Security

Introduction: How Folio Keeps Your Data Secure

Folio is a product that help its customers manage business workflow in email. Given the sensitivity of this medium, security is at the center of our engineering and data science practices. Our team and technology infrastructure are held accountable to high standards of information security, code quality and scalability. Folio maintains specific and strict internal policies that restrict any unauthorized access to our users’ data or accounts. And, as an official partner of Google and Microsoft’s secure email platforms, we have continually met or exceeded their standards of security and privacy via rigorous internal and third-party audits of our products, policies, technology, codebase and team.

Folio is an email workflow tool that uses machine learning algorithms to organize email by a meaningful business object such as a real estate transaction. Folio determines the relationships between emails and groups them with a common identifier, resulting in the creation of a Smart Folder. Smart Folders reveal the context around a real estate transaction and index all related metadata (documents, files, contacts, and user generated notes) into a contextual sidebar. This enables the following enhanced security and compliance product features:

Enhanced visibility: While inbox providers have gotten very good at detecting generally suspicious emails and activity, there is the opportunity for further user protection within a vertical business mailstream by detecting and flagging emails that are suspicious within the real estate transaction process. Folio understands the meaning behind real estate-specific emails, the relationships between various senders, and is able to apply verticalized business logic that can detect potentially fraudulent requests for financially sensitive information. Today, this reporting is enabled through an opt-in feature that sends an SMS to the user, but enterprise-level reporting of financial activity can be enabled upon request. The evolution and improvement of the methods used for this fraud detection will be an ongoing focus of Folio.
Compliance & retention: By sorting emails into Smart Folders by transaction, a comprehensive record of all communication can be stored in a customer’s database or platform of record for compliance with legal or regulatory recordkeeping requirements and practices.

2019 Google Security Audit & Security Enhancements

In 2018, Google announced that it would be restricting access to its Gmail API to only those approved vendors that fully complied with its new requirements. In philosophy, these requirements were designed to ensure that third party apps that access a user’s most sensitive data only exist to deliver direct user value to the user and are as secure as Google’s own services. In addition, each vendor would be required to undergo a third party security audit to verify compliance, repeated annually, by a firm approved by Google.

In 2019, Folio (formerly operated by Amitree) became one of the first companies to successfully complete the compliance requirements of the Google Verification Process and passed a third party security audit performed by offensive security testing firm Bishop Fox. Folio regularly undergoes this process in order to ensure the highest level of security for users.

In connection with this audit, Folio has implemented the following enhanced security practices:

Implementation of a bug bounty program via the HackerOne platform
Annual security review by Bishop Fox of our application security
Ongoing security training for employees and contractors
Movement of all processing that used occur via 3rd parties into our own infrastructure (hosted on the industry leading PaaS, Heroku)
Zero-access policy to any customer email by employees or contractors, even for customer support purposes (we request the customer manually forward any emails necessary for customer support to review)

Additionally, as per standard with Heroku, all of our software runs on hard-end images that are resistant to Linux CVEs. A summary of all other security measures we inherit from the platforms we use is provided at the end of this document.

Data Policy

Folio delivers value by turning a customer’s inbox into a structured database, sorted into Smart Folders, with contextually relevant artifacts surfaced for the customer at the right time. This means a tremendous amount of our customers’ data passes through our platform, and we are entrusted with keeping that data private and secure. We do not sell, transfer, or otherwise make public any data obtained from our customers’ email. The only circumstance wherein user data is permitted to be transferred is in a ‘change in control’ (e.g. an acquisition). This policy is enforced both by Inside RE, LLC policy directly and by our adherence to our agreements with Google.

Folio’s use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Inherited Security Practices from our Platform Vendors

Independent industry standards are a good measure of whether a company’s technology infrastructure adheres to the most stringent and updated security practices to keep your data safe and secure. Folio is deployed via Heroku, which is built on top of Amazon Web Services. Folio builds on Amazon and Heroku’s compliance with the leading standards of privacy and information security outlined on their respective security pages, found here:

Amazon AWS Security

Heroku Security

Physical Security of Data Centers

We utilize Amazon’s distributed worldwide data centers to deliver our products, affording our products a high level of protection from physical security threats.

Amazon data centers are housed in nondescript facilities.

Physical access to Amazon data centers is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.

Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.

All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services.

All physical access to data centers by Amazon employees is logged and audited routinely.

Use of HTTPS / SSL Encryption for Secure Data Transmission

Wherever possible, Folio utilizes HTTPS / SSL encryption when sending or receiving data from the browser. The HTTPS / SSL protocol uses public-key cryptography to prevent eavesdropping, tampering, and forgery. Our SSL certificates are 2048 bit RSA, signed with SHA256.

Feedback and Incident Reporting

Our incident reporting disclosure program is administered through HackerOne, which is the designated platform for submitting all reports.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	Persistent	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_D23ND7CP0D	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_37478674_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
fs_mixpanel	Persistent	This cookie is set by Mixpanel to track user interactions and collect analytics data on website usage. The collected data helps generate insights, analyze user trends, and improve website performance.
fs_uid	1 year	This cookie is set by the provider Fullstory. This cookie is used for session tracking.
mp_f2e400c1bb39dfe2653a021b96f9a68d_mixpanel	1 year	This cookie is set by Mixpanel to track user interactions and collect analytics data on website usage. The collected data helps generate insights, analyze user trends, and improve website performance.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	Persistent	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	Persistent	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	Persistent	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	Persistent	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.