Your security and privacy are our top priority here at Shift. Not only is Shift a great tool, but it is completely safe and secure to use. 🔐
Is Shift HIPAA, SOC2, or ISO 27001 compliant?
No. However, we do have robust internal procedures in place to ensure the data we collect is secure and our systems kept in check. Continue reading below for more details.
Your data is as secure as your computer
First and foremost, nearly all data that the Shift desktop application uses is kept local to your computer. This includes the data that keeps you logged into your accounts within Shift. We highly recommend using a complex password to lock your computer. Read more about our suggestions here.
Shift integrates app and extension login security. That means when you log into your apps and extensions in Shift, you are using those app and extension security mechanisms to authenticate. Shift also uses the standard OAuth authorization protocol. We have been approved by Google to use the OAuth process, which is understood to have no known vulnerabilities. OAuth authorizes Shift (locally) to access your emails and download to your local computer. An identity token is stored against your Shift account in the cloud, but the token required to access your emails is always local. Shift can handle your mail privately and locally without any risk that anyone, anywhere – other than you – can gain access to your information, data, or emails. Read more about the OAuth process here.
Password management security
When you use the Password Management feature in Shift, your password data is always encrypted locally first before being sent to Shift's servers, where it is then encrypted a second time. Industry-standard encryption methods, AES and Argon2 are used in this process. Read more about Password Management security here.
All data to and from the Shift service is encrypted using secure SSL/TLS protocols. Data is never sent to our services without encryption. Our team periodically will run vulnerability scans to determine if there are any insecure configurations in our system. Our system is protected from Denial of Service (DoS) attacks via several mitigations including (but not limited to) IP blocklists and web application firewalls. At this time, we don't have any third-party penetration tests results that we can share.
Access to our source control and cloud environments are controlled via role-based access controls. Access to these systems is logged. Data is encrypted in transit and at rest. Only members of the Shift team with a need-to-know access are permitted access to customer data. Shift employees cannot view any email content, passwords, calendar information, app and extension information, etc. The limited access our team does have is only given so they can assist you. When a Shift employee leaves, their access is revoked immediately upon their departure and they no longer have access to any internal systems.
Our client and server software regularly security updates. We use an automated system to notify us when a third-party dependency has a vulnerability that requires patching. Customer information is never stored or transmitted without encryption. Our service only stores the minimum amount of data required to operate the service. Shift has processes in place to comply with GDPR and CCPA requests. More about that here.
Shift does not operate a private data center. Our services are provided exclusively through a Cloud provider (AWS). Access to the office is restricted to employees. Guests are escorted on-site to protect the confidentiality of our data and source code.
Incident response plan and disaster recovery
The Shift team has automated systems in place which report on outages or unexpected behaviors. In the case of an incident, the responsible team is paged to respond. Our data is regularly backed up. There is a disaster recovery plan in place in case our service provider has a long-term outage that affects the service.
We want you to feel comfortable that your data and privacy are taken seriously and taken care of! If you have any questions whatsoever regarding security or privacy in Shift, please get in touch with our support team and we'd be happy to help!
Read more about Privacy and Security in Shift here.