SourceWhale uses Read access to track different kinds of email responses, and to orchestrate email follow-ups accordingly. Read access is never applied to emails that were not sent using SourceWhale.
SourceWhale uses Send access to send emails on your behalf. In this way, the emails sent through SourceWhale appear in exactly the same form as if you had sent them manually.
The content of emails or calendar events retrieved through the Gmail or Outlook APIs is never stored on SourceWhale systems (a fresh API call is performed every time a client requests this data).
No databases constituting the SourceWhale Platform are accessible from the public internet.
SourceWhale uses industry-standard encryption for all Client Data, both in transit and at rest.
Where appropriate, client-generated data is sanitised before storage.
SourceWhale uses logical separation within its multi-tenant architecture to enforce data segregation between Clients.
Upon a client’s request, their client data is promptly deleted. With each deletion request, the data is logically deleted in the first storage copy and then completely deleted across the other copies. This is done in order to prevent accidental deletions or possible intentional damage.
All endpoints are protected against Denial-of-Service attacks.
Cloud resources are deployed across multiple availability zones and regions, to ensure resiliance of the SourceWhale platform.
Full logging and monitoring are implemented across the SourceWhale platform, to ensure rapid event notification and traceability.
Rolling backups of all non-temporary data are implemented, to ensure data endurance.
SourceWhale is hosted on Amazon Web Services. Information on Amazon’s physical security controls can be found here: aws.amazon.com/compliance/data-center/controls.
AWS maintain industry-standard security certifications, including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3 and PCI DSS Level 1.
Access to all systems requires two-factor authentication. Requests are restricted by IP address, and access attempts are logged for auditing purposes.
Client authentication is performed using the Google and Microsoft identity platforms, following industry best practises with regards to the Oauth2 standard.
The SourceWhale platform implements strict security headers and other measures to prevent cross-site scripting, cross-site request forgery, and clickjacking attacks.
Client access to the SourceWhale Platform portals are protected by the most current version of Transport Layer Security (TLS).
All computers storing local copies of the SourceWhale codebase have encrypted hard drives and are protected with biometric authentication.
SourceWhale maintains ISO27001 certification.
Access to SourceWhale's systems is administered under a strict least-privilege model.
All company personnel are given training in information security and sign confidentiality agreements.
SourceWhale personnel do not access client data. Where access is required to operate the service or assist in a client issue, the request for access must be formally approved by the client.
There is a strict password policy for all personnel. All passwords and access keys have short maximum lifetimes.
There is a comprehensive process to deactivate users and their access if personnel leave the company.
SourceWhale conducts penetration tests by accredited third parties at least semi-annually.
All client cookies and sensitive personal information are scrubbed before logging.
Vulnerability Disclosure Program
Please report security exploits to firstname.lastname@example.org. Exploits which qualify under the program will be answered within 3 working days.
Rewards will be paid based on the severity of the vulnerability with a maximum level of £500.
The following vulnerabilities will not qualify for a reward: UI/UX bugs, denial of service attacks, social engineering, phishing exercises, non-exploitable flaws.
Please include step-by-step instructions so we can re-produce and details on the scope and severity of vulnerability.