InboxBrain Security Policy

Updated: May 1, 2019

We take security seriously here at InboxBrain. Here are some of the enterprise-grade security and privacy controls we use to protect our customers’ data.

What do we do?

InboxBrain provides robust tools and analytics to enhance users’ outbound, electronic communications via Gmail and G Suite. Features include: analytics regarding open and click-through rates of recipients, automated sequences for follow-ups from within email, and easy-to-use email templates.

Why do we need permission to access your Google account?

When a user installs the InboxBrain Chrome extension, we create an InboxBrain account for the user and link it with the user’s Google account. We ask the user for permission to connect to his or her Google account and authenticate that connection via Google Apps OAuth. This means that each user’s InboxBrain account has the same industry-leading login security as their Google account. Users can add 2-factor authentication via Google if they choose.

InboxBrain requests access to the following Google information so that our features can work:

  • Read, send, delete, and manage your email
    InboxBrain requests these permissions so we can provide you with features like open, click, and reply tracking, send later, and calendar scheduling within an email.

  • Manage your basic mail settings
    InboxBrain needs access to your mail settings so we can honor your existing preferences, including undo send, email aliases, and your email signature.

  • Manage your contacts
    InboxBrain enables you to create templates that auto-fill using information stored in your Google contacts, such as the contact’s first name. InboxBrain also enables you to create contact groups based on your Google contact groups.

  • View your contacts
    See above.

  • Manage your calendars
    InboxBrain enables you to quickly set up meetings via email by offering times when you’re available; after your recipients choose a time, we schedule the meeting on your Google calendar.

  • View users on your domain
    InboxBrain requests access to view other users on your email domain so we can show them as contacts in the ‘to’ field when typing an email, even if these users do not exist in your Google contacts.

What information do we collect?

The integration with Google gives InboxBrain access to, for instance, a Google user’s email, calendar, and contacts, as described above. However, InboxBrain only collects the user’s name and email address, and, while a user is writing an email, the content of the draft message is stored on our servers. Once the message is sent, we transfer the content back to the user’s Gmail account, where it is stored on Google’s servers. In addition, when a user sends an email, the recipient’s email address and IP address are stored on our servers to provide the user with tracking and analytics.

How do we collect the information?

When a user installs the InboxBrain Chrome extension, we create an InboxBrain account for the user and link it with the user’s Google account. To accomplish this, we ask the user for consent to connect to his or her Google account and authenticate that connection via Google Apps OAuth. This is a two-step process. In the first step, InboxBrain notifies the user that use of the InboxBrain products is subject to the terms of the InboxBrain Terms of Service and Privacy Policy, each of which describes how we process a user’s data. The user must then click “Activate InboxBrain” to proceed to the second step. In the second step, Google Apps provides notice of the types of information that will be accessible to InboxBrain and the scope of the authorization the user is giving to Google and to InboxBrain to enable the connection, and the user must click “Allow” to proceed with using the InboxBrain product.

How is user data protected?

InboxBrain protects user data throughout the data flows of the InboxBrain product, from account creation and integration through Google’s OAuth service, to encryption of data in transit to InboxBrain servers (using browser-based TLS) and encryption of that data at rest (using AES-256), to a variety of administrative, physical, and technical safeguards designed to create a secure environment for our customers’ data. As a result, the InboxBrain product can be implemented within a HIPAA-compliant environment.

We work with industry-leading cloud PaaS and IaaS providers. All InboxBrain applications run in a virtual private cloud (VPC) hosted by Digital Ocean, including failover and backup instances. User data transferred to InboxBrain is hosted by our cloud-based database provider, Mongo, which also stores and processes the data using industry-standard infrastructure. These infrastructure providers maintain industry-standard security certifications, including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3 and PCI DSS Level 1.

What compliance initiatives do we undertake?

InboxBrain has created a robust security program designed to meet the requirements of a ‘business associate’ under HIPAA, including each of the implementation specifications that underlie the administrative, physical, and technical safeguards required under the Security Rule. In addition, InboxBrain has implemented a comprehensive internal security policy and program to regularly review and assess the adequacy of the controls we have in place.

InboxBrain also certifies its adherence to the EU-US and Swiss-US Privacy Shield frameworks in order to provide an adequate basis for the transfer of personal data from the EU and Switzerland to our US-based servers.