Platform Security & Privacy
Enterprise-grade security and privacy controls have always been at the heart of Nylas.
Nylas strives to earn customer trust by enforcing world-class security practices and standards. We keep customer data private and secure through a multilayered physical and network-level security hierarchy. All of these platform security procedures and processes are documented below.
Nylas adheres to a high level of operational excellence. Nylas has multiple interlocking policies for incident response, audits, and privacy. We believe security practices should be transparent to customers, and these measures are outlined below.
Nylas fully complies with key government and industry regulations and policies, including US-EU as well as US-Swiss Safe Harbor and PCI DSS as a merchant. Nylas also supports a variety of use cases employed by companies engaged in PCI- and HIPAA-covered activities.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy. Under the GDPR, Nylas is considered a data processor. Our customers are considered data controllers. Our customers’ end users are considered data subjects.
For example, let’s say Nylas had a customer called “The World’s Best CRM.” “The World’s Best CRM” would be considered a data controller. Jeremy, a small-business owner, uses “The World’s Best CRM” to send awesome emails and engage his customers. Jeremy is considered a data subject. The Nylas API, which powers “The World’s Best CRM,” is considered the data processor. We define these roles in more detail below.
SOC 2 Type II
The SOC 2 Type II certification is the most comprehensive security certification in the SaaS industry. To achieve SOC 2 Type II certification, Nylas underwent an independent audit and penetration tests of existing security protocols, processes, and systems. The SOC 2 Type II certification demonstrates that our data management systems and processes are designed to keep users’ sensitive information secure while ensuring a high degree of performance and reliability.
SOC 2 Standards of Excellence Used at Nylas:
Encryption and Access Control
Nylas uses multiple application-level security mechanisms and features to ensure customer data safety. All customer API calls require proprietary OAuth2 authentication tokens granted only by Nylas, and user data is encrypted using military-grade encryption standards.
Network Transport and Storage
Nylas implements best practices for maintaining service-wide network security. We deploy the latest technology to provide uninterrupted service and guard against attack. Internal sync infrastructure is isolated from the public Internet within separate VPCs that block all inbound connections, and the persistence and storage layers are encrypted and secured behind VPN and firewalls.
Network Firewalls: Nylas adheres to industry-standard practices for securing and maintaining our infrastructure, with additional protection being afforded by our firewalls. Each system uses firewalls to restrict access from external networks and between systems internally. To mitigate both internal and external risk, access is restricted to only the ports and protocols required for specific business needs.
Infrastructure and Physical Security
All Nylas physical infrastructure and data centers are housed in state-of-the-art secure facilities with industry-standard access controls and physical security measures. Nylas development machines run on unprivileged networks secured by VPN.
Nylas is hosted at Amazon Web Services (AWS) data centers, which are highly scalable, secure, and reliable. AWS complies with leading security policies and frameworks, including SSAE 16, SOC framework, ISO 27001, and PCI DSS Level 1.
SSAE 16, or more formally, Statement on Standards for Attestation Engagements No. 16, is key guidance for reporting on internal controls at service organizations. SSAE 16 is used for reporting on the Service Organization Control (SOC) framework, which consists of SOC 1, SOC 2, and SOC 3. SOC 1 focuses on an organization’s internal controls over financial reporting, while SOC 2 and SOC 3 cover reporting on security, availability, processing integrity, confidentiality, and privacy for service organizations, including cloud and data center providers.
AWS is certified to ISO 27001, which describes a systematic approach to managing sensitive information so that it remains secure. ISO 27001 covers a risk management process that encompasses people, processes, and IT systems. AWS is also Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS), enabling customers to run applications on AWS’s PCI-compliant infrastructure for storing, processing, and transmitting credit card information in the cloud.
Additional AWS physical security measures include:
At each AWS hosting site, Nylas servers are secured at all times by trained security guards, and access is authorized strictly on a least-privileged basis. The data centers use state-of-the-art electronic surveillance to monitor any suspicious activity.