NYLAS INFORMATION SECURITY STANDARDS 

Last updated 7/14/2023

These Nylas Information Security Standards form part of the Nylas Order Form Terms (“Terms”) available at https://www.nylas.com/documents/Nylas-Order-Form-Terms.pdf. Defined terms used but not otherwise defined herein have the meanings given in the Terms.

Information Security Standards. These Information Security Standards apply to Nylas’ processing of Licensee Personal Data. Nylas shall implement and maintain an information security program (“Information Security Program”) that: (i) is consistent with industry standard practices taking into consideration the sensitivity of the Licensee Personal Data processed, and the nature and scope of the Product(s) to be provided; and (ii) includes commercially reasonable technical and organizational measures designed to protect Licensee Personal Data. At a minimum, the Information Security Program shall include:

  1. Information Security Organization: Nylas has established a management framework for information security and risk which is signed off at the appropriate level and ensures the necessary resources to provide required controls.
  2. Policies: Nylas maintains information security policies, standards and procedures that include but are not limited to the controls set forth herein, and that address: Access Control, Acceptable Use, Application Security, Business Continuity, Backup, Information Classification, Clear Desk and Clear Screen, Incident Response, Mobile Device Security, Physical Security, Privacy, and Vulnerability Management. Nylas will review these documents at least annually.
  3. Human Resources: Nylas’ personnel are subject to appropriate background and vetting checks, depending upon their roles and access levels. Nylas’ personnel sign confidentiality agreements and acknowledge Nylas policies during the onboarding process. Appropriate information security and privacy awareness training and education is provided to ensure employees understand their responsibilities regarding the confidentiality, integrity, availability and privacy of Licensee Personal Data provided to Nylas.
  4. Physical Environment: Licensee Personal Data or Nylas’ systems processing Licensee Personal Data are subject to controls and processes designed to prevent unauthorized physical access, damage, or theft.
  5. Data Center Security: Nylas utilizes data centers that provide technical and operational safeguards designed to protect against accidental, unauthorized, or unlawful destruction, loss, unauthorized disclosure or access to Licensee Personal Data.
  6. Network Security: Nylas implements multi-layered network security infrastructure that is designed to provide continuous monitoring, restrict unauthorized network traffic, and detect and limit the impact of attacks, including: firewalls or other filtering devices, intrusion detection systems (IDS), and/or intrusion prevention systems (IPS).
  7. Remote Access: Nylas authenticates remote personnel with two-factor authentication prior to permitting access to Nylas’ networks containing Licensee Personal Data.
  8. Firewalls: Firewall protection systems are implemented on both internal and external traffic. Firewalls have real-time logging and alerting capabilities. Nylas reviews firewall rules on a regular basis.
  9. Monitoring and Auditing: Nylas maintains logs from Nylas’ information systems, network devices, and applications that process, store, or transmit Licensee Personal Data. Logs are designed to ensure traceability and to answer the questions of who, when, what, and where, and whether the action was successful.
  10. Review Audit Logs: Nylas has a process to review event logs at least weekly, using continuous automated monitoring or, where that is not available, manual review.
  11. System Clocks: Information systems and network devices are synchronized to a trusted time server.
  12. Audit Log Retention: Audit logs are retained by Nylas for at least twelve (12) months from creation.
  13. Audit Log Integrity and Confidentiality: Nylas implements technical and organizational measures designed to ensure the integrity and confidentiality of the audit logs.
  14. Access Control: Nylas configures access to information systems that process, transmit, or store Licensee Personal Data utilizing the principle of least privilege, allowing only authorized access for Nylas personnel.
  15. User Access Management: Nylas utilizes a formal user access management and review process to provision and deprovision user accounts and assign or revoke access rights for all Nylas personnel to all systems and services that process, transmit, or store Licensee Personal Data.
  16. Unique Accounts: Nylas’ personnel using systems that process Licensee Personal Data are uniquely identified and authenticated.
