Last Revised: 15 October, 2019
Effective Date: 17 February, 2019
The security and privacy of your information is important to us, and we maintain a variety of appropriate technical and procedural safeguards to protect your personal data in an effort to prevent loss, misuse, unauthorised access, disclosure, alteration, or destruction.
No person employed by, or affiliated with, Sortd has access to personal data about you unless we believe they have a legitimate business need to access that information in order to provide products or services to you or to do their jobs (such as customer support). No Sortd staff have routine access to your email.
Please be aware, however, that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can guarantee against any interception or any other type of misuse.
Sortd uses the industry standard OAuth process to authenticate you and access your Google account and as such Sortd does not know, see or store, your access credentials. All communication between Sortd’s applications and Sortd backend systems, as well as the communication between Sortd and Google’s systems, is secured with TLS (SSL) v1.2 (or higher) encryption.
You, however, must keep your password/login credentials confidential and not disclose them to any other person. Disclosure of your login credentials, intentional or otherwise, will negate any security we put in place. Consequently, you are responsible for all uses of the Service by any person using your password. Therefore, please advise us immediately if you believe your login credentials have been misused.
During the OAuth process you will be asked to give Sortd permission to access your Google account. These permissions are required in order for the Service(s) to provide the functionality of the Sortd offering.
Additional permissions may be requested depending on which Sortd tools you make use of; for example the Sortd Chrome Extension will ask for permissions that are unique to Chrome Extensions, whereas the mobile application(s) and Gmail Add-on will ask for different sets of permissions.
These are the initial permissions you grant when logging in to the Service for the first time and are required in order to make use of the Services.
These permissions enable the Service to access your Google account through Google-controlled interfaces for activities which cannot be done simply through the Gmail website. These permissions also allow the Services to obtain some basic information about you, such as your email address and name.
When you grant these permissions, Google provides Sortd with security tokens using the industry standard OAuth mechanism. Sortd never receives your Gmail password, and you can revoke the Sortd security tokens (and hence the permissions) at any time via the Google security tools.
During the OAuth process Sortd will request permissions to Gmail, which Google may display as the ability to:
These permissions are required in order to allow the Service to interact with your email and to perform offline actions such as sending reminders even when you are not in front of your computer using the Service.
The permissions are required because of the way the permissions system works on Gmail. Sortd does NOT read the content of your email. Additionally, Sortd will never delete your email unless you specifically ask it to, or it is performing a shared email sync, which causes the old email to be replaced by a newer, updated version of the shared email thread.
The main component of Sortd is implemented as a Chrome Extension, which requires permissions in order to be installed into your Chrome browser.
The Chrome Extension will request the following permission:
This permission allows Sortd to load when you open Gmail (mail.google.com) and interact with the Sortd backend services (app.sortd.com).
These are the permissions that you are requested to provide when you install the Sortd Gmail Add-on.
The Sortd Gmail Add-on allows Sortd to provide functionality inside the Gmail mobile application on Android and iOS (and web browser, if you don’t have the Chrome Extension installed).
The Add-on will ask for the following permissions, which are inherent to all Gmail add-ons and not specific to Sortd:
Much of the functionality that Sortd Services provide requires access to Gmail via the Gmail API. This is a backend system that Google makes available for services such as Sortd to provide enhanced capabilities, over and above what is ordinarily available in Gmail. The Gmail API requires each Google user to permit access to their email. Google has a rigorous verification program that Sortd Services have to go through, which ensures that the permissions Sortd requests are in line with the functionality provided, as well as with the security and privacy of our mutual users.
Furthermore, it should be noted that Sortd does not store your email content; only certain email metadata, such as the MessageId, Sender, Subject and Date, is stored in Sortd, and only when certain Sortd features are used.
Sortd does not store the actual email content (body), but may store the email metadata mentioned above in cases such as:
Simply reading email inside Sortd does not result in Sortd storing any data of any kind.
In certain cases, Sortd does, however, need to access and modify the bodies of emails, such as for the purpose of providing the email tracking feature. In this case, when enabled by the user, Sortd specifically adds a tracking pixel to the bodies of emails just prior to the email being sent.
Additionally, Sortd provides shared email functionality, which is enabled on Shared Boards (available on Team subscriptions only). In the case that an email has been added to a Shared Board, that email thread will sync to the Gmail Inbox(es) of all members of the Shared Board. If that email is updated (e.g. by an email reply), Sortd will temporarily store the email being synced (including the body and attachments) until all Gmail Inboxes are up to date. This is required to ensure durability and that no email is lost, but the process is normally complete within a matter of seconds, after which the email is deleted permanently from Sortd’s infrastructure.
All of Sortd’s services and applications run in a virtual private cloud (VPC) hosted in the USA on Amazon Web Services (AWS) infrastructure; all systems and data stores have failover and backup instances, and all persisted user data is stored in an encrypted form. Additionally, all networks and servers have firewalls and restricted access permissions, permitting only the minimum network traffic necessary to run the services.
For more information on AWS security and compliance policies, they can be viewed here and here respectively.
We monitor our systems continuously with a variety of performance measurement and error-checking tools. When problems are detected, our operations team is notified, and the issues are investigated.
We implement best security practices wherever possible, such as those promoted by AWS and the Centre for Internet Security (CIS), to ensure that underlying systems remain secure and that any security breaches are investigated, patched and remediated promptly.
When a serious incident occurs, or a long interval of downtime is anticipated, we notify our users via our blog, Twitter and/or email. Should a security breach occur, we will promptly notify affected users of the nature and extent of the breach, and take steps to minimise any damage.
Sortd has now formalised its policy for accepting vulnerability reports in our products. We hope to foster an open partnership with the security community, and we recognise that the work the community does is important in continuing to ensure safety and security for all of our customers.
For more information please see the Sortd Vulnerability Disclosure Program.