Security in Shift

Your security and privacy are a top priority at Shift. This page explains how Shift protects your data, where the limits of that protection lie, and what you can do on your side. 🔐 If you're curious about any component of Shift's security measures, keep on reading!


Is Shift HIPAA, SOC2, or ISO 27001 compliant?

No. Shift has not been audited or certified against HIPAA, SOC 2, or ISO 27001. However, we do have robust internal procedures in place to keep the data we collect secure and our systems monitored. Continue reading below for more details.


Your data is as secure as your computer

First and foremost, nearly all data that the Shift desktop application uses is kept local to your computer. This includes the session data that keeps you logged into your accounts within Shift, so anyone who can use your unlocked computer, or read its disk, can use those sessions. We highly recommend locking your computer with a strong password, enabling full-disk encryption, and locking the screen whenever you step away. Read more about our suggestions here.


Login security

Shift integrates app and extension login security. That means when you log into your apps and extensions in Shift, you authenticate with those apps' and extensions' own security mechanisms. For email, Shift uses the standard OAuth 2.0 authorization protocol, and our use of it has been reviewed and approved by Google. OAuth is a widely reviewed open standard; like any protocol, it is only as safe as the implementation behind it, which is why that review and our regular updates matter. Through OAuth you authorize the Shift application on your computer to access your email and download it locally. An identity token is stored against your Shift account in the cloud, but the token that actually grants access to your mailbox stays on your computer and is never uploaded to Shift's servers. Shift therefore handles your mail locally, and the practical risk is someone with access to your unlocked computer, not Shift's servers. Read more about the OAuth process here.


Password management security

When you use the Password Management feature in Shift, your password data is always encrypted locally on your computer before it is sent to Shift's servers, where it is encrypted a second time at rest. Industry-standard primitives are used: AES for the encryption itself and Argon2, a memory-hard password-hashing function, for turning a password into an encryption key. Because the first layer is applied on your computer, Shift's servers only ever hold ciphertext. Read more about Password Management security here.


Network security

All data to and from the Shift service is encrypted in transit using TLS (the protocol still commonly called SSL). Data is never sent to our services without encryption. Our team periodically runs vulnerability scans to find insecure configurations in our systems. Our service is protected from Denial of Service (DoS) attacks by several mitigations, including (but not limited to) IP blocklists and web application firewalls. At this time, we do not have any third-party penetration test results that we can share.


Authentication security

Access to our source control and cloud environments is controlled via role-based access control, and access to these systems is logged. Data is encrypted in transit and at rest. Only members of the Shift team with a need to know are permitted access to customer data, and that access is limited to the account information required to assist you: Shift employees cannot view email content, passwords, calendar information, app and extension data, and so on. When a Shift employee leaves, their access is revoked immediately upon departure and they no longer have access to any internal systems.


Application security

Our client and server software is regularly updated. An automated system notifies us when a third-party dependency has a known vulnerability that requires patching. Customer information is never stored or transmitted without encryption, and our service stores only the minimum data required to operate. Shift has processes in place to comply with GDPR, CCPA, and VCDPA requests. More about that here.


Physical security

Shift does not operate a private data center. Our services are provided exclusively through a Cloud provider (AWS). Access to the office is restricted to employees. Guests are escorted on-site to protect the confidentiality of our data and source code. 


Incident response plan and disaster recovery

The Shift team has automated systems in place which report on outages or unexpected behaviors. In the case of an incident, the responsible team is paged to respond. Our data is regularly backed up. There is a disaster recovery plan in place in case our service provider has a long-term outage that affects the service.


Customer controls for security

So far, we've discussed what we do to offer security on various fronts to our customers. Here are the things that you, as a customer, can do to ensure security from your end:


  1. Use unique, strong passwords and protect them (a password manager makes this practical)
  2. Enable multi-factor authentication on your accounts
  3. Keep your operating system and Shift up to date so they are patched against known vulnerabilities and get the latest security features
  4. Monitor the devices linked to your account, active web sessions, and third-party access to spot unusual activity, and manage the roles and privileges on your account
  5. Be alert to phishing and malware: treat unfamiliar emails, websites, and links with suspicion, especially ones that impersonate Shift or other services you trust in order to steal your credentials or data

Have questions?

We want you to feel comfortable that your data and privacy are taken seriously and taken care of! If you have any questions whatsoever regarding security or privacy in Shift, please get in touch with our support team and we'd be happy to help!


What's next?

Read more about Privacy and Security in Shift here.
