Your security and privacy are our top priority here at Shift. Not only is Shift a great tool, but it is completely safe and secure to use. 🔐 If you're curious about any component of Shift's security measures, keep on reading!
Is Shift HIPAA, SOC2, or ISO 27001 compliant?
No. However, we do have robust internal procedures in place to ensure the data we collect is secure and our systems are kept in check. Continue reading below for more details.
Your data is as secure as your computer
First and foremost, nearly all data that the Shift desktop application uses is kept local to your computer. This includes the data that keeps you logged into your accounts within Shift. We highly recommend using a complex password to lock your computer.
Shift relies on each app's and extension's own login security. That means when you log into your apps and extensions in Shift, you authenticate through those apps' and extensions' own security mechanisms. Shift also uses the standard OAuth authorization protocol. We have been approved by Google to use the OAuth process, which is understood to have no known vulnerabilities. OAuth authorizes Shift (locally) to access your emails and download them to your local computer. An identity token is stored against your Shift account in the cloud, but the token required to access your emails is always local. Shift can handle your mail privately and locally without any risk that anyone, anywhere – other than you – can gain access to your information, data, or emails. Read more about the OAuth process here.
Password management security
Password data is not backed up or stored on Shift's servers. Any saved passwords in the Shift browser are local to your computer. To help ensure your password data is safe and backed up, we recommend using a trusted extension such as 1Password or Bitwarden.
All data to and from the Shift service is encrypted using secure SSL/TLS protocols. Data is never sent to our services without encryption. Our team periodically runs vulnerability scans to detect insecure configurations in our systems. Our system is protected from Denial of Service (DoS) attacks via several mitigations, including (but not limited to) IP blocklists and web application firewalls. At this time, we don't have any third-party penetration test results that we can share.
Access to our source control and cloud environments is controlled via role-based access controls. Access to these systems is logged. Data is encrypted in transit and at rest. Only members of the Shift team with a need to know are permitted access to customer data. Shift employees cannot view email content, passwords, calendar information, app or extension information, or similar customer data. The limited access our team does have is granted only so they can assist you. When a Shift employee leaves, their access is revoked immediately upon their departure, and they no longer have access to any internal systems.
Our client and server software is regularly updated. We use an automated system to notify us when a third-party dependency has a vulnerability that requires patching. Customer information is never stored or transmitted without encryption. Our service only stores the minimum amount of data required to operate the service. Shift has processes in place to comply with various data laws. More about that here.
Shift does not operate a private data center. Our services are provided exclusively through a Cloud provider (AWS). Access to the office is restricted to employees. Guests are escorted on-site to protect the confidentiality of our data and source code.
Incident response plan and disaster recovery
The Shift team has automated systems in place that report on outages or unexpected behaviors. In the case of an incident, the responsible team is paged to respond. Our data is regularly backed up. There is a disaster recovery plan in place in case our service provider has a long-term outage that affects the service.
Customer controls for security
So far, we've discussed what we do to offer security on various fronts to our customers. Here are the things that you, as a customer, can do to ensure security from your end:
- Use unique, strong passwords and protect them
- Use multi-factor authentication
- Update your operating system and Shift regularly to keep them patched against vulnerabilities and to benefit from the latest security features
- Monitor the devices linked to your account, your active web sessions, and third-party access to spot unusual activity on your account, and manage the roles and privileges granted on your account
- Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that may try to steal your sensitive information by impersonating Shift or other services you trust
We want you to feel comfortable that your data and privacy are taken seriously and taken care of! If you have any questions whatsoever regarding security or privacy in Shift, please get in touch with our support team and we'd be happy to help!
Read more about Privacy and Security in Shift here.