How Nylas Keeps Your Users’ Data Secure
Get an inside look at the processes Nylas uses to provide industry-leading data security with SOC 2 and HIPAA Type 1 / HITECH certifications.
David Ting | January 5, 2021
Data breaches, security vulnerabilities, and malicious hacks are recurring problems in our increasingly connected society and there have been numerous high-profile data breaches in the last decade. It’s quite likely that you, the reader of this article, have fallen victim to one or more data breaches. Malicious actors can leverage this data against you, and it’s essential for any company that stores your data to be a good steward and prevent it from falling into the wrong hands.
Security is an integral component of everything we do at Nylas, and I’m very proud of the effort our engineers have made to turn Nylas into a leading example of software security. This article will give you an inside look at what we do to keep user data safe.
Security is Our Prime Directive
Nylas provides API services that connect to users’ email inboxes, calendars, and contact books, so naturally, we’re responsible for protecting the associated user data. At the core of our policy is the concept of zero-trust security, meaning we plan our security policies around the assumption that a compromise can happen from any direction and on any resource that runs in our infrastructure. While state-sponsored attacks get the biggest headlines, employee mistakes and misconfigured services are far more likely to be the cause of a significant data breach. An excellent security team considers all possible avenues to ensure nothing is left unchecked.
Our SOC 2 certification is the clearest indicator of how seriously we take security at Nylas, because it’s the SaaS industry’s most comprehensive security certification. As part of this certification, we go through yearly independent audits of our internal policies and penetration tests at all levels of our security protocols, processes, and systems. We’re also HIPAA Type 1 / HITECH compliant, meaning we meet US federal requirements to store and protect individual health records.
Certifications only go so far, though, and we want you to feel comfortable building on the Nylas Platform. To put you more at ease, let’s take a close look at the Nylas security team’s practices so you can be confident that we’re doing everything we can to keep your users safe.
Automatic Ingress, Egress, and Code Scanning
At the core of the Nylas Platform is our Sync Engine: a fleet of servers that establish and maintain connections to all third-party APIs for which we provide integrations. Our sync fleet transmits and receives immense amounts of data every day; we need to ensure that all incoming and outgoing connections are made to the appropriate third-party API servers. We also need to ensure that data is being stored only in trusted locations.
Automated scanning is the first line of defense against potential threats to our Sync Engine, and we use a combination of custom code and third-party solutions from companies who specialize in software security:
- Code scanning – We scan every single function in our code base to build a complete data flow map and raise alerts when functions send data to new or unexpected locations.
- Dynamic website and API scanning – We make requests to our APIs and dashboard that simulate attack vectors.
- Vulnerability scanning – We use well-established third-party solutions to scan new and existing code for vulnerabilities listed in the National Vulnerability Database (NVD).
- Cloud infrastructure – We monitor changes to anything on our infrastructure, including identity and access management, data storage and caching, and network connections. Our team is alerted whenever abnormal changes occur and we have processes in place to facilitate manual review and remediation of any security concerns.
We rank security risks based on the NVD’s Common Vulnerability Scoring System (CVSS), which we customize for our specific data storage practices, and we use tools like PagerDuty to alert our on-call engineers 24/7 when significant concerns arise. The combination of these services provides a comprehensive automated monitoring system to keep us informed about any changes that might affect user data security.
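As an added illustration of the CVSS-based ranking described above (example code, not Nylas’s own tooling), the block below computes a CVSS v3.1 base score and then re-weights it with the Confidentiality/Integrity/Availability Requirement environmental metrics, which is the standard way to express "customized for our data storage practices": the same vulnerability scores higher on a component that holds mailbox data than on one that does not. The page threshold of 7.0 and the sample vector are assumptions.

```python
import math

# CVSS v3.1 metric weights from the FIRST specification.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},          # Privileges Required, scope unchanged
    "PRC": {"N": 0.85, "L": 0.68, "H": 0.50},         # Privileges Required, scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},          # Confidentiality / Integrity / Availability
    "REQ": {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0},  # CR / IR / AR security requirements
}
PAGE_THRESHOLD = 7.0  # hypothetical: environmental score at or above this pages on-call

def roundup(x):
    # CVSS 3.1 Roundup(): smallest one-decimal value >= x, done on integers to avoid float drift.
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    # "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" -> {"AV": "N", "AC": "L", ...}
    head, *parts = vector.split("/")
    if head != "CVSS:3.1":
        raise ValueError("expected a CVSS:3.1 vector")
    return dict(p.split(":") for p in parts)

def score(vector, cr="X", ir="X", ar="X"):
    # Returns (base, environmental). Environmental applies only the CR/IR/AR requirements, i.e.
    # the base score re-weighted by the data the affected component holds; other modifiers stay 1.0.
    m = parse(vector)
    changed = m["S"] == "C"
    c, i, a = (W["CIA"][m[k]] for k in ("C", "I", "A"))
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["PRC" if changed else "PR"][m["PR"]] * W["UI"][m["UI"]]
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    miss = min(1 - (1 - W["REQ"][cr] * c) * (1 - W["REQ"][ir] * i) * (1 - W["REQ"][ar] * a), 0.915)
    if changed:
        imp = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        mimp = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
    else:
        imp, mimp = 6.42 * iss, 6.42 * miss
    def finish(impact):
        if impact <= 0:
            return 0.0
        total = impact + expl
        return roundup(min(1.08 * total if changed else total, 10))
    return finish(imp), finish(mimp)

def should_page(vector, cr="X", ir="X", ar="X"):
    # Page on the environmental score, so one CVE ranks higher on a service holding mailbox data (CR:H).
    return score(vector, cr, ir, ar)[1] >= PAGE_THRESHOLD
```

With the constructed vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` (base 6.5), setting CR:H lifts the environmental score to 8.3 and pages, while CR:L drops it to 4.7 and does not.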
Automated scanning certainly makes our infrastructure safer, but no security strategy is complete without proactive human involvement. We have an internal penetration testing team that manually searches for vulnerabilities by regularly simulating malicious behavior that uses any part of our infrastructure as an attack vector. We want to be sure that nothing within our internal infrastructure can create larger holes in other internal services, and that the appropriate security responses are initiated for any alert that is triggered.
As part of our yearly SOC 2 compliance renewal, we partner with third-party companies to get specialized penetration testing. They simulate attacks that use Nylas accounts as the attack vector, and they ensure that malicious actors can’t hijack the Nylas dashboard or API to gain unauthorized access to data stored on the Nylas platform.
It Takes a Village to Keep Users Safe
Nylas trains our entire engineering team to operate with the principles outlined in this article, and we regularly engage in company-wide initiatives to ingrain industry-leading security practices across the board. I hope this article has given you enough confidence to trust Nylas with your users’ communications and scheduling data, and we’re here to support you through the security review process when you decide to integrate with providers like Google. Whatever your company’s security needs when adding communications and scheduling features to your app, we have something to fit them. Reach out to a platform specialist if you want to have a more in-depth discussion about your security requirements.