Security

Introduction: How Amitree Keeps Your Data Secure

Amitree builds products that help its customers manage business workflow in email. Given the sensitivity of this medium, security is at the center of our engineering and data science practices. Our team and technology infrastructure are held accountable to high standards of information security, code quality and scalability. Amitree maintains specific and strict internal policies that restrict any unauthorized access to our users’ data or accounts. And, as an official partner of Google and Microsoft’s secure email platforms, we have continually met or exceeded their standards of security and privacy via rigorous internal and third-party audits of our products, policies, technology, codebase and team.

Amitree’s flagship product, Folio, is an email workflow tool that uses machine learning algorithms (learn more) to organize email by a meaningful business object such as a real estate transaction. Folio determines the relationships between emails and groups them with a common identifier, resulting in the creation of a Smart Folder. Smart Folders reveal the context around a real estate transaction and index all related metadata (documents, files, contacts, and user generated notes) into a contextual sidebar. This enables the following enhanced security and compliance product features:

  • Enhanced visibility: While inbox providers have gotten very good at detecting generally suspicious emails and activity, there is the opportunity for further user protection within a vertical business mailstream by detecting and flagging emails that are suspicious within the real estate transaction process. Folio understands the meaning behind real estate-specific emails, the relationships between various senders, and is able to apply verticalized business logic that can detect potentially fraudulent requests for financially sensitive information. Today, this reporting is enabled through an opt-in feature that sends an SMS to the user, but enterprise-level reporting of financial activity can be enabled upon request. The evolution and improvement of the methods used for this fraud detection will be an ongoing focus of Amitree.
  • Compliance & retention: By sorting emails into Smart Folders by transaction, a comprehensive record of all communication can be stored in a customer’s database or platform of record for compliance with legal or regulatory recordkeeping requirements and practices.

2019 Google Security Audit & Security Enhancements

In 2018, Google announced that it would be restricting access to its Gmail API to only those approved vendors that fully complied with its new requirements. In philosophy, these requirements were designed to ensure that third party apps that access a user’s most sensitive data only exist to deliver direct user value to the user and are as secure as Google’s own services. In addition, each vendor would be required to undergo a third party security audit to verify compliance, repeated annually, by a firm approved by Google.

In 2019, Amitree became one of the first companies to successfully complete the first stage (compliance with requirements) of the Google Verification Process and is in the final stages of the third party security audit, performed by offensive security testing firm Bishop Fox.

In connection with this audit, Amitree has implemented the following enhanced security practices:

  • Implementation of a bug bounty program via the HackerOne platform
  • Annual security review by Bishop Fox of our application security
  • Ongoing security training for employees and contractors
  • Movement of all processing that used occur via 3rd parties into our own infrastructure (hosted on the industry leading PaaS, Heroku)
  • Zero-access policy to any customer email by employees or contractors, even for customer support purposes (we request the customer manually forward any emails necessary for customer support to review)

Additionally, as per standard with Heroku, all of our software runs on hard-end images that are resistant to Linux CVEs. A summary of all other security measures we inherit from the platforms we use is provided at the end of this document.

Data Policy

Folio delivers value by turning a customer’s inbox into a structured database, sorted into Smart Folders, with contextually relevant artifacts surfaced for the customer at the right time. This means a tremendous amount of our customers’ data passes through our platform, and we are entrusted with keeping that data private and secure. We do not sell, transfer, or otherwise make public any data obtained from our customers’ email. The only circumstance wherein user data is permitted to be transferred is in a ‘change in control’ (e.g. an acquisition). This policy is enforced both by Amitree policy directly and by our adherence to our agreements with Google.

Folio by Amitree’s use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Inherited Security Practices from our Platform Vendors

Independent industry standards are a good measure of whether a company’s technology infrastructure adheres to the most stringent and updated security practices to keep your data safe and secure. Amitree is deployed via Heroku, which is built on top of Amazon Web Services. Amitree builds on Amazon and Heroku’s compliance with the leading standards of privacy and information security outlined on their respective security pages, found here:

Amazon AWS Security

Heroku Security

Physical Security of Data Centers

We utilize Amazon’s distributed worldwide data centers to deliver our products, affording our products a high level of protection from physical security threats.

Amazon data centers are housed in nondescript facilities.

Physical access to Amazon data centers is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.

Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.

All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services.

All physical access to data centers by Amazon employees is logged and audited routinely.

Use of HTTPS / SSL Encryption for Secure Data Transmission

Wherever possible, Amitree utilizes HTTPS / SSL encryption when sending or receiving data from the browser. The HTTPS / SSL protocol uses public-key cryptography to prevent eavesdropping, tampering, and forgery. Our SSL certificates are 2048 bit RSA, signed with SHA256.

Feedback and Incident Reporting

You can send any concerns, vulnerability reports, bugs, or incidents you encounter to security@amitree.com. We offer a bug bounty program.