayvardhan Singh & Parichay Rai
- Ali Hassan Ghori
- Muhammad Talha Khan
- Lokesh Kumar
- SaifAllah benMassaoud
- Hamza Fourtassi
- Ashesh Kumar
- Waqar Vicky
- Gaurang Bhatnagar
- Muhammad Osama
- Kiran Karnad
- Raja Uzair Abdullah
- Muhammad Zeeshan
- Othmane Tamagart
- Zee Shan
- Daniel Nasir
- Melbin Francis
- Guilherme Scombatti
- Karl Aparece
- Hisham Mir
- Zawad Bin Hafiz
- Aworunse Matthew Temmy