  17. Revocations: The access rights of all Nylas’ personnel to Licensee Personal Data and Licensee Personal Data processing facilities owned or directly controlled by Nylas are removed upon termination of employment or aligned to a change in role.
  18. Access Review: Nylas performs access reviews at least once a year.
  19. Password Management and Authentication Controls: Nylas maintains policies and/or procedures for the proper use and protection of passwords in Nylas’ possession or control.
  20. Systems: Nylas utilizes a formal account management process to manage systems that process Licensee Personal Data.
  21. Cryptography: Nylas has created policies and/or procedures for the use of cryptography and defines secure generation, storage, distribution and destruction of encryption keys.
  22. Cryptography of Licensee Personal Data at rest: Nylas implements minimum AES 256 encryption for Licensee Personal Data at rest.
  23. Cryptography of Data in transit: Nylas implements minimum TLS 1.2 for all Licensee Personal Data transmitted by Nylas via the Internet.
  24. Change Management: Nylas documents a change management process for all systems or applications processing Licensee Personal Data.
  25. Vulnerability Management: In connection with Nylas’ processing of Licensee Personal Data, Nylas maintains a vulnerability management program to prioritize assets by risk, test for vulnerabilities in operating systems and applications, analyze and classify the criticality of vulnerabilities, and report, remediate, and verify remediation. All patches or fixes for vulnerabilities classified as high and critical are fully implemented within 30 days of their release. Nylas ensures compensating controls are in place if a security patch cannot be promptly applied.
  26. Pentest: Nylas hires an independent third-party to conduct penetration tests on the infrastructure used to process Licensee Personal Data at least annually. The results of these tests are communicated to the Licensee, when requested.
  27. Secure Development: Nylas implements a system development life cycle. Any testing configurations are removed prior to production deployment, and Licensee Personal Data is not used for testing and development. Nylas enforces separation of duties between Nylas Personnel assigned to the development/test environment and those assigned to the production environment to the extent reasonably practical.
  28. Incident Procedure: Nylas documents information security incident policies or procedures that enable effective and orderly management of security incidents.
  29. Business Continuity and Disaster Recovery Plan: Nylas maintains a documented organizational business continuity plan (“BCP”) and disaster recovery (“DR”) procedures designed to ensure that Nylas continues to provide services in the event of a disruptive incident that could negatively impact operations. Nylas performs annual business continuity and disaster recovery tests. Test results and corrective actions are documented.
  30. Data Backup: Licensee Personal Data is backed up periodically in accordance with Nylas’ Backup Policy. Backups are tested. If Nylas restores a backup containing Licensee Personal Data, it maintains a log with, at least, the name of the person responsible for the restoration and the description of the Licensee Personal Data restored.
  31. Third-Party Risk Management: Nylas implements a third-party risk management program that includes regular risk assessment and reviews.
  32. Asset Management: Nylas maintains an inventory of current information system assets that includes: the business function of the asset, asset accountability, and sufficient detail to facilitate tracking and reporting of assets. Nylas updates information system asset inventories periodically.
  33. Classification of Information: Nylas defines and implements an information classification system and explicitly considers personal data as part of the schema.
  34. Temporary Files: Information systems can create temporary files in the normal course of their operations. Nylas ensures that temporary files created as a result of the processing of Licensee Personal Data are disposed of following documented procedures.
  35. Media Handling: Nylas only uses removable media and/or devices that allow encryption.
  36. Compliance: Nylas undergoes an annual security audit by an independent company that attests to the effectiveness of the controls Nylas has in place to safeguard the systems and operations where Licensee Personal Data is processed, stored and/or transmitted. At a minimum, the audit covers the security, confidentiality and availability of Licensee Personal Data using the ISO27001 or SOC2 framework.
  37. PCI-DSS Not In Scope: Nylas does not store, process, or transmit “cardholder data” that is subject to the Payment Card Industry Data Security Standard (“PCI-DSS”) on behalf of Licensee. PCI-DSS is not in scope for Nylas.
  38. Pseudonymization: Nylas applies pseudonymization techniques to Licensee Personal Data as appropriate